HIPAA Compliance
Effective Date:
Aug 1, 2024
Last Updated:
Aug 28, 2025
This document establishes the Health Insurance Portability and Accountability Act (HIPAA) compliance framework for Callisi, a voice AI platform and agency operated by Hyperdimensional LLC. Callisi enables healthcare clients to use voice AI services while maintaining full HIPAA compliance.
1. Callisi Platform Responsibilities
Callisi is responsible for the following platform-specific HIPAA compliance measures:
Technical Safeguards:
- Implementing secure API connections with voice providers
- Maintaining encrypted data transmission (TLS 1.3)
- Providing role-based access controls within the platform
- Ensuring secure user authentication and session management
- Maintaining audit logs of platform access and activities
Administrative Safeguards:
- Designating a security officer for platform security
- Implementing access management procedures
- Conducting regular security assessments of platform infrastructure
- Maintaining incident response procedures for platform-related events
Physical Safeguards:
- Leveraging AWS infrastructure covered by a SOC 2 Type II attestation report
- Ensuring proper facility access controls through the cloud provider
- Maintaining secure workstation access for platform administration
Voice AI Provider Configuration:
- Executing Business Associate Agreements (BAAs) with applicable voice AI providers (such as Vapi, Retell, ElevenLabs, etc. – as indicated in our sub-processors list)
- Configuring voice provider accounts for HIPAA compliance
- Ensuring proper encryption settings in voice provider platforms
- Setting appropriate data retention policies on Callisi’s voice AI provider accounts
- Implementing access controls within voice AI provider systems
Healthcare Client Management:
- Executing BAAs with healthcare clients (covered entities)
- Implementing comprehensive HIPAA policies and procedures
- Conducting staff training on HIPAA requirements
- Managing end-user consent and authorization processes
- Handling data subject requests from healthcare clients
Compliance Monitoring:
- Conducting regular risk assessments
- Monitoring voice provider compliance status
- Maintaining compliance documentation
- Implementing corrective actions for compliance gaps
2. Incident Response Framework
Callisi’s incident response is limited to platform-related security events:
- Platform Security Breaches: Unauthorized access to the Callisi platform
- API Security Incidents: Compromised data transmission between systems
- Authentication Failures: Compromised user accounts or access controls
- Data Transmission Issues: Encryption failures or data leakage in transit
Response Activities:
- Healthcare client PHI breach notifications (60-day timeline)
- HHS breach notifications (60-day timeline)
- Voice provider incident coordination
- End-user breach notifications
- Regulatory reporting and compliance actions
Response Timeline: Callisi will notify affected healthcare clients within 24 hours of discovering a platform-related incident.
3. Business Associate Agreement (BAA) Framework
Callisi’s Business Associate Agreement covers only platform-specific services and does not extend to comprehensive healthcare solution delivery. Our BAA is available at: Callisi BAA Document
Permitted Uses under BAA:
- Platform administration and user management
- API integration and data routing
- Technical support and troubleshooting
- Security monitoring and incident response
- Platform analytics and usage reporting
Covered Parties:
- Voice AI Providers: Applicable voice AI providers supported by Callisi (e.g. Vapi, Retell, ElevenLabs, etc.)
- Healthcare Clients: All covered entities using Callisi’s agency services
4. Training and Awareness
Callisi provides HIPAA training focused on platform-specific responsibilities:
- Platform security awareness
- Limited PHI handling procedures
- Incident response protocols
- Customer support guidelines for healthcare clients
5. Contact Information
For HIPAA compliance questions or concerns:
Compliance Officer: Lynn Schulte-Kellinghaus
Email: team@callisi.com
Company: Hyperdimensional LLC