HIPAA Compliance
Voquii includes a built-in HIPAA mode that switches the voice pipeline to zero-retention processing. When enabled, audio flows through RAM only, transcripts and recordings are never stored, and only proprietary Voquii voices are used.
Enabling HIPAA Mode
Per-Bot Setting: HIPAA mode is configured per bot. If you manage multiple clients, you can enable HIPAA mode only for healthcare clients while keeping standard mode for others.
What Changes When HIPAA Mode Is Enabled
| Setting | Standard Mode | HIPAA Mode |
|---|---|---|
| Audio Processing | RAM + optional disk buffering | RAM only - no disk writes |
| Transcripts | Stored for analytics | Never stored |
| Call Recordings | Optional (per integration) | Auto-disabled |
| Voice Provider | Any (ElevenLabs, OpenAI, Voquii) | Voquii only (Kokoro TTS) |
| Conversation History | Visible in dashboard | Not displayed |
| Call Summaries | Generated post-call | Disabled |
| Application Logs | Standard logging | PHI redacted with [REDACTED-HIPAA] |
Compliance Dashboard
The HIPAA settings page includes a live compliance dashboard that runs real system-level checks every time you load it. It verifies:
- Application Controls - HIPAA mode enabled, Voquii-only voice provider, recording disabled, PHI log suppression
- Encryption - LUKS full-disk encryption, TLS 1.2+ in transit, SCRAM-SHA-256 database authentication
- Memory Protection - Swap disabled, kernel swappiness set to zero
- Access Controls - SSH key-only authentication, UFW firewall active, database ports restricted, fail2ban intrusion prevention
- Audit & Monitoring - PostgreSQL audit logging (connections, disconnections, DDL), Linux auditd active
- Legal - BAA template available for download
Each check shows pass, warn, or fail status. Items marked Critical must be resolved before signing a BAA. Click Refresh checks to re-run all verifications.
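Four of the host-level items listed above (swap disabled, swappiness zero, SSH key-only authentication, PostgreSQL audit logging) can also be verified independently on a Linux host. The script below is an added example, not Voquii's code and not how the dashboard is implemented; the function names and sample files are constructed, and it assumes saved `sshd -T` output from a current OpenSSH and a `key = value` style postgresql.conf.

```sh
# Added example, not Voquii's code. Each check reads a file, so it can be run
# against the live path or a saved copy. Exit status 0 means pass.

check_swap_off() {      # $1: /proc/swaps (header line only when swap is off)
    awk 'NR > 1 && NF { n++ } END { exit (n > 0) }' "$1"
}

check_swappiness() {    # $1: /proc/sys/vm/swappiness
    [ "$(tr -d '[:space:]' < "$1")" = "0" ]
}

sshd_value() {          # $1: saved `sshd -T` output, $2: lowercase keyword
    awk -v k="$2" 'tolower($1) == k { print tolower($2); exit }' "$1"
}

check_ssh_key_only() {  # password-style methods off, public key on
    [ "$(sshd_value "$1" passwordauthentication)" = "no" ] &&
    [ "$(sshd_value "$1" kbdinteractiveauthentication)" = "no" ] &&
    [ "$(sshd_value "$1" pubkeyauthentication)" = "yes" ]
}

pg_value() {            # $1: postgresql.conf, $2: parameter; last setting wins
    sed -e 's/#.*//' -e "s/'//g" "$1" | awk -F= -v k="$2" '
        { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val) }
        key == k { out = tolower(val) }
        END { print out }'
}

check_pg_audit() {      # connections, disconnections and at least DDL logged
    [ "$(pg_value "$1" log_connections)" = "on" ] &&
    [ "$(pg_value "$1" log_disconnections)" = "on" ] &&
    case "$(pg_value "$1" log_statement)" in ddl|mod|all) true ;; *) false ;; esac
}

report() { if "$2" "$3"; then echo "pass  $1"; else echo "fail  $1"; fi; }

# Constructed sample inputs so the script runs offline.
d=$(mktemp -d)
printf 'Filename\tType\tSize\tUsed\tPriority\n' > "$d/swaps"
echo 0 > "$d/swappiness"
printf '%s\n' 'passwordauthentication no' 'kbdinteractiveauthentication no' \
    'pubkeyauthentication yes' > "$d/sshd_T"
printf '%s\n' 'log_connections = on' "log_statement = 'ddl'  # audit" > "$d/pg.conf"
report "swap disabled" check_swap_off "$d/swaps"
report "swappiness zero" check_swappiness "$d/swappiness"
report "SSH key-only" check_ssh_key_only "$d/sshd_T"
report "PostgreSQL audit logging" check_pg_audit "$d/pg.conf"   # fails: log_disconnections unset
rm -rf "$d"
```

On a real host, pass `/proc/swaps`, `/proc/sys/vm/swappiness`, a file holding the output of `sshd -T`, and the server's postgresql.conf in place of the constructed files.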
Business Associate Agreement (BAA)
A custom BAA template is available for download from Settings → HIPAA Compliance.
What's Included
- Blind Provider Clause - Voquii operates as an infrastructure provider without logical access to PHI when HIPAA mode is enabled
- Shared Responsibility Model - Defines responsibilities between Voquii (infrastructure) and the Covered Entity
- Technical Safeguards - Details on encryption (LUKS, TLS), access controls, and audit logging
- Breach Notification - Procedures for incident response and notification timelines
Important: HIPAA mode configures Voquii for zero data retention. Your organization is responsible for ensuring overall HIPAA compliance, including BAAs with your clients, staff training, and physical security controls.
FAQ
Can I enable HIPAA mode for some clients and not others?
Yes. HIPAA mode is a per-bot setting. You can enable it for healthcare clients while keeping standard mode (with transcripts, analytics, and recordings) for non-healthcare clients.
What happens to existing transcripts when I enable HIPAA mode?
HIPAA mode only affects new calls going forward. Existing conversation history remains in the database. If you need to purge existing data for a specific bot, contact support.
Can I still use ElevenLabs or OpenAI voices with HIPAA mode?
No. HIPAA mode automatically switches the voice provider to Voquii (Kokoro TTS) and disables third-party voice APIs. This ensures audio never leaves our GPU infrastructure.
Does HIPAA mode affect call quality or latency?
No. The voice pipeline runs identically - ASR, LLM, and TTS all process on the same GPU cluster. The only difference is that data is not persisted after the call ends. Latency remains at 375ms TTFA.
Is Voquii SOC 2 certified?
Not currently. Voquii provides HIPAA compliance through its zero-retention architecture, encryption, access controls, and BAA. SOC 2 Type II certification is on the roadmap.
Do I need a separate BAA with the telephony provider (Twilio/Telnyx)?
Yes. Twilio and Telnyx both offer HIPAA-eligible plans with their own BAAs. Since you bring your own telephony account (BYOK), you should ensure your telephony provider is HIPAA-compliant for healthcare use cases.