Is Dialpad HIPAA Compliant? BAA, Plans, and Security Explained
HIPAA Compliance Overview
Dialpad can support HIPAA requirements when your organization signs a Business Associate Agreement (BAA) and configures the service to limit how Electronic Protected Health Information is created, transmitted, and stored. The BAA defines which Dialpad products and features are in scope, and which must be disabled or tightly controlled.
Compliance is shared. Dialpad provides security controls, while you choose eligible plans, enforce policies, and train users. Simply purchasing a license does not make your environment compliant—you must execute a BAA and apply the right settings to prevent unauthorized exposure of ePHI.
What “HIPAA-ready” typically means
- A signed BAA covering specific Dialpad services and data flows.
- Encryption in transit and at rest, strong authentication, and audit logging.
- Administrative safeguards such as least-privilege access, SSO/MFA, and user training.
- Documented retention and deletion rules for recordings, voicemails, and logs.
Because scope varies by plan and configuration, review your BAA language carefully and coordinate with legal and security teams before enabling features that might touch ePHI.
BAA Signing Process
Administrators should follow a structured approach to enable HIPAA on Dialpad. The exact steps may vary by account and plan, but the sequence below reflects common practice.
Step-by-step
- Confirm need: determine which users and workflows will create, receive, or transmit ePHI via calls, voicemails, recordings, or contact center interactions.
- Select an eligible plan: work with sales to confirm which plans and SKUs qualify for a Dialpad BAA and what features will be restricted in HIPAA mode.
- Request the BAA: obtain Dialpad’s Business Associate Agreement from your account team for review and negotiation as needed.
- Define scope: ensure the BAA lists covered products, data residency expectations, subcontractors, breach notification timelines, and security responsibilities.
- Execute the BAA: complete e-signature, retain a countersigned copy, and have Dialpad flag your tenant for HIPAA settings.
- Configure controls: enforce SSO/MFA, restrict roles, disable non-covered features (for example, certain transcriptions or AI), and set retention policies.
- Validate and train: run test calls, confirm logging and retention behavior, and train users on approved workflows for handling ePHI.
Security Certifications
Independent audits and certifications demonstrate the maturity of a provider’s security program. Dialpad’s program commonly includes SOC 2 Type 2 reporting and ISO 27001 certification, which assess the design and operating effectiveness of controls across security, availability, and confidentiality.
These attestations are not a substitute for HIPAA, but they help you evaluate due diligence. Request current summaries or reports under NDA, map controls to your risk assessment, and confirm that in-scope services for your deployment are covered by the audits.
Data Encryption Practices
Dialpad uses layered encryption. Signaling and application traffic are protected in transit with TLS, and media streams use secure protocols where supported. At rest, content such as recordings and voicemails is typically protected with AES-256 encryption and managed keys.
Access is reinforced with strong identity controls. OAuth 2.0 authentication supports secure API access and integrations, while SSO (for example, SAML) and MFA reduce account-takeover risk. Combine these with least-privilege roles and periodic access reviews for administrators and contact center supervisors.
Note that end-to-end encryption is not feasible across the public telephone network (PSTN). Plan workflows accordingly, and avoid channels like SMS/MMS when ePHI is involved unless explicitly covered.
Data Retention Policy
Retention determines how long ePHI persists and who can access it. Under a BAA, administrators should set explicit retention for call recordings, voicemails, transcripts, messages, and analytics artifacts, and disable creation of content that is not needed for care operations.
Best practices include minimizing stored ePHI, masking sensitive details in notes, restricting downloads/exports, and logging every administrative action. Align your Dialpad settings with internal policies, legal hold needs, and regulatory requirements, and document your retention schedule.
Subcontractor Compliance
As a Business Associate, Dialpad must ensure any subcontractors that handle ePHI meet equivalent safeguards and sign downline BAAs. Typical subcontractors include cloud hosting providers, telephony carriers, and analytics services used to deliver the platform.
Review the current subprocessors list during vendor due diligence, understand data residency and cross-border flows, and confirm how breach notifications and incident response cascade from subcontractors to your organization.
Service Limitations and Exclusions
When HIPAA settings are enabled, certain features are often limited or excluded to reduce risk. Exact coverage is defined in your executed BAA and the plan you purchase, but you should expect tighter controls on content-generating and AI-driven capabilities.
- Transcriptions and AI features: voicemail and call transcription, real-time summaries, coaching, or sentiment analysis may be disabled or out of scope.
- Recordings: call and meeting recordings may require stricter access, shorter retention, encryption, and documented patient notice where applicable.
- Messaging: SMS/MMS and some team messaging functions are commonly excluded from BAAs; avoid using them for ePHI unless explicitly covered.
- Integrations: third-party apps, bots, and data exports are only in scope if those vendors also sign a BAA and meet your security standards.
- File storage and screen capture: attachments, shared files, and screen recordings may be restricted or require special handling.
- Fax/eFax: coverage varies; treat as excluded unless your BAA explicitly includes it.
Conclusion
Dialpad can be part of a HIPAA-compliant communications stack when you execute a BAA, choose eligible plans, and configure security and retention controls that minimize ePHI exposure. Treat certifications, encryption, and administrative safeguards as complementary layers, and verify service scope and exclusions in writing before rollout.
FAQs
How does Dialpad handle HIPAA compliance?
Dialpad supports HIPAA through a signed Business Associate Agreement, eligible plans, and platform controls such as encryption, audit logging, SSO/MFA, and configurable retention. Administrators must enable HIPAA settings, restrict non-covered features, and train users so ePHI is only created and stored within approved workflows.
What services are excluded from Dialpad’s BAA?
Your executed BAA defines the exact scope, but commonly excluded or restricted items include voicemail/call transcription, AI-generated summaries, certain recordings, SMS/MMS and team messaging, third-party integrations without a BAA, and some file-sharing features. Confirm coverage with Dialpad and your legal team before using these features with ePHI.
How can administrators sign the Dialpad BAA?
Work with Dialpad Sales or your account manager to confirm plan eligibility, request the Business Associate Agreement, and complete e-signature. After execution, ask Dialpad to enable HIPAA settings for your tenant, then enforce SSO/MFA, apply least-privilege roles, disable non-covered features, and set retention and deletion policies.
What security certifications does Dialpad maintain?
Dialpad’s security program typically includes SOC 2 Type 2 reporting and ISO 27001 certification, demonstrating independent validation of control design and effectiveness. Use current reports to inform your vendor risk assessment and to map controls to your HIPAA security requirements.