HIPAA, the Health Insurance Portability and Accountability Act, is the U.S. baseline for handling patient data. Any AI agent that touches PHI (names, dates of birth, medical reasons for the call) operates under HIPAA whether the vendor admits it or not.
For a clinic buyer, the practical checklist is short. The vendor needs to sign a Business Associate Agreement (BAA). The vendor needs documented retention and breach notification policies. The vendor needs to encrypt PHI in transit and at rest, and to redact it from telemetry where it is not needed for operations.
Most CX-AI vendors will say they are 'HIPAA-aligned' without signing the BAA. That is not HIPAA compliance, that is marketing. The BAA is the contract that creates the obligation. Without it, there is no recourse if the vendor mishandles PHI.
Vorel signs a BAA on every healthcare master agreement, the BAA is non-optional, not a customization.

