If you are putting a voice agent anywhere near patient data, HIPAA is not a feature you compare at the end. It is a gate at the front. Get it wrong and the cheapest per-minute rate in the world does not save you, because the fine, the breach notice and the lost trust dwarf any saving on the meter. So this page starts where a healthcare buyer has to start: which of these platforms can actually carry protected health information, and how painful is the compliant path once you walk it.
A quick plain-language note first, because the jargon trips people up. HIPAA is the United States health-privacy law that governs how protected health information is handled. Protected health information, usually shortened to PHI, is anything that ties a health detail to a person: a name next to an appointment, a phone number next to a diagnosis, a recording of a patient describing symptoms. A Business Associate Agreement, the BAA you will see everywhere below, is the contract a vendor signs that makes them legally responsible for protecting that data when they process it for you. No signed BAA, no compliant deployment. It really is that binary.
Here is the trap. Six of the platforms in our directory mark HIPAA as available, and on a comparison grid they all get the same green tick. That tick hides enormous differences. One vendor builds compliance in from the start and includes it in the flat rate. One gates the BAA behind an Enterprise contract you have to phone for. One sells HIPAA as a paid monthly add-on that costs more than most teams’ entire call budget. One is not even a finished agent, it is a component you compose yourself. Same tick, four different bills and four different amounts of work. The whole point of this page is to be precise about that, because “has HIPAA” is the question that sounds answered and is not.
What actually matters for HIPAA voice agents
Four things decide whether a platform’s HIPAA story is real or just marketing copy.
- Can you actually get a BAA, and on which plan? This is the first filter. A vendor can hold a clean SOC 2 report, be GDPR-ready and proud of its security page, and still refuse to sign a BAA below an Enterprise contract. SOC 2, for the record, is an independent auditor’s report on a company’s security controls; reassuring, but not a BAA, and it does not make a deployment HIPAA-compliant on its own. Ask which plan the BAA lives on before you fall for the demo.
- Where PHI is stored, and for how long. A voice call generates a lot of PHI: the audio recording, the transcript, the logs. The safest compliant setups keep as little of it as possible. Some platforms only meet HIPAA by switching off logging and recording entirely, which is good for privacy but changes how you can debug and audit, so you need to know that going in.
- Who else in the stack needs covering. A voice agent is rarely one supplier. There is the platform, the speech-to-text, the language model, the voice, and the phone line. Every part that touches PHI needs to be covered, either by a BAA you hold with that supplier directly or by a subcontractor BAA the platform holds with it and takes responsibility for in your agreement. A platform that signs one does not magically cover the carrier underneath it, and where you pick and pay the carrier or model yourself, that agreement is yours to chase. The more of the stack a single vendor owns and contracts for, the fewer separate agreements you chase.
- What the compliant tier actually costs. “Has HIPAA” and “has affordable HIPAA” are different sentences. The compliant path can be an included flat rate, a sales call for Enterprise pricing, or a flat add-on with a real monthly number on it. That number, not the headline per-minute rate, is your true cost of being compliant.
No platform here scores top on all four, so the ranking below is about which trade-off suits a healthcare team. A clean included path wins on simplicity and loses a little on component choice. A building block wins on price and control and loses on how much you assemble and certify yourself. Read each entry for where it sits, not just the number next to its name.
How I ranked these
The order below is my editorial read of how usable each HIPAA path is for a healthcare buyer, best first. It is not the raw average from our score columns, because “best for HIPAA” is about the compliance path, not all-round polish. Only platforms whose profile marks HIPAA as available are eligible, which is exactly these six. Where a platform makes a compliance claim, I have attributed it as the vendor’s own statement rather than something we have audited, because almost every certification line on these sites is self-reported until a buyer verifies it.
One disclosure up front, and it is the same one we put on every roundup. Some of these platforms run affiliate programmes we may earn from. The ranking is not for sale, no vendor saw this page before it went live, and if a platform ever pays to appear it will be labelled sponsored and kept out of the ranked positions, so a paid slot can never pose as an earned one. The order you are about to read is the order I would give a clinic operations lead who asked me over coffee, with nothing else weighing on it.
One more honesty note. We have not yet placed our own timed test calls to any of these platforms, so there are no Voxrater latency numbers here, and the 1 to 10 scores on the individual vendor pages are an editorial preview, not a measured result. When the test rig ships we will publish measured scores against the same scenarios, and if they contradict a vendor’s claim, the measured numbers win.
