HIPAA compliance
Learn how ElevenLabs Conversational AI supports HIPAA compliance for healthcare applications
This guide is a technical overview of our HIPAA compliance. Please refer to our compliance page for the latest information.
Overview
ElevenLabs Conversational AI is one of ElevenLabs’ HIPAA-eligible services, and we offer Business Associate Agreements (BAAs) to eligible customers. This service enables Covered Entities and Business Associates, as defined under HIPAA, to develop AI-powered voice agents capable of handling Protected Health Information (PHI) while ensuring regulatory compliance.
Once a BAA is in place and Zero Retention Mode is enabled, PHI remains securely protected throughout the entire conversation lifecycle, ensuring full compliance with HIPAA’s data protection requirements.
How HIPAA compliance works
When HIPAA compliance is required for a workspace, the following policies are enabled:
- Zero Retention Mode - All sensitive data from conversations is automatically redacted before storage. This also applies to derivative data like LLM-produced transcript summaries, and tool call parameters and results.
- LLM Provider Restrictions - Only LLMs from providers with whom we have a BAA in place are available as preconfigured options
- Storage Limitations - Raw audio files and transcripts containing PHI are not retained
If you want to use LLMs that aren’t available preconfigured in Zero Retention Mode (e.g., OpenAI’s GPT-4o mini), you can still use them in Conversational AI by:
- Arranging to sign a BAA directly with the LLM provider you’d like to use
- Using your API key with our Custom LLM integration
ElevenLabs’ platform ensures that PHI shared as part of a conversation is not inadvertently stored or logged in any system component, including:
- Conversation transcripts
- Audio recordings
- Tool calls and results
- Data analytics
- System logs
For Conversational AI, your BAA applies only to conversation content. Agent configuration data is persisted, meaning it is not covered by Zero Retention Mode and should not contain PHI.
Enabling HIPAA compliance
HIPAA compliance is only available on Enterprise tier subscriptions and requires a BAA to be in place between you and ElevenLabs. Contact your account representative to discuss enabling this feature for your organization.
HIPAA-Compliant LLMs
When operating in Zero Retention Mode, only the following LLMs are available:
Google Models
- Gemini 2.0 Flash
- Gemini 2.0 Flash Lite
- Gemini 1.5 Flash
- Gemini 1.5 Pro
- Gemini 1.0 Pro
Anthropic Models
- Claude 3.7 Sonnet
- Claude 3.5 Sonnet
- Claude 3.0 Haiku
Custom LLMs
- Custom LLM (supports any OpenAI-API compatible provider and requires you to bring your own API keys)
Technical implementation
Zero Retention Mode implements several safeguards including but not limited to:
- LLM Allowlist - Prevents use of non-compliant LLMs
- PII Redaction - Automatically redacts sensitive fields before storage
- Storage Prevention - Disables uploading of raw audio files to the cloud
Developer experience
When working with Zero Retention Mode agents:
API restrictions are enforced
API calls attempting to use non-compliant LLMs will receive an HTTP 400 error. Analytics data will be limited to non-sensitive metrics only.
FAQ
Can I use any LLM if HIPAA compliance is required?
No. When HIPAA compliance is required, you can only use LLMs from the approved list. Attempts to use non-compliant LLMs will produce an error. You can always use a custom LLM if you need a specific model not on the allowlist.
How do I know if my workspace is HIPAA compliant?
HIPAA compliance is only available to enterprise customers. Please refer to your account executive to check if this is enabled.
Does HIPAA compliance affect conversation quality?
No. HIPAA compliance only affects how data is stored and which LLMs can be used. It does not impact the quality or functionality of conversations while they are active.
Can I still analyze conversation data if my agent is HIPAA compliant?
Yes, but with limitations. Conversation analytics will only include non-sensitive metadata like call duration and success rates. Specific content from conversations will be redacted.
Best practices
When building HIPAA-compliant voice agents:
- Use Custom LLMs when possible for maximum control over data processing
- Implement proper authentication for all healthcare applications
- Validate that the configuration is correct by checking that redaction works before launching and before passing PHI
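The last two practices above can be turned into a pre-launch gate. The following is an added example, not ElevenLabs code: it checks a fetched agent configuration against the allowlist on this page (the model identifier strings are hypothetical labels, not ElevenLabs' own) and scans the persisted prompt fields for PHI-like values, then scans a stored transcript from a dry run made with synthetic PHI to confirm redaction actually happened. The PHI patterns are heuristics and the sample config and transcript are constructed.

```python
import re

# Allowlist identifiers are hypothetical labels for the models listed on this page.
HIPAA_LLM_ALLOWLIST = {
    "gemini-2.0-flash", "gemini-2.0-flash-lite", "gemini-1.5-flash",
    "gemini-1.5-pro", "gemini-1.0-pro", "claude-3-7-sonnet",
    "claude-3-5-sonnet", "claude-3-0-haiku", "custom-llm",
}

# Heuristic PHI-like patterns (constructed): SSN, US phone, DOB label, MRN label.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "dob": re.compile(r"\b(?:dob|date of birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{2,4}", re.I),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{5,}\b", re.I),
}


def find_phi(text):
    """Return the names of PHI-like patterns found in text (sorted, may be empty)."""
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))


def check_agent_config(config, allowlist=HIPAA_LLM_ALLOWLIST):
    """Return findings for a persisted agent config; an empty list means it passed."""
    findings = []
    llm = config.get("llm", "")
    if llm not in allowlist:
        findings.append(f"llm '{llm}' is not on the HIPAA allowlist")
    # Agent config is persisted outside Zero Retention Mode, so it must not carry PHI.
    for field in ("prompt", "first_message"):
        hits = find_phi(config.get(field, ""))
        if hits:
            findings.append(f"{field} contains PHI-like data: {', '.join(hits)}")
    return findings


def check_transcript_redacted(transcript):
    """Return (role, patterns) for every stored turn that still contains PHI-like data."""
    return [(turn.get("role"), hits) for turn in transcript
            if (hits := find_phi(turn.get("message", "")))]


# Constructed sample: a misconfigured test agent and a stored dry-run transcript.
SAMPLE_CONFIG = {
    "llm": "gpt-4o-mini",
    "prompt": "You are a scheduling assistant. Test patient DOB: 01/02/1980.",
    "first_message": "Hello, how can I help you today?",
}
SAMPLE_TRANSCRIPT = [
    {"role": "user", "message": "My SSN is [REDACTED] and MRN [REDACTED]."},
    {"role": "agent", "message": "Thanks, I will call you back at 555-123-4567."},
]
```

Run both checks against the sample: the config fails on the non-allowlisted model and the DOB in the prompt, and the transcript check flags the agent turn whose phone number survived storage.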