fern/security-and-privacy/hipaa.mdx
59 additions & 12 deletions
@@ -11,7 +11,7 @@ At Vapi, we are committed to delivering exceptional voice assistant services whi
11
11
12
12
## Understanding HIPAA Compliance Basics
13
13
14
-
The Health Insurance Portability and Accountability Act (HIPAA) is a United States legislation that provides data privacy and security provisions for safeguarding medical information. HIPAA compliance is crucial for any entity that deals with protected health information (PHI), ensuring that sensitive patient data is handled, stored, and transmitted with the highest standards of security and confidentiality. The key concepts of HIPAA compliance include the Privacy Rule, which protects the privacy of individually identifiable health information; the Security Rule, which sets standards for the security of electronic protected health information (e-PHI); and the Breach Notification Rule, which requires covered entities to notify individuals, HHS, and in some cases, the media of a breach of unsecured PHI. Compliance with these rules is not just about adhering to legal requirements but also about building trust with your customers by demonstrating your commitment to protecting their sensitive data. By enabling the `hipaaEnabled` configuration in Vapi’s voice assistant platform, you are taking a significant step towards aligning your operations with these HIPAA principles, ensuring that your use of technology adheres to these critical privacy and security standards.
14
+
The Health Insurance Portability and Accountability Act (HIPAA) is a United States legislation that provides data privacy and security provisions for safeguarding medical information. HIPAA compliance is crucial for any entity that deals with protected health information (PHI), ensuring that sensitive patient data is handled, stored, and transmitted with the highest standards of security and confidentiality. The key concepts of HIPAA compliance include the Privacy Rule, which protects the privacy of individually identifiable health information; the Security Rule, which sets standards for the security of electronic protected health information (e-PHI); and the Breach Notification Rule, which requires covered entities to notify individuals, HHS, and in some cases, the media of a breach of unsecured PHI. Compliance with these rules is not just about adhering to legal requirements but also about building trust with your customers by demonstrating your commitment to protecting their sensitive data. By enabling the `hipaaEnabled` configuration in Vapi's voice assistant platform, you are taking a significant step towards aligning your operations with these HIPAA principles, ensuring that your use of technology adheres to these critical privacy and security standards.
15
15
16
16
## Understanding Default Settings
17
17
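Review bot: the only change in this hunk is the curly apostrophe in "Vapi's" becoming a straight one, but since the whole paragraph is being rewritten anyway, also fix "a United States legislation" on the same line, which should read "United States legislation" or "a United States law"; the rest of the HIPAA summary (Privacy Rule, Security Rule, Breach Notification Rule) reads correctly and can stay as is.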
@@ -35,17 +35,64 @@ To enable HIPAA compliance, set hipaaEnabled to true within your assistant's con
35
35
36
36
Note: The default value for hipaaEnabled is false. Activating this setting is a proactive measure to align with HIPAA standards, requiring manual configuration adjustment.
37
37
38
-
## FAQs
39
-
40
-
**Q: Will enabling HIPAA compliance affect the quality of Vapi’s service?**
41
-
A: Enabling HIPAA compliance does not degrade the quality of the voice assistant services. However, it limits access to certain features, such as reviewing call logs or transcriptions, that some users may find valuable for quality improvement purposes.
42
-
43
-
**Q: Who should use the HIPAA compliance feature?**
44
-
A: This feature is particularly useful for businesses and organizations in the healthcare sector or any entity that handles sensitive health information and must comply with HIPAA regulations.
45
-
46
-
**Q: Can I switch between default and HIPAA-compliant settings?**
47
-
A: Yes, users can toggle the hipaaEnabled setting as needed. However, we recommend carefully considering the implications of each option on your data privacy and compliance requirements.
38
+
# FAQs
39
+
40
+
<AccordionGroup>
41
+
<Accordiontitle="Will enabling HIPAA compliance affect the quality of Vapi's service?">
42
+
Enabling HIPAA compliance does not degrade the quality of the voice assistant services. However, it limits access to certain features, such as reviewing call logs or transcriptions, that some users may find valuable for quality improvement purposes.
43
+
</Accordion>
44
+
<Accordiontitle="Who should use the HIPAA compliance feature?">
45
+
This feature is particularly useful for businesses and organizations in the healthcare sector or any entity that handles sensitive health information and must comply with HIPAA regulations.
46
+
</Accordion>
47
+
<Accordiontitle="Can I switch between default and HIPAA-compliant settings?">
48
+
Yes, users can toggle the `hipaaEnabled` setting as needed. However, we recommend carefully considering the implications of each option on your data privacy and compliance requirements.
49
+
</Accordion>
50
+
</AccordionGroup>
51
+
52
+
## Where can PHI be used with Vapi?
53
+
54
+
<AccordionGroup>
55
+
<Accordiontitle="Which endpoints can contain Protected Health Information (PHI)?">
56
+
When using Vapi with PHI, you may only pass PHI through the `/call` endpoint. All other endpoints in the API Reference should not contain PHI. For example, you should not put PHI in an `/assistant` prompt or in a `/phone-number` label. The restriction applies to all configuration endpoints where data would be stored on Vapi's platform.
57
+
</Accordion>
58
+
<Accordiontitle="Are there specific HIPAA-safe endpoints I should use?">
59
+
No, there are no designated "HIPAA-safe endpoints." Instead, when `hipaaEnabled` is turned on, Vapi will only use HIPAA-compliant services (such as Azure OpenAI) for processing PHI through the pipeline. The voice pipeline (STT → LLM → TTS) can process PHI when properly configured, but Vapi does not store this data.
60
+
</Accordion>
61
+
</AccordionGroup>
62
+
63
+
## HIPAA Compliance Configuration
64
+
65
+
<AccordionGroup>
66
+
<Accordiontitle="How do I enable HIPAA compliance with Vapi?">
67
+
Enable `hipaaEnabled` at the organization level. This ensures that all appropriate compliance measures are in place across your Vapi implementation. You can also toggle HIPAA-compliance at the assistant-level by setting `Assistant.compliancePlan.hipaaEnabled=true` in your configuration.
68
+
</Accordion>
69
+
<Accordiontitle="If I bring my own HIPAA-compliant provider keys, does that make everything compliant?">
70
+
No. Even when using your own HIPAA-compliant provider keys, it remains your responsibility not to store PHI via Vapi's endpoints. The model keys are a separate concern from the storage of PHI on Vapi's platform. You must both use HIPAA-compliant keys AND ensure you're not storing PHI on Vapi.
71
+
</Accordion>
72
+
</AccordionGroup>
73
+
74
+
## Best Practices
75
+
76
+
<AccordionGroup>
77
+
<Accordiontitle="What are best practices for ensuring HIPAA compliance with Vapi?">
78
+
- Enable `hipaaEnabled` at the organization level
79
+
- Ensure that PHI only passes through the call pipeline and is not stored in configuration
80
+
- Use HIPAA-compliant enterprise accounts with all third-party providers (STT, LLM, TTS)
81
+
- Be mindful of test/demo assistants where compliance might be turned off for testing purposes - never use these with real PHI
82
+
- Remember that with HIPAA compliance enabled, Vapi won't store logs, recordings, or transcriptions
83
+
</Accordion>
84
+
<Accordiontitle="Can I have both HIPAA-compliant and non-HIPAA-compliant assistants?">
85
+
Yes, but be extremely careful. If you have test or demo assistants where HIPAA compliance is turned off for testing purposes, ensure you never intermingle these with real PHI. It's safest to enable HIPAA compliance at the organization level to avoid accidental misconfigurations.
86
+
</Accordion>
87
+
<Accordiontitle="What is my responsibility under the BAA with Vapi?">
88
+
Under the Business Associate Agreement (BAA), you agree:
89
+
1. Not to introduce PHI onto Vapi's platform through its API or dashboard except as permitted
90
+
2. To use HIPAA-compliant accounts with external providers when providing keys
91
+
3. Not to use underlying providers through Vapi without having HIPAA-compliant enterprise accounts with those providers
92
+
4. To use the platform in accordance with all BAA requirements
93
+
</Accordion>
94
+
</AccordionGroup>
48
95
49
96
## Need Further Assistance?
50
97
51
-
If you have more questions about privacy, HIPAA compliance, or how to configure your Vapi assistant, our support team is here to help. Contact us at security@vapi.ai for personalized assistance and more information on how to make the most of Vapi’s voice assistant platform while ensuring your data remains protected.
98
+
If you have more questions about privacy, HIPAA compliance, or how to configure your Vapi assistant, our support team is here to help. Contact us at security@vapi.ai for personalized assistance and more information on how to make the most of Vapi's voice assistant platform while ensuring your data remains protected.
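Review bot: the new heading `# FAQs` is one level higher than its sibling sections (`## Understanding Default Settings`, `## Where can PHI be used with Vapi?`, `## Need Further Assistance?`) and should be `## FAQs`; the original line it replaces was already at `##`. Two further points in this hunk: (1) the "How do I enable HIPAA compliance with Vapi?" answer recommends enabling `hipaaEnabled` at the organization level but only documents the assistant-level path (`Assistant.compliancePlan.hipaaEnabled=true`); state where the organization-level setting lives (dashboard page or API field) so the recommended option is actionable, and reconcile it with the hunk header's "set hipaaEnabled to true within your assistant's configuration" and the unchanged `Note:` that the default is false. (2) As rendered in this diff the accordion tags read `<Accordiontitle="...">` with no space between tag name and attribute; confirm the source reads `<Accordion title="...">`, since the closing tags are `</Accordion>` and a fused tag name would not match. Minor: the BAA item "Not to introduce PHI onto Vapi's platform ... except as permitted" would be clearer if it pointed at the `/call`-only rule stated under "Which endpoints can contain Protected Health Information (PHI)?", so readers do not have to infer what "permitted" means.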