Is VoxParse HIPAA compliant?

VoxParse includes HIPAA and PCI-DSS compliance detection flags. The API identifies when protected health information or payment card data appears in calls.

← Back to Blog Padlock on redacted medical and financial documents

Compliance

HIPAA and PCI Compliant Transcription: What Your API Must Do

April 27, 2026 · 9 min read

If your organization transcribes phone calls that contain protected health information (PHI) or payment card data, your transcription API is a compliance surface. It does not matter how secure the rest of your stack is. If audio files and transcripts pass through a third-party API without appropriate safeguards, you have a gap that auditors will find.

This guide breaks down what HIPAA and PCI-DSS actually require from a transcription API, gives you a practical checklist for evaluating providers, and shows how VoxParse handles each requirement.

Why compliance matters more in 2026

Three regulatory shifts have raised the stakes for any business that processes call recordings:

HIPAA enforcement is increasing: The HHS Office for Civil Rights has accelerated audits of business associates, including cloud service providers and API vendors that handle PHI
PCI-DSS v4.0 is fully enforced: As of March 2025, all organizations must comply with v4.0 requirements, which include stricter controls on cardholder data in recordings
State privacy laws are expanding: Beyond CCPA, states like Colorado, Connecticut, Virginia, and Texas now have consumer privacy laws that affect how call recordings are processed and stored

The common thread is that sending audio to a transcription API now counts as data processing under most frameworks. Your API vendor is a subprocessor, and you are responsible for their compliance posture.

HIPAA requirements for audio transcription

HIPAA applies when your call recordings contain PHI, which includes any individually identifiable health information. For healthcare providers, insurers, and their business associates, virtually every patient call qualifies.

Your transcription API must satisfy these HIPAA requirements:

Business Associate Agreement (BAA): The API provider must sign a BAA before you send any PHI through their system
Encryption in transit and at rest: Audio files and transcripts must be encrypted using AES-256 or equivalent during transmission (TLS 1.2+) and storage
Access controls: Only authorized personnel should access PHI. API keys and authentication must enforce least-privilege access
Audit logging: Every access to PHI must be logged with timestamps, user identity, and the nature of the access
Data retention limits: PHI must be retained only as long as necessary and securely deleted afterward
Breach notification: The provider must notify you within 60 days of discovering a breach involving your data

PCI-DSS requirements for call recordings

PCI-DSS applies whenever cardholder data (card numbers, CVVs, expiration dates) appears in your call recordings. If your agents take payments over the phone, your transcription pipeline is in scope.

Do not store CVV/CVC: Under PCI-DSS Requirement 3.3.2, sensitive authentication data must never be stored after authorization, even if encrypted
Mask card numbers: If primary account numbers (PANs) appear in transcripts, they must be masked to show only the first six and last four digits
Encrypt stored data: Any retained cardholder data must be encrypted using strong cryptography with documented key management
Restrict access: Access to cardholder data must be limited to individuals with a business need
Monitor and log: All access to network resources and cardholder data must be tracked and monitored

The simplest way to comply with PCI-DSS for transcription is to never store cardholder data in your transcripts at all. Automatic redaction before storage eliminates the entire PCI scope from your transcript database.

The 7-point compliance checklist

Use this checklist when evaluating any transcription API for regulated workloads:

Audio files must be encrypted during upload (TLS 1.2+) and while stored. Transcripts and analysis results must also be encrypted at rest. Ask: What encryption standard is used? Is encryption applied to both audio and output data?

The API should offer automatic detection and masking of names, phone numbers, SSNs, card numbers, CVVs, and addresses. This should be a single parameter, not a separate pipeline. Ask: Is redaction automatic or manual? Does it cover both transcript text and structured JSON fields?

The provider must document how long audio and transcripts are stored, and provide mechanisms for deletion. Indefinite retention of PHI or cardholder data is a compliance violation. Ask: What is the default retention period? Can you request immediate deletion?

Every API call should be logged with a timestamp, API key identity, and operation type. You need this audit trail for both HIPAA and PCI-DSS. Ask: Are API access logs available? What level of detail do they capture?

For HIPAA-regulated organizations, a signed BAA is a prerequisite, not a nice-to-have. Without it, sending PHI to the API is a violation regardless of the provider's security posture. Ask: Do you offer a BAA? Is it available on all plans or only enterprise?

Some regulations require that data be processed and stored within specific geographic boundaries. Ask: Where are audio files processed? Where are transcripts stored? Can you restrict processing to specific regions?

If the API provider uses third-party services (cloud storage, AI models), those subprocessors must be disclosed. Under GDPR, you need contractual assurances about the entire chain. Ask: What subprocessors handle my data? Are they disclosed in your privacy policy?

How VoxParse handles each requirement

Requirement	VoxParse Implementation
Encryption	TLS 1.3 in transit. AES-256 encryption at rest for all stored audio in isolated cloud storage
PII/PHI redaction	Single parameter: `redact_pii=true`. Masks names, phones, emails, SSNs, card numbers, CVVs, and addresses in both transcript text and structured JSON
Data retention	30-day audio retention with automatic deletion. Documented in privacy policy
Audit logging	Every API call logged with timestamp, API key hash, operation type, and result status
No data sharing	Audio and transcripts are never shared with third parties or used for model training
Subprocessors	Disclosed in privacy policy. All subprocessors are vetted for SOC 2 compliance and bound by data processing agreements

Compliance comparison across providers

Feature	VoxParse	AssemblyAI	Deepgram	Google STT
Auto PII redaction	✓ Included	+$0.02/hr	✓ Included	✗ Manual
Card number masking	✓ Automatic	✗ Limited	✓ Redaction	✗ None
Retention controls	30-day auto-delete	Custom	Custom	Custom
Audit logging	✓ Every call	✓ Enterprise	✓ Enterprise	✓ Cloud Audit
BAA available	On request	Enterprise only	Enterprise only	✓ Standard
Compliance add-on cost	$0 (all included)	$0.02+/hr	Varies	Varies

Getting started with compliant transcription

The fastest path to compliant transcription is a three-step approach:

Enable PII redaction by default: Add redact_pii=true to every API call. This eliminates PII from your transcript database entirely, reducing your compliance surface.
Store redacted transcripts only: If you need the unredacted version for a specific compliance investigation, request it on demand and do not persist it.
Audit your data flow: Map exactly where audio files and transcripts travel in your infrastructure. Every stop is a compliance checkpoint.

# Compliant transcription request
curl -X POST https://api.voxparse.com/v1/transcribe \
  -H "X-API-Key: YOUR_API_KEY" \
  -F "[email protected]" \
  -F "redact_pii=true"

# The response contains full AI analysis with all PII masked:
# Names -> [REDACTED_NAME]
# Phones -> [REDACTED_PHONE]
# SSNs -> [REDACTED_SSN]
# Card numbers -> [REDACTED_CARD]
# Addresses -> [REDACTED_ADDRESS]

For a detailed walkthrough of how redaction works, including side-by-side before/after examples with real audio, see our PII redaction guide.

Every plan includes PII redaction

No compliance add-on fees. No enterprise-only features. $0.49/hr for everything, including automatic PII masking.

Get started free →

Bottom line

Compliance is not a feature you add later. It is a filter you apply before selecting any vendor that touches sensitive data. If your transcription API cannot demonstrate encryption, automatic redaction, documented retention, and audit logging, it is not ready for healthcare or financial services workloads.

The good news is that compliant transcription does not have to be expensive or complex. With the right API, it is a single parameter on every request.

Read the pricing comparison to understand why compliance features should be included in your base rate, not sold as premium add-ons.