TL;DR
- HIPAA is a shared responsibility. The vendor is accountable for the safeguards on its side of the line; you stay accountable for your own controls, for vetting the vendor, and for the administrative work (policies, training, risk analysis).
- A signed BAA is non-negotiable. If a vendor won't sign one, walk.
- Lani's conversational AI for healthcare ships the full HIPAA-grade architecture (BAA, encryption, audit logs, retention, recording disclosure, escalation, patient verification) via Privacy Plus+.
The shape of the problem
AI is doing the thing it does in every other industry — drop into operations, save 30–50% of front-office time, recover lost revenue from missed calls. Medical practices want in. But "HIPAA compliant" is a checkbox a lot of vendors slap on their landing page without actually being able to back up, and the consequences of getting it wrong (OCR investigations, six-figure fines) are bad enough that "vaguely close to HIPAA" doesn't work.
This guide is the checklist we use internally when we sign up a medical practice on Lani. It's not legal advice — talk to a healthcare compliance attorney before signing anything — but it's the operational floor.
Item 1 — Business Associate Agreement (BAA)
A BAA is the contract under which a vendor agrees to handle Protected Health Information (PHI) on your behalf in compliance with HIPAA. It's the most important single document in the entire stack. If a vendor won't sign one, they cannot legally process PHI for a covered entity — full stop.
Things to check: the BAA should be signed by an authorized officer of the vendor, should explicitly cover the use case you're deploying (voice calls, SMS, email, transcripts), should state how the vendor's own subcontractors that touch PHI (telephony, transcription, LLM providers) are bound, and should set a breach notification deadline well inside HIPAA's 60-day outer limit, because your own clock for notifying affected patients may already be running when the vendor discovers the incident. Lani's BAA is available via the Privacy Plus+ add-on and is included for any medical-vertical client.
Item 2 — Encryption at rest and in transit
Voice audio, SMS bodies, email content, transcripts, and CRM-synced records all need to be encrypted both in transit (TLS 1.2+) and at rest (AES-256 typically). The right question to ask a vendor isn't "do you encrypt" (they all say yes) but "show me your encryption documentation": which TLS versions and cipher suites are accepted, how at-rest keys are generated, stored (a KMS or HSM, not a config file) and rotated, and who at the vendor can reach them. Real vendors have it ready.
For voice specifically, also ask about the model inference path. Some voice AI vendors route audio or transcripts through third-party speech-to-text or LLM providers without BAAs in place. HIPAA requires a business associate to bind each subcontractor that handles PHI under its own BAA, so ask for the vendor's list of sub-processors and confirm every link in the chain is covered, not just the storage.
Item 3 — Audit logging
Every access to PHI needs to be logged: who (a named user or a specific system component), what record, what action (read, write, export, delete) and when. This includes both human accesses (your team viewing a transcript) and machine accesses (the AI reading the patient's prior history during a call). If something goes wrong, the audit log is what you and your attorney use to reconstruct what happened, so it also has to be protected from after-the-fact editing, including by the vendor's own staff.
Practical test: ask the vendor to show you the audit log for a sample call, including the AI's own lookups during that call. If they can't produce one in real time, they don't have it. Also ask how long the audit logs themselves are kept and whether they are append-only.
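To make the requirements above concrete, here is an added example (written for this guide, not Lani's code) of a minimal tamper-evident PHI audit log: every access, human or machine, is appended with who, what, which action and when, and each record carries the SHA-256 hash of the previous one so that a later edit breaks the chain. The call IDs, user names, record paths and timestamps are constructed sample data; the field names are assumptions, not a real vendor's schema.

```python
"""Added example, not Lani's code: a minimal tamper-evident PHI audit log.

Each record stores actor, actor type (human/machine), action, resource,
call ID and timestamp, and is chained to the previous record by SHA-256.
All names, IDs and timestamps below are constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # prev_hash of the first record


def _digest(body):
    # Canonical JSON (sorted keys) so the hash is stable across runs.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, actor, actor_type, action, resource, call_id, when):
        """Append one PHI access; returns the record's hash."""
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "ts": when, "actor": actor, "actor_type": actor_type,
            "action": action, "resource": resource, "call_id": call_id,
            "prev_hash": prev_hash,
        }
        body["hash"] = _digest(body)
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Return (True, count) if the chain is intact, else (False, index of first bad record)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev:
                return False, i
            if _digest({k: v for k, v in e.items() if k != "hash"}) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, len(self.entries)

    def reconstruct(self, call_id):
        """Timeline of every PHI access tied to one call, human and machine alike."""
        return [(e["ts"], e["actor_type"], e["actor"], e["action"], e["resource"])
                for e in self.entries if e["call_id"] == call_id]


def sample_log():
    """Constructed sample: one call with AI lookups and a later human transcript view."""
    log = AuditLog()
    log.record("ai-receptionist", "machine", "read", "patient/1042/history", "call-7f3a", "2026-01-12T14:02:11Z")
    log.record("ai-receptionist", "machine", "write", "appointment/5589", "call-7f3a", "2026-01-12T14:03:40Z")
    log.record("ai-receptionist", "machine", "read", "patient/2210/history", "call-9c01", "2026-01-12T14:05:00Z")
    log.record("j.ortiz@practice.example", "human", "read", "transcript/call-7f3a", "call-7f3a", "2026-01-12T16:45:02Z")
    return log


if __name__ == "__main__":
    log = sample_log()
    print("chain intact:", log.verify())
    for row in log.reconstruct("call-7f3a"):
        print(*row)
    log.entries[1]["actor"] = "someone-else"   # simulate an after-the-fact edit
    print("after tampering:", log.verify())
```

The point of the chain is the "practical test" above: a vendor that can show you `reconstruct()` for a sample call and a passing `verify()` has an audit trail you can hand to counsel; one whose log can be edited silently has a database table, not evidence.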
Item 4 — Configurable retention
HIPAA itself doesn't set a retention period for medical records (its six-year rule covers compliance documentation such as policies and risk assessments, not patient charts), but state laws do (often 6–10 years). More importantly, you don't want voice recordings sitting around forever. Lani lets practices configure retention per category (voice audio, transcripts, SMS, email, CRM events) with auto-deletion on the schedule you set.
Default to short retention for raw audio (90 days is usually enough, unless a recording has become part of a patient's record or is under a legal hold) and longer retention for transcripts and structured records (per your state's rules). The vendor should support both, deletion should reach backups and any copies held by sub-processors, and you should be able to change the policy without a support ticket.
Item 5 — Recording disclosure
Roughly a dozen US states require all-party consent (often loosely called "two-party consent") for call recording: every party on the call must consent before recording starts. Your AI receptionist has to deliver that disclosure within the first few seconds of the call ("This call may be recorded for quality and training purposes") and, if the caller objects, continue the call unrecorded or end it rather than keep recording.
Lani handles the disclosure automatically based on the practice's location and the caller's area code, and lets you edit the disclosure text per state. An area code is only a proxy for where the caller actually is (mobile and ported numbers travel), so the conservative configuration is to play the disclosure on every call. If a vendor doesn't handle this, the practice ends up responsible for the violation.
Item 6 — Escalation and human transfer
AI in medical contexts shouldn't make clinical decisions. The receptionist can handle booking, payment, FAQ, hours, location, and rescheduling, but anything that touches medical advice, clinical urgency, or sensitive issues needs to escalate to a human in real time.
Lani recognizes escalation intent (symptoms questions, complaints, sensitive triggers) and warm-transfers to a designated human with full call context attached. The escalation rules are configurable per practice — your office decides what triggers transfer.
Item 7 — Patient verification
When a patient calls about an existing appointment or record, the AI needs to verify their identity before disclosing any PHI. Standard verification is date of birth + last name match, but practices can configure stricter rules (last 4 of SSN, address match, etc.) for sensitive cases.
No verification, no PHI disclosure. The AI defaults to "I can't share that without verifying your identity first" if the patient can't pass the check, which is what HIPAA's requirement to verify the identity of anyone requesting PHI calls for. Two details worth confirming with the vendor: the failure message should not reveal which factor was wrong, and repeated failed attempts against the same record should block further attempts for that call rather than let a caller keep guessing.
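The verification gate described in this item, as an added example written for this guide rather than Lani's implementation. A policy names the factors a caller must supply (date of birth and last name by default; a stricter set adds the last four of the SSN and ZIP code), values are normalised and compared in constant time, every factor is evaluated even after a mismatch, the denial text never says which factor failed, and three failures lock the record for the rest of the call. The patient record, factor names and attempt limit are constructed assumptions.

```python
"""Added example, not Lani's code: a configurable identity-verification gate
placed in front of every PHI disclosure.

PATIENTS, the factor names, and MAX_ATTEMPTS are constructed assumptions.
"""
import hmac
import re
from datetime import date

DENIAL = "I can't share that without verifying your identity first."
DEFAULT_POLICY = ("dob", "last_name")                    # standard check
STRICT_POLICY = ("dob", "last_name", "ssn_last4", "zip")  # for sensitive records
MAX_ATTEMPTS = 3

# Constructed sample record; a real system would look this up by account or phone number.
PATIENTS = {
    "1042": {"dob": "1984-07-09", "last_name": "Nguyen", "ssn_last4": "4417", "zip": "97205"},
}


def normalise(factor, value):
    """Canonicalise a spoken/typed factor so trivial formatting differences don't fail a real patient."""
    v = str(value).strip().lower()
    if factor == "dob":
        m = re.fullmatch(r"(\d{1,2})/(\d{1,2})/(\d{4})", v)   # US numeric form -> ISO
        if m:
            mm, dd, yyyy = map(int, m.groups())
            try:
                return date(yyyy, mm, dd).isoformat()
            except ValueError:
                return v   # impossible date: leave as-is, it will simply not match
        return v
    if factor in ("ssn_last4", "zip"):
        return re.sub(r"\D", "", v)          # digits only
    return re.sub(r"[^a-z]", "", v)          # names: drop spaces, hyphens, apostrophes


def factors_match(record, claimed, policy):
    """True only if every factor in the policy matches. Evaluates all factors so
    neither the result nor the timing reveals which one was wrong."""
    ok = True
    for f in policy:
        expected = normalise(f, record.get(f, ""))
        given = normalise(f, claimed.get(f, ""))
        ok &= hmac.compare_digest(expected.encode(), given.encode())
    return ok


class VerificationGate:
    def __init__(self, policy=DEFAULT_POLICY):
        self.policy = policy
        self.failures = {}   # patient_id -> failed attempts this call

    def request_phi(self, patient_id, claimed, fetch):
        """Return (True, phi) via fetch() only if the claimed factors pass; otherwise (False, DENIAL).
        Unknown patients and locked records return the same denial as a failed check."""
        record = PATIENTS.get(patient_id)
        if record is None or self.failures.get(patient_id, 0) >= MAX_ATTEMPTS:
            return False, DENIAL
        if not factors_match(record, claimed, self.policy):
            self.failures[patient_id] = self.failures.get(patient_id, 0) + 1
            return False, DENIAL
        return True, fetch(patient_id)


if __name__ == "__main__":
    appt = lambda pid: f"Next appointment for patient {pid}: Tue 10:30"   # constructed PHI source
    gate = VerificationGate()
    print(gate.request_phi("1042", {"dob": "07/09/1984", "last_name": "NGUYEN"}, appt))
    print(gate.request_phi("1042", {"dob": "01/01/2000", "last_name": "Nguyen"}, appt))
    strict = VerificationGate(STRICT_POLICY)
    print(strict.request_phi("1042", {"dob": "1984-07-09", "last_name": "Nguyen"}, appt))
```

Two design choices matter here: `hmac.compare_digest` plus evaluating every factor keeps the check from leaking which factor was wrong through timing or short-circuiting, and the unknown-patient and locked-out paths deliberately produce the same denial as an ordinary mismatch so a caller cannot use the receptionist to enumerate who is a patient.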
How Lani implements all seven
The Privacy Plus+ add-on unlocks the HIPAA-grade architecture: signed BAA, encrypted audio + storage, audit logging, configurable retention, recording disclosure, escalation rules, and patient verification — all configurable per practice during the 7-day pilot. Add-on pricing is $97/month on top of the base subscription.
Medical practices using Lani in 2026 include med spas, dental offices, dermatology, and several MSO-style multi-location healthcare groups. The architecture clears the operational floor; the rest is configuration during onboarding.
Ready when you are
See if Lani is right for your business.
7-day pilot, no setup fee. Live by the end of this week.