April 2026

How to Record Vapi Calls for HIPAA Compliance (Full Setup Guide)


Running Vapi in a healthcare context means you have to handle Protected Health Information properly. Call recordings, transcripts, and structured data can all contain PHI. HIPAA penalties for a breach range from 100 dollars to 50,000 dollars per violation, so the configuration here matters. This guide walks through the specific steps to make a Vapi deployment HIPAA-compliant.

Disclaimer: this is operational guidance, not legal advice. Talk to a HIPAA compliance professional before deploying in a production healthcare context.

Step 1: Sign a BAA with Vapi

A Business Associate Agreement is a contract between your organization (the covered entity or business associate) and Vapi that documents how Vapi will handle PHI. Without a BAA, any PHI touching Vapi is a HIPAA violation regardless of how securely you store it elsewhere.

Vapi offers BAAs on enterprise plans. Contact their sales team directly; the BAA is not on the self-serve tier. Expect the process to take one to three weeks depending on how much back-and-forth your legal team needs.

Step 2: Sign BAAs With Every Provider in the Pipeline

A BAA with Vapi is not enough. PHI flows through the LLM (OpenAI, Anthropic, etc.), the TTS (ElevenLabs, Cartesia), the STT (Deepgram), the phone provider (Twilio), and any tool call webhooks (n8n, custom backends). Every one of those vendors needs a BAA.

OpenAI offers BAAs on their enterprise tier. Anthropic offers BAAs on Anthropic Enterprise. Twilio offers BAAs through their HIPAA program. Deepgram offers BAAs. ElevenLabs does not currently offer BAAs for most plans, so for HIPAA use you will likely need to switch TTS to a provider that does, such as Azure Neural TTS, which has BAA support.

Step 3: Configure Recording Storage

By default, Vapi stores recordings in Vapi's own infrastructure. For HIPAA workloads you can configure recordings to be stored in your own S3 bucket with the proper encryption and access controls. This is done in the assistant settings under storage configuration.

Your S3 bucket must be configured with server-side encryption (SSE-KMS or SSE-S3), bucket policies that enforce TLS 1.2 or higher, versioning enabled, and access logging turned on. The bucket must be in a region where your BAA with AWS applies (AWS has HIPAA-eligible services in all major regions).
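The bucket requirements above (server-side encryption, a policy that rejects plaintext and pre-1.2 TLS, versioning, access logging) can be expressed and checked in code. The following is an added example, not Vapi's or AWS's own code: it builds the bucket policy, audits a bucket's observed state against the Step 3 list, and shows the standard boto3 calls that apply the settings. The bucket name, log bucket and KMS key ARN are placeholders.

```python
"""Bucket policy and configuration audit for a Vapi recording bucket.

Added example, not Vapi's or AWS's own code. Bucket, KMS key and log
bucket names are placeholders; apply_bucket_config() uses the standard
S3 API through boto3 and only runs if you call it with credentials.
"""
import json

BUCKET = "example-vapi-phi-recordings"   # placeholder bucket name
LOG_BUCKET = "example-vapi-access-logs"  # placeholder log bucket
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/REPLACE-ME"  # placeholder


def recording_bucket_policy(bucket: str) -> dict:
    """Deny plaintext HTTP and TLS below 1.2 for every principal."""
    arn = f"arn:aws:s3:::{bucket}"
    resources = [arn, f"{arn}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": resources,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyTlsBelow12",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": resources,
                "Condition": {"NumericLessThan": {"s3:TlsVersion": 1.2}},
            },
        ],
    }


def _has_deny(policy: dict, condition_op: str, key: str) -> bool:
    """True if some Deny statement in the policy carries the given condition key."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        if key in stmt.get("Condition", {}).get(condition_op, {}):
            return True
    return False


def audit_bucket(state: dict) -> list:
    """Compare a bucket's observed state with the Step 3 requirements.

    `state` is a flattened view of what GetBucketEncryption, GetBucketVersioning,
    GetBucketLogging and GetBucketPolicy return. An empty list means it passes.
    """
    findings = []
    if state.get("sse_algorithm") not in ("aws:kms", "AES256"):
        findings.append("default encryption is not SSE-KMS or SSE-S3")
    if state.get("versioning") != "Enabled":
        findings.append("versioning is not enabled")
    if not state.get("logging_target"):
        findings.append("server access logging is not enabled")
    policy = state.get("policy") or {}
    if not _has_deny(policy, "Bool", "aws:SecureTransport"):
        findings.append("bucket policy does not deny non-TLS requests")
    if not _has_deny(policy, "NumericLessThan", "s3:TlsVersion"):
        findings.append("bucket policy does not deny TLS below 1.2")
    return findings


def apply_bucket_config(bucket: str, kms_key_arn: str, log_bucket: str) -> None:
    """Push the configuration to AWS with boto3 (needs credentials; not run here)."""
    import boto3  # imported lazily so the audit helpers work without boto3 installed
    s3 = boto3.client("s3")
    s3.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
        },
    )
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration={"Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn},
            "BucketKeyEnabled": True,
        }]},
    )
    s3.put_bucket_versioning(Bucket=bucket, VersioningConfiguration={"Status": "Enabled"})
    s3.put_bucket_logging(
        Bucket=bucket,
        BucketLoggingStatus={"LoggingEnabled": {
            "TargetBucket": log_bucket, "TargetPrefix": f"{bucket}/"}},
    )
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(recording_bucket_policy(bucket)))


if __name__ == "__main__":
    # Constructed state of a bucket created with account defaults only.
    default_bucket = {"sse_algorithm": "AES256", "versioning": None,
                      "logging_target": None, "policy": None}
    for finding in audit_bucket(default_bucket):
        print("FINDING:", finding)
```

Encryption at rest is enforced through default bucket encryption rather than a policy statement that denies uploads lacking the SSE header: such a statement rejects any writer that does not set the header explicitly, which can include the service uploading the recordings, while default encryption gives the same at-rest guarantee without that breakage.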

HIPAA Compliance Gaps We See Most in Vapi Deployments

Gap and share of deployments affected:
No BAA with TTS provider: 78%
Recordings stored in default Vapi bucket (no BAA): 65%
Transcripts sent to non-BAA LLM provider: 52%
Webhook backend not HIPAA-configured: 48%

Step 4: Disable Data Retention on LLM Providers

OpenAI retains API inputs and outputs for 30 days by default on most plans. For HIPAA workloads, request zero data retention (ZDR) on your OpenAI account. Anthropic has similar zero-retention settings on the enterprise tier. Deepgram and Azure have configurable retention settings.

Every provider in your pipeline needs retention disabled or minimized. If any provider retains the data by default, you need explicit opt-out and documentation for your compliance file.

Step 5: Caller Consent

In many states, recording requires two-party consent. Have the Vapi agent disclose recording at the start of every call: "This call may be recorded for quality purposes." Some states additionally require explicit consent, in which case the agent asks "Do you consent to this call being recorded?" and waits for an affirmative response before proceeding.

The consent wording should be in the Vapi assistant's first message or immediately after the greeting. Document the consent flow in your compliance policy.

Step 6: Access Controls

Only authorized personnel should be able to access recordings, transcripts, and any structured data extracted from them. Configure Vapi team roles tightly; do not give admin access broadly. On your S3 bucket, use IAM policies that require MFA for access, and log every read and write.

Review access logs monthly. HIPAA requires audit trails of who accessed PHI and when.
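The monthly review is easier when the access log is reduced to "who downloaded which recording". The following is an added example, not Vapi's or AWS's own code: it parses S3 server access log lines (the format the bucket's access logging produces), counts successful object downloads per requester, and flags requests that arrived over TLS older than 1.2. The log lines are constructed for illustration; the account id, bucket and principal names are placeholders.

```python
"""Summarize PHI reads from S3 server access logs for the monthly access review.

Added example, not Vapi's or AWS's own code. SAMPLE_LOG_LINES are
constructed in the S3 server access log format; the owner id, account id,
bucket and principals are placeholders.
"""
import re
from collections import Counter

# S3 server access log columns, in order, up to the TLS version column.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turn_around_time",
    "referer", "user_agent", "version_id", "host_id", "signature_version",
    "cipher_suite", "auth_type", "host_header", "tls_version",
]

# Columns are space-separated except the bracketed timestamp and quoted strings.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

_BUCKET = "example-vapi-phi-recordings"
_HOST = f"{_BUCKET}.s3.us-east-1.amazonaws.com"

# Constructed sample: two analyst downloads, one service upload, one blocked
# attempt over TLS 1.1 (rejected by the bucket policy, hence 403).
SAMPLE_LOG_LINES = [
    f'OWNERID {_BUCKET} [06/Feb/2026:10:15:22 +0000] 192.0.2.10 arn:aws:iam::111111111111:user/alice '
    f'REQID1EXAMPLE REST.GET.OBJECT audio/call-0001.wav "GET /audio/call-0001.wav HTTP/1.1" 200 - '
    f'524288 524288 35 30 "-" "aws-cli/2.15.0" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader {_HOST} TLSv1.2',
    f'OWNERID {_BUCKET} [06/Feb/2026:10:16:01 +0000] 192.0.2.10 arn:aws:iam::111111111111:user/alice '
    f'REQID2EXAMPLE REST.GET.OBJECT audio/call-0002.wav "GET /audio/call-0002.wav HTTP/1.1" 200 - '
    f'611200 611200 41 33 "-" "aws-cli/2.15.0" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader {_HOST} TLSv1.2',
    f'OWNERID {_BUCKET} [06/Feb/2026:10:40:17 +0000] 203.0.113.5 '
    f'arn:aws:sts::111111111111:assumed-role/vapi-recording-writer/session '
    f'REQID3EXAMPLE REST.PUT.OBJECT audio/call-0003.wav "PUT /audio/call-0003.wav HTTP/1.1" 200 - '
    f'- 702400 88 70 "-" "aws-sdk-js/3.0" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader {_HOST} TLSv1.2',
    f'OWNERID {_BUCKET} [06/Feb/2026:11:02:09 +0000] 198.51.100.7 arn:aws:iam::111111111111:user/bob '
    f'REQID4EXAMPLE REST.GET.OBJECT transcripts/call-0001.json "GET /transcripts/call-0001.json HTTP/1.1" '
    f'403 AccessDenied - 2048 12 - "-" "python-requests/2.31" - HOSTID SigV4 ECDHE-RSA-AES128-SHA AuthHeader {_HOST} TLSv1.1',
]


def parse_access_log_line(line: str) -> dict:
    """Split one S3 server access log line into a dict keyed by FIELDS."""
    tokens = _TOKEN.findall(line)
    record = dict(zip(FIELDS, tokens))
    record["time"] = record["time"].strip("[]")
    return record


def object_reads(lines) -> Counter:
    """Successful object downloads per requester: the 'who accessed PHI' list."""
    reads = Counter()
    for line in lines:
        rec = parse_access_log_line(line)
        if rec["operation"] == "REST.GET.OBJECT" and rec["http_status"] == "200":
            reads[rec["requester"]] += 1
    return reads


def weak_tls_requests(lines) -> list:
    """Request ids that reached the bucket in plaintext or over TLS below 1.2."""
    flagged = []
    for line in lines:
        rec = parse_access_log_line(line)
        if rec.get("tls_version", "-") in ("-", "TLSv1", "TLSv1.1"):
            flagged.append(rec["request_id"])
    return flagged


if __name__ == "__main__":
    for requester, count in object_reads(SAMPLE_LOG_LINES).items():
        print(f"{requester}: {count} recording(s) downloaded")
    print("weak TLS attempts:", weak_tls_requests(SAMPLE_LOG_LINES))
```

Server access logs are delivered on a best-effort basis, so for an audit trail that must be complete, enable CloudTrail data events for the bucket as well and reconcile the two.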

Step 7: Retention Policy

HIPAA does not mandate a specific retention period but state laws do. Most healthcare records are retained for 6 to 10 years. For Vapi call recordings, set a retention policy that matches your state's requirements. Use S3 Object Lifecycle policies to automatically delete recordings after the retention period.

Transcripts are often retained longer than audio because they have lower storage cost and higher operational value (training data, audit evidence). Document the retention policy for audio and transcripts separately.
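Separate retention for audio and transcripts maps directly onto S3 lifecycle rules scoped by prefix. The following is an added example, not Vapi's or AWS's own code: it generates the lifecycle configuration for a versioned bucket and checks it against a per-prefix state minimum. It assumes recordings live under an audio/ prefix and transcripts under transcripts/ (prefixes chosen for this example, not Vapi's layout); the bucket name is a placeholder and the retention years are inputs you take from your state's requirement.

```python
"""S3 lifecycle rules with separate audio and transcript retention.

Added example, not Vapi's or AWS's own code. The audio/ and transcripts/
prefixes and the bucket name are assumptions for this example.
"""
DAYS_PER_YEAR = 365
BUCKET = "example-vapi-phi-recordings"  # placeholder


def retention_days(years: int) -> int:
    """Lifecycle rules take whole days; convert a retention period given in years."""
    return years * DAYS_PER_YEAR


def lifecycle_rule(rule_id: str, prefix: str, years: int) -> dict:
    """One rule for a prefix.

    On a versioned bucket Expiration only adds a delete marker; the bytes are
    removed by NoncurrentVersionExpiration, so both are needed. Abandoned
    multipart uploads also hold PHI fragments and are cleaned up early.
    """
    days = retention_days(years)
    return {
        "ID": rule_id,
        "Filter": {"Prefix": prefix},
        "Status": "Enabled",
        "Expiration": {"Days": days},
        "NoncurrentVersionExpiration": {"NoncurrentDays": days},
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
    }


def lifecycle_config(audio_years: int, transcript_years: int) -> dict:
    """Full LifecycleConfiguration body as put_bucket_lifecycle_configuration expects it."""
    return {"Rules": [
        lifecycle_rule("expire-audio", "audio/", audio_years),
        lifecycle_rule("expire-transcripts", "transcripts/", transcript_years),
    ]}


def check_retention(config: dict, minimum_years: dict) -> list:
    """Findings for rules that delete before the state minimum for their prefix,
    or that never expire noncurrent versions (data lingers after 'deletion')."""
    findings = []
    for rule in config["Rules"]:
        prefix = rule["Filter"]["Prefix"]
        days = rule["Expiration"]["Days"]
        floor = retention_days(minimum_years.get(prefix, 0))
        if days < floor:
            findings.append(f"{rule['ID']}: expires after {days} days, state minimum is {floor}")
        if "NoncurrentVersionExpiration" not in rule:
            findings.append(f"{rule['ID']}: noncurrent versions are never expired")
    return findings


def apply_lifecycle(bucket: str, config: dict) -> None:
    """Apply the configuration with boto3 (needs credentials; not run here)."""
    import boto3  # lazy import so the generator and checker run without boto3
    boto3.client("s3").put_bucket_lifecycle_configuration(
        Bucket=bucket, LifecycleConfiguration=config)


if __name__ == "__main__":
    # Example inputs: 6 years for audio, 10 for transcripts (pick yours from state law).
    cfg = lifecycle_config(6, 10)
    for rule in cfg["Rules"]:
        print(rule["ID"], rule["Expiration"]["Days"], "days")
    print(check_retention(cfg, {"audio/": 7, "transcripts/": 10}))
```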

Step 8: Breach Notification Plan

HIPAA requires notification within 60 days of a breach affecting PHI. Have a documented incident response plan that includes who is notified, how impacted patients are contacted, and how the breach is remediated. Test the plan with a tabletop exercise at least annually.

Step 9: Encryption at Rest and In Transit

All PHI must be encrypted at rest (in storage) and in transit (over networks). Vapi uses TLS for API calls and webhook traffic. Confirm your n8n or custom backend also enforces TLS 1.2 or higher. S3 bucket encryption covers data at rest; for databases, use encrypted storage and encrypted connections.

Compliance Checklist Coverage

Item and status:
BAAs signed with every vendor in pipeline: Required
Recording storage in BAA-eligible infrastructure: Required
LLM zero-retention configured: Required
Caller consent flow documented: Required
Audit logging and access reviews in place: Required

When Self-Hosted Is Easier

For some healthcare deployments, self-hosting the pieces you can (n8n on your own infrastructure, a local LLM for certain tool calls, your own recording storage) reduces the number of BAAs you need and keeps PHI inside infrastructure you control. Vapi itself cannot be self-hosted, but the backend pieces around it can be.

The operational overhead is higher but the compliance story is cleaner. For larger health systems this is often the right tradeoff.

Documentation Requirements

Keep a compliance binder (digital is fine) with: all signed BAAs, your data flow diagram showing where PHI moves through the pipeline, your retention and access policies, your incident response plan, and your training records for anyone with access to the system. HIPAA auditors will ask for this.
