HIPAA Compliance
Effective Date: Aug 1, 2024
Last Updated: Aug 28, 2025
This document establishes the Health Insurance Portability and Accountability Act (HIPAA) compliance framework for Callisi, a voice AI platform and agency operated by Hyperdimensional LLC. Callisi enables healthcare clients to use voice AI services while maintaining full HIPAA compliance.
1. Callisi Platform Responsibilities
Callisi is responsible for the following platform-specific HIPAA compliance measures:
Technical Safeguards:
Implementing secure API connections with voice providers
Maintaining encrypted data transmission (TLS 1.3)
Providing role-based access controls within the platform
Ensuring secure user authentication and session management
Maintaining audit logs of platform access and activities
Administrative Safeguards:
Designating a security officer for platform security
Implementing access management procedures
Conducting regular security assessments of platform infrastructure
Maintaining incident response procedures for platform-related events
Physical Safeguards:
Leveraging AWS SOC 2 Type II certified infrastructure
Ensuring proper facility access controls through the cloud provider
Maintaining secure workstation access for platform administration
Voice AI Provider Configuration:
Executing Business Associate Agreements (BAAs) with applicable voice AI providers (such as Vapi, Retell, and ElevenLabs, as indicated in our sub-processors list)
Configuring voice provider accounts for HIPAA compliance
Ensuring proper encryption settings in voice provider platforms
Setting appropriate data retention policies on their voice AI provider accounts
Implementing access controls within voice AI provider systems
Healthcare Client Management:
Executing BAAs with healthcare clients (covered entities)
Implementing comprehensive HIPAA policies and procedures
Conducting staff training on HIPAA requirements
Managing end-user consent and authorization processes
Handling data subject requests from healthcare clients
Compliance Monitoring:
Conducting regular risk assessments
Monitoring voice provider compliance status
Maintaining compliance documentation
Implementing corrective actions for compliance gaps
2. Incident Response Framework
Callisi’s incident response is limited to platform-related security events:
Platform Security Breaches: Unauthorized access to the Callisi platform
API Security Incidents: Compromised data transmission between systems
Authentication Failures: Compromised user accounts or access controls
Data Transmission Issues: Encryption failures or data leakage in transit
Healthcare client PHI breach notifications (60-day timeline)
HHS breach notifications (60-day timeline)
Voice provider incident coordination
End-user breach notifications
Regulatory reporting and compliance actions
Response Timeline: Callisi will notify affected companies within 24 hours of discovering platform-related incidents.

3. Business Associate Agreement (BAA) Framework
Callisi’s Business Associate Agreement covers only platform-specific services and does not extend to comprehensive healthcare solution delivery. Our BAA is available at: Callisi BAA Document
Permitted Uses under BAA:
Platform administration and user management
API integration and data routing
Technical support and troubleshooting
Security monitoring and incident response
Platform analytics and usage reporting
Voice AI Providers: Applicable Voice AI Providers supported by Callisi (e.g., Vapi, Retell, ElevenLabs)
Healthcare Clients: All covered entities using Callisi’s Client’s agency services

4. Training and Awareness
Callisi provides HIPAA training focused on platform-specific responsibilities:
Platform security awareness
Limited PHI handling procedures
Incident response protocols
Customer support guidelines for healthcare clients
5. Contact Information
For HIPAA compliance questions or concerns:
Compliance Officer: Lynn Schulte-Kellinghaus
Email: team@callisi.com
Company: Hyperdimensional LLC