AI Agents & Compliance: HIPAA, TCPA, GDPR Frameworks
AI agents that handle customer calls, collect personal data, or operate in regulated industries face strict compliance requirements. HIPAA for healthcare, TCPA for telemarketing calls, GDPR for EU customers — each imposes different rules on consent, recording, data retention, and disclosure. This guide covers practical compliance frameworks to build AI agents that pass audits and protect your business.
HIPAA: Healthcare AI Agents
HIPAA (Health Insurance Portability and Accountability Act) protects patient health information. If your AI agent handles any protected health information (PHI) — symptoms, medication names, appointment histories, insurance details — you must comply.
Core requirements:
- Covered entity status: If you're a healthcare provider, health plan, or healthcare clearinghouse, you're covered. If you're a vendor (business associate), you need a Business Associate Agreement (BAA) with your customer.
- Encryption: All data in transit (TLS 1.2+) and at rest (AES-256). Call recordings with PHI must be encrypted.
- Authentication: Multi-factor authentication for anyone accessing PHI. Audit logs for all access, retention ≥6 years.
- Consent & disclosure: Patients must consent to recording. AI disclosure: if the agent is AI, the patient must be told before the call.
- Data minimization: Only collect PHI required for the interaction. Delete after retention period (typically 30 days for recordings, varies by policy).
Real example — dentist intake AI: A dental practice deploys an AI agent to handle appointment reminders and pre-visit intake ("Are you allergic to any medications?"). The agent collects medication history (PHI). Compliance checklist: (1) Encrypt call recordings server-side with AES-256. (2) Sign a BAA with the practice. (3) Log all data access. (4) Disclose "This call may be recorded and reviewed by our team" at the start. (5) Delete recordings after 30 days. (6) If the AI handles medication questions, route uncertain responses to a human. Cost: $300/mo for UltisAI plus compliance infrastructure, which is far less than the $100K+ penalties for a HIPAA violation.
TCPA: Telemarketing & Compliance Calls
TCPA (Telephone Consumer Protection Act) governs outbound calls, SMS, and robocalls. Even inbound call agents can trigger TCPA rules if they make callbacks or follow-up calls.
Core requirements:
- Do Not Call list: Before any outbound call, check the National Do Not Call Registry and keep a record of each check. Violations: $43K per call (not per campaign).
- Consent & disclosure: For outbound calls, written prior express consent is required (signature, online form, verbal + documentation). Disclose: company name, call purpose, and callback number.
- Calling windows: No calls before 8am or after 9pm in the recipient's time zone. Honor "do not call" requests immediately.
- Artificial voices: Robocalls with synthetic voices are prohibited unless exempted. AI disclosure: "This call uses automated technology."
- Callback rules: If your AI agent makes a callback (e.g., "Calling you back about your quote"), document the prior consent and the call purpose.
Real example — contractor callback AI: A roofing company receives a call: "Need a quote on a leak?" Their AI offers to call back within 24 hours with the quote. Compliance: (1) Obtain prior verbal consent during the initial call ("I'll have our team call you back by end of business tomorrow — is that OK?"). (2) Document the consent timestamp. (3) Program the AI to call only within 8am–9pm in the recipient's local time zone (calculated from the area code or caller input). (4) Disclose before dialing: "This is a callback about your roofing estimate. This call uses automated technology." (5) If the caller says "don't call again," remove them from the callback list and escalate the quote to a human. Result: recorded consent plus proper disclosure prevents $43K TCPA fines per violation.
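The callback gate from steps (1)–(5), as an added example that is not part of the original post or of UltisAI's product: it refuses an outbound call unless documented consent exists for that number and purpose, the number is not on the Do Not Call list, and the recipient's local time is inside the 8am–9pm window. The consent record, the Do Not Call entries and the area-code-to-offset table are constructed sample data; the offsets are fixed standard-time values, so a real deployment must use a DST-aware zone table and a live registry lookup.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import Optional, Tuple

# Constructed sample table: NANP area code -> UTC offset in hours (standard time only).
AREA_CODE_UTC_OFFSET = {"212": -5, "415": -8, "303": -7}
# Constructed Do Not Call entries, stored as bare digits; also receives in-call opt-outs.
DNC_LIST = {"14155550100"}


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp (helper so all times in the gate are aware)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass
class ConsentRecord:
    number: str            # recipient number as digits, e.g. "12125550123"
    purpose: str           # call purpose agreed during the inbound call
    granted_at: datetime   # when the verbal consent was documented
    revoked: bool = False  # set when the caller says "don't call again"


def normalize(number: str) -> str:
    """Keep digits only so '+1 212 555 0123' and '12125550123' compare equal."""
    return "".join(ch for ch in number if ch.isdigit())


def recipient_local_time(digits: str, now_utc: datetime) -> time:
    """Derive local wall-clock time from the area code (digits 2-4 of a 1NXX number)."""
    offset = AREA_CODE_UTC_OFFSET.get(digits[1:4], 0)   # unknown area code -> treat as UTC
    return (now_utc + timedelta(hours=offset)).time()


def revoke_consent(consent: ConsentRecord) -> None:
    """Step (5): honor 'don't call again' immediately and remember it in the DNC list."""
    consent.revoked = True
    DNC_LIST.add(consent.number)


def callback_allowed(consent: Optional[ConsentRecord], number: str, purpose: str,
                     now_utc: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason); the reason is what goes into the audit log either way."""
    digits = normalize(number)
    if digits in DNC_LIST:
        return False, "number on Do Not Call list"
    if consent is None or consent.revoked:
        return False, "no documented prior express consent"
    if consent.number != digits or consent.purpose != purpose:
        return False, "consent does not cover this number and purpose"
    local = recipient_local_time(digits, now_utc)
    if not time(8, 0) <= local < time(21, 0):
        return False, f"outside 8am-9pm window (recipient local time {local:%H:%M})"
    return True, "allowed; play automated-technology disclosure before speaking"
```

The disclosure string from step (4) is played by the caller of this function once it returns `True`; every `False` reason is logged with the consent timestamp so the record survives an audit.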
GDPR: EU Customer Data
GDPR (General Data Protection Regulation) applies to any AI agent that handles EU customer data, even if your company is US-based. The rules are strict.
Core requirements:
- Lawful basis: You must have a lawful reason to process personal data: consent, contract, legal obligation, vital interests, public task, or legitimate interest. For calls: typically "contract" (booking a service) or "consent" (opt-in). Document which.
- Data processing agreement (DPA): If you use a third-party AI vendor (like UltisAI), sign a DPA that covers data processing, subprocessors, and deletion.
- Consent & privacy notice: Before collecting data, inform users: what data is collected, why, how long it's stored, and their rights (access, deletion, portability). Audio disclosure: "Your call may be recorded and used to improve our service. You can request deletion anytime."
- Data minimization: Only collect data essential to the business purpose. If the call is about a booking, don't ask for full credit card details — ask only for the appointment date.
- Retention: Delete data when it is no longer necessary. Calls: 90 days unless a legal requirement (tax, contract disputes) applies. Older data must be deleted or anonymized.
- Right to access/delete: EU users can request all their data ("Tell me what you have on me") or deletion ("Delete my call recordings"). You must comply within 30 days. Design your system for easy export and deletion.
Real example — EU tour booking AI: A UK-based tour operator deploys an AI agent to handle call inquiries from EU customers. Compliance: (1) Privacy notice in call greeting: "We record this call to process your booking. You can request deletion anytime by emailing us." (2) Sign a DPA with UltisAI stating they're a data processor for EU customers. (3) Store call recordings encrypted on EU servers (GDPR geography rules). (4) Delete recordings after 90 days unless there's an active dispute or booking contract. (5) Implement a "customer data export" endpoint so users can download their call logs and personal data on request. (6) When a user requests deletion, queue the deletion within 30 days. Result: Full GDPR compliance, zero regulatory risk.
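Steps (4)–(6) of the tour-operator procedure as an added example, not code from the original post or from UltisAI: a 90-day retention sweep that skips recordings under an active dispute or booking hold, an export for access requests, and a deletion handler that erases what it can, reports what a hold keeps, and returns the 30-day response deadline. The in-memory record store and the `legal_hold` field are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

RETENTION = timedelta(days=90)    # recordings kept 90 days unless a hold applies (step 4)
REQUEST_SLA = timedelta(days=30)  # access/deletion requests answered within 30 days (step 6)


def utc(year: int, month: int, day: int) -> datetime:
    """Aware UTC timestamp helper; all retention arithmetic must use aware datetimes."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class CallRecord:
    record_id: str
    subject_email: str
    created_at: datetime
    transcript: str
    legal_hold: Optional[str] = None  # constructed: e.g. "dispute #42" or "active booking"
    deleted: bool = False


def retention_sweep(records: List[CallRecord], now: datetime) -> Tuple[List[str], List[str]]:
    """Return (delete_ids, held_ids): expired recordings vs. expired ones kept under a hold."""
    delete_ids, held_ids = [], []
    for r in records:
        if r.deleted or now - r.created_at < RETENTION:
            continue
        (held_ids if r.legal_hold else delete_ids).append(r.record_id)
    return delete_ids, held_ids


def export_subject_data(records: List[CallRecord], email: str) -> List[Dict]:
    """Right of access (step 5): everything still held about one subject, in a portable shape."""
    return [{"record_id": r.record_id, "created_at": r.created_at.isoformat(),
             "transcript": r.transcript, "legal_hold": r.legal_hold}
            for r in records if r.subject_email == email and not r.deleted]


def handle_deletion_request(records: List[CallRecord], email: str, received_at: datetime) -> Dict:
    """Right to erasure (step 6): erase now, list what a hold retains, give the response deadline."""
    erased, retained = [], []
    for r in records:
        if r.subject_email != email or r.deleted:
            continue
        if r.legal_hold:
            retained.append((r.record_id, r.legal_hold))  # reason must be explained to the subject
            continue
        r.transcript = ""        # erase the content itself, not just a flag
        r.deleted = True
        erased.append(r.record_id)
    return {"erased": erased, "retained": retained, "respond_by": received_at + REQUEST_SLA}
```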
Building a Compliance-First AI Agent
Consent layer: Before the AI answers, collect explicit consent if required by your jurisdiction. E.g., "This call will be recorded to improve service. Do you consent?" Log the response. Never proceed without consent for HIPAA, TCPA, or GDPR-sensitive interactions.
Disclosure & transparency: Let callers know they're talking to an AI. "Hi, this is our AI receptionist. I'm here to collect your details and schedule your appointment." Transparency builds trust and ensures compliance.
Escalation on sensitive topics: If a caller mentions medication, legal issues, or anything requiring human judgment, escalate immediately. AI agents should not diagnose, provide legal advice, or handle PII without human review.
Encryption & access control: Use end-to-end encryption for call recordings. Restrict access to recordings to authorized staff only. Log every access for audit compliance.
Audit & documentation: Keep detailed records: who processed what data, when, why. Use a compliance checklist per jurisdiction. Review quarterly. If a regulator asks, your documentation proves you took reasonable care.
Summary: Compliance by Jurisdiction
Healthcare (HIPAA): Encrypt PHI, sign BAA, log access, disclose recording, delete after retention period.
Telemarketing (TCPA): Check Do Not Call list, obtain prior consent for outbound calls, respect opt-outs, disclose artificial voice, stay within calling windows.
EU/GDPR: Establish lawful basis, sign DPA with vendors, disclose in privacy notice, enable data export and deletion, store on EU servers.
Compliance is not a one-time task. As regulations evolve and your AI agent's scope expands, revisit your compliance checklist. Use a Data Protection Impact Assessment (DPIA) to identify new risks. When in doubt, escalate to a human and consult a privacy lawyer. The cost of compliance ($1–5K in legal review plus infrastructure) is far less than the cost of a violation ($100K–$1M+ in fines).