50% off setup · First 5 agencies only · Claim your seat →

HIPAA

Does Your Call-Recording Vendor Need a BAA? Here’s How to Tell

“HIPAA compliant” is marketing copy, not a legal status — the real question is which vendors in your telesales stack touch data that could identify a beneficiary’s health-plan selection, and whether each one has a signed Business Associate Agreement to cover it.

Updated July 2026

The short answer

Any vendor that stores, processes, or can access recordings, transcripts, or CRM records tied to a specific Medicare beneficiary’s health-plan discussion is handling protected health information (PHI) on your behalf — and needs a signed Business Associate Agreement (BAA). That includes your dialer/CRM, your call-recording platform, your cloud storage, and any AI transcription tool. There is no such thing as a “HIPAA certified” vendor — certification isn’t a real designation under the law. What exists is a signed contract, and it’s only as good as what it actually covers.

“HIPAA certified” isn’t a real thing

No federal agency issues a “HIPAA certification.” HHS does not certify, accredit, or approve vendors as HIPAA compliant. When a vendor’s sales page says “HIPAA certified,” that’s a marketing claim, not a legal fact — and it tells you nothing about whether they’ll actually sign a BAA, or what that BAA will cover once you ask for one.

What does exist, per HHS, is a defined relationship: a covered entity (a health plan, provider, or clearinghouse) that engages a business associateto create, receive, maintain, or transmit PHI on its behalf must have a written BAA with that vendor. A Medicare telesales agency sits in a similar position — the agencies your carriers hold you to expect the same discipline even though the underlying HIPAA mechanics run through the carrier as the covered entity. Either way, the practical test is the same: does the vendor touch data that identifies a real person’s health-plan activity? If yes, get a BAA. If a vendor won’t sign one, that’s your answer about whether to use them for anything PHI-adjacent.

The actual test: does this vendor touch PHI?

Skip the marketing language and ask one question for every tool in your stack: can this vendor see, store, or process information that ties a specific beneficiary’s name or contact info to a health condition, plan selection, or enrollment status?

  • A call recording of a beneficiary discussing chronic conditions or plan benefits is PHI the moment it’s captured — the vendor storing that file needs a BAA, full stop.
  • A CRM record with a name, phone number, and “interested in Plan G” noted against it is PHI, even though it looks like ordinary sales data.
  • A dialer that only stores phone numbers with no health context attached is a closer call — but if it’s wired into the same CRM or call log that holds PHI, it likely needs coverage too.
  • An AI transcription tool that converts your recorded sales calls to text is processing PHI, even if the output only lives for a few minutes before it’s deleted.

Vendor-by-vendor checklist for a typical Medicare telesales stack

Here’s how that test plays out across the tools most Medicare agencies and call centers already run:

Vendor typeTouches PHI?BAA needed?
Dialer / CRM (call logs, notes, plan interest tags)Yes, if notes reference health or plan detailYes
Call-recording platformYes — the recording itselfYes
Cloud storage / backup for recordings or exportsYes — it holds the same filesYes
AI transcription or QA-scoring toolYes — processes recording contentYes
Email/SMS platform sending only appointment reminders with no health detailUsually noCase-by-case — ask counsel
General analytics tool with no access to recordings or PHI fieldsNoNot required

The pattern: if a tool sits anywhere near the call itself — recording it, storing it, transcribing it, or logging notes about what was said — assume it needs a BAA until a vendor or your counsel tells you otherwise. Tools that are purely logistical (scheduling, general marketing analytics) are the exception, not the rule.

What to ask a vendor before you sign anything

  1. 1Do you offer a signed BAA, or only a generic “security overview” PDF? A security whitepaper is not a substitute for a contract.
  2. 2What specifically is covered — call recordings, CRM fields, transcripts, all of the above, or just a subset?
  3. 3What’s explicitly excluded? Some vendors will sign a BAA for their core storage layer but exclude a connected AI or analytics add-on — ask directly.
  4. 4Who has access on their end, and do their own subprocessors (cloud hosting, backup providers) have BAAs in place with them?
  5. 5What happens to the data if you cancel the contract — is it deleted, and on what timeline?

Where retention rules intersect

Getting the BAA signed is step one. Step two is knowing how long that vendor is required to hold the data once it’s covered. See how long you actually have to keep Medicare call recordings for the 6-year marketing-call framework versus the 10-year enrollment-record rule — a BAA doesn’t change either clock, it just governs who’s allowed to hold the data during that window.

Common mistake #1: assuming sales calls aren’t PHI-bearing

The most common error we see is agencies treating Medicare sales calls as pure sales data — no different from a mortgage lead call. But the moment a beneficiary mentions a diagnosis, a current medication, or which plan they’re leaning toward, that recording contains PHI. It doesn’t matter that the call originated as a marketing call rather than a clinical one. If the content identifies a person and touches their health status or plan choice, treat it as PHI and make sure every vendor touching it is covered.

Common mistake #2: treating “compliance” as something you buy

A signed BAA transfers legal responsibility for specific safeguards to the vendor — it does not make your agency “HIPAA compliant” as a purchasable end state. Compliance is a shared responsibility: your vendor secures their systems, and you still need your own policies for who on your team can access recordings, how long you retain them, and how you respond if something goes wrong. A vendor with an airtight BAA and a call center with no internal access controls is still exposed.

BAA coverage vs. CMS compliance — two different checklists

A signed BAA satisfies HIPAA. It does nothing for your CMS TPMO obligations, which run on a separate track: documented Scope of Appointment, disclaimer timing, and consent capture. See what changed (and didn’t) with the FCC one-to-one consent rule for how CMS’s own consent expectations sit apart from both HIPAA and the vacated FCC rule. The overlap is practical, not legal: the same call-recording vendor that needs a BAA for HIPAA is usually the same system you rely on to prove SOA and disclaimer timing for CMS. One system, two separate compliance obligations riding on top of it — which is the gap most Medicare vendor stacks were never built to close.

Quick self-audit

  • List every vendor in your telesales stack that touches a call, a recording, or a CRM note.
  • For each one, ask: does it store or process anything tied to a beneficiary’s health status or plan selection?
  • If yes, confirm a signed BAA is on file — not a security page, an actual signed contract.
  • Confirm what the BAA covers and excludes, in writing.
  • Separately confirm your CMS retention and consent obligations are met — a BAA doesn’t satisfy those.

Get your compliance stack AEP-ready

Start with the AEP compliance readiness checklist — scripts, retention, consent capture, and attribution tagging, reviewed before Oct 15 volume hits.

Sources

Keep reading