Is Sage Voice a HIPAA Business Associate?

Yes — Sage Voice executes a Business Associate Agreement with each healthcare tenant per 45 CFR § 164.504(e). Sage Voice in turn maintains BAAs with downstream subcontractors (Retell, Vapi, OpenAI, Anthropic, ElevenLabs, Cloudflare). The BAA chain is documented in the tenant onboarding runbook.

How is PHI redacted in the audit log?

Audit entries for healthcare tenants pass through a conservative regex pass that handles all 18 Safe Harbor identifier categories per 45 CFR § 164.514(b)(2) — names, geographic subdivisions smaller than a state, dates more specific than year, phone numbers, fax numbers, email addresses, SSNs, MRNs, health-plan beneficiary numbers, account numbers, certificate numbers, vehicle identifiers, device identifiers, URLs, IP addresses, biometric identifiers, full-face photos, any other unique identifier. Entries with redacted=false are rejected at the Durable Object boundary.

Does the assistant diagnose or triage?

No. Sage Voice handles intake and logistics — chief complaint and duration only — not clinical decision-making. Diagnosis codes, lab results, imaging results, and psychotherapy notes are excluded at both the prompt and audit-log layer. Any urgent symptom (chest pain, suicidal ideation, severe shortness of breath) triggers an immediate transfer to the practice line.

What does California AB 3030 require?

California AB 3030 (Cal. Health & Safety Code § 1339.75, effective 2025) requires AI disclosure on clinical patient communications generated by generative AI. Sage Voice delivers and timestamp-acknowledges the disclosure on every California healthcare call automatically.

What is the default retention?

Six years from the later of creation or last effective date, per 45 CFR § 164.530(j). R2 bucket lifecycle policy and Durable Object retention are configured for six years by default; tenants in states with longer retention requirements (e.g., MA 20 years for adults, until age 26 for minors) override per-tenant.

Which downstream providers are HIPAA-aligned?

As of 2026-06-05: Cloudflare offers a BAA on Workers (per cloudflare.com/trust-hub), AWS and Azure offer BAAs on most regulated services, OpenAI offers BAAs on its enterprise and API tiers (per openai.com/security/business-associate-agreement), Anthropic offers BAAs on Claude Enterprise (per anthropic.com/legal). Retell and Vapi BAA availability shifts; the tenant declares approval per provider on tenant config.

How does Sage Voice handle the minimum necessary standard?

The prompt library scopes intake to general chief complaint and duration only. Diagnosis codes, lab results, imaging, and psychotherapy notes are excluded at the prompt-template layer and the audit-log schema. The minimum necessary standard per 45 CFR § 164.502(b) is built into the prompts, not delegated to the model.

Sage Voice for healthcare — HIPAA, BAA-gated routing, AB 3030

Kill-shot — healthcare vertical

Hippocratic AI and Cresta are the direct competitors. We ship in 14 days; they take six months.

The named, well-funded competitors in healthcare voice AI are Hippocratic AI (general nursing-agent platform, clinical scope), Cresta (contact-center AI, multi-vertical, not healthcare-specific), and a long tail of EHR-integrated offerings from Epic, Oracle Health, and athenahealth. All of them are real and all of them can cover Sage Voice's intake-and-logistics scope eventually.

Where Sage Voice wins inside the 24-36 month window:

Time-to-live for an SMB practice. 14 days from BAA signature to first production call — versus Hippocratic's enterprise-sales cycle and Cresta's multi-vertical platform onboarding.
BAA-chain transparency. Sage Voice publishes the full downstream BAA chain (Cloudflare, OpenAI, Anthropic, ElevenLabs, Retell, Vapi) and refuses to route PHI to providers outside the tenant's declared approval list. Most competitors disclose only the top-level BAA.
Intake scope discipline. Sage Voice deliberately does not diagnose, triage, or capture diagnosis codes. The narrower scope makes the HIPAA risk assessment shorter and the counsel review faster. Hippocratic competes on clinical depth; Sage Voice competes on deployment speed.
California AB 3030. Built-in disclosure delivery + acknowledgement on every California call. Most competitors retrofit this; Sage Voice ships it.
Bilingual EN + Mexican Spanish. Native authorship matters for community-health practices serving Hispanic-American patients.

Kill condition. If Hippocratic AI ships an SMB-practice tier with sub-30-day onboarding, or Cresta launches a healthcare-vertical pack with published BAA chain transparency, Sage Voice's healthcare wedge narrows fast. The exit decision moves toward acquihire-to-Cresta range.

Scope discipline

Intake and logistics, not clinical.

Sage Voice is intake + logistics, never clinical decision-making. The assistant does not diagnose, never triages urgency, and never captures diagnosis codes, lab results, imaging results, or psychotherapy notes — these are excluded at both the prompt and audit-log layer.

Any patient mention of an urgent symptom — chest pain, suicidal ideation, severe shortness of breath, signs of stroke — triggers an immediate transfer to the practice line and ends Sage Voice's data collection. The transfer event is captured in the audit log with the trigger phrase redacted.

BAA chain

Sage Voice signs the BAA. Tenant declares the approved providers.

Sage Voice signs a Business Associate Agreement with the covered entity per 45 CFR § 164.504(e). Sage Voice maintains BAAs with downstream subcontractors (Retell, Vapi, OpenAI, Anthropic, ElevenLabs, Cloudflare). Tenants declare which downstream providers they have approved; Sage Voice refuses to route PHI to providers outside the tenant's BAA list (see src/compliance/hipaa.ts).

BAA availability per downstream provider as of 2026-06-05: Cloudflare BAA available on Workers and R2 (cloudflare.com/trust-hub), OpenAI BAA available on Enterprise + API (openai.com/security/business-associate-agreement), Anthropic BAA on Claude Enterprise (anthropic.com/legal). Retell and Vapi BAA availability is tenant-declared on config.

State overlays

Federal HIPAA baseline plus state add-ons.

California AB 3030

Cal. Health & Safety Code § 1339.75. AI disclosure mandatory on clinical patient communications. Effective 2025.

Texas 22 TAC § 174

Telemedicine and telehealth services rule. Disclosure recommended on AI-assisted intake.

New York

SHIELD Act + Public Health Law § 18. Patient access rights to records; reasonable security requirements.

References

Authoritative citations on every healthcare gate.

HIPAA Privacy Rule — 45 CFR Part 164 Subpart E
HIPAA Security Rule — 45 CFR Part 164 Subpart C
HIPAA Breach Notification Rule — 45 CFR §§ 164.400–414
Business Associate Agreement requirements — 45 CFR § 164.504(e)
Safe Harbor de-identification — 45 CFR § 164.514(b)(2)
Minimum necessary standard — 45 CFR § 164.502(b)
Audit controls — 45 CFR § 164.312(b)
Retention (six years) — 45 CFR § 164.530(j)
Risk analysis — 45 CFR § 164.308(a)(1)(ii)(A)
HHS Office for Civil Rights guidance on AI in healthcare communications

Sage Voice provides infrastructure. HIPAA compliance also requires covered-entity administrative + physical safeguards, workforce training, and the annual risk assessment per 45 CFR § 164.308. Sage Voice supplies the technical-safeguard appendix.