1. Bland: compliance built in, on the flat rate
Bland tops this list because it treats compliance as a foundation rather than a feature you bolt on later. Its own positioning is that the platform was built around the standards from the start, and the posture it advertises is the broadest clean one here: SOC 2 Type 1 and Type 2, HIPAA, GDPR and PCI DSS. Read that as Bland’s stated posture rather than something we have independently audited, and one worth re-confirming on Bland’s own trust page before you rely on it, but it is the most complete included story in the group.
What makes Bland the cleanest HIPAA path is the pricing model. Bland charges one bundled per-minute number that covers the AI, the speech-to-text, the text-to-speech and the phone line together, with nothing billed through from outside suppliers. That matters more for HIPAA than it first looks. When one vendor owns the whole stack, you are chasing one BAA, not five, because there is no separate speech vendor, model vendor or carrier each needing their own agreement. The all-in rate runs from about $0.11 to $0.14 a minute: $0.14 on the entry tier, $0.12 on the $299 a month Build plan and $0.11 at scale on the $499 a month plan, with unlimited concurrency on Enterprise. There is no separate HIPAA add-on line in Bland’s pricing, which is the point. The compliant posture comes with the platform rather than as a paid upgrade.
The trade-off is the flip side of the bundle. You do not pick the AI model or the voice the way you would on a component platform, so you are trusting Bland’s choices. For a regulated phone job at volume, where predictability and a single accountable supplier are worth more than fine-grained control, that is a fair trade and often the right one. Bland steers customers toward opted-in and warm-lead outbound rather than cold calling, so if your healthcare use case is appointment reminders, follow-ups and inbound triage rather than cold outreach, that fits its stance neatly.
Pick Bland if you want one predictable per-minute bill, a single supplier to hold accountable for the whole stack, and a compliant posture that comes included rather than gated or charged extra. Read the full Bland review for the tier detail.
2. Retell: turnkey, but the BAA is Enterprise-only
Retell is the platform I would hand a clinic that wants a working phone agent in days without building it from parts, and it is a close second for exactly that reason. It sits one notch more managed than a developer kit: the speech side is handled for you, you still choose the AI model and see every cost on the bill, and the operational features a contact centre needs are in the box. On compliance, Retell’s own docs state SOC 2 Type 1 and Type 2, GDPR and HIPAA, which on paper is a strong, turnkey-friendly stack.
Here is the catch that drops it below Bland, and it is the one a healthcare buyer must know before they build anything. HIPAA and the BAA that comes with it are on the Enterprise plan only. You cannot self-serve HIPAA on the pay-as-you-go tier, which is the tier most people sign up to and start building on. You have to contact sales, move onto an Enterprise contract, and only then get the agreement signed. So the pleasant $0.13 to $0.31 a minute pay-as-you-go experience is not the compliant one. The compliant path is a sales conversation and an Enterprise commitment, and the real price of HIPAA on Retell is whatever that contract lands at, which is not published.
That is not a dealbreaker, it is a planning point. If you are already at the scale where an Enterprise contract makes sense, Retell gives you a genuinely turnkey compliant agent with a model you control and an itemised bill. If you are a small clinic hoping to prototype on the cheap plan and flip a HIPAA switch later, you will hit the gate the moment real patient data is involved. Build the Enterprise conversation into your timeline from the start rather than discovering the wall after you have wired everything up.
Pick Retell if you want a turnkey contact-centre agent, you are at Enterprise scale anyway, and you would rather a managed voice layer than assembling parts. Just confirm the BAA and the Enterprise pricing before you build. The Retell review has the component-rate breakdown.
3. Vapi: strong platform, but HIPAA is a $2,000 add-on
Vapi is the most capable platform in this group for a team that wants to choose every part, and its compliance paperwork at the platform layer is real: its Trust Center lists SOC 2 Type II, GDPR and PCI DSS v4.0.1. HIPAA is available too. The reason it sits at number three for a healthcare buyer is the shape and the cost of that HIPAA path.
On Vapi, HIPAA is a paid add-on of about $2,000 a month. That is a flat, published number, more honest than a sales-call mystery, but a serious line on the budget that for many small clinics dwarfs their actual call spend. There is a second thing to weigh that is easy to miss. Switching HIPAA on means Vapi keeps no logs, no recordings and no transcripts. For privacy that is excellent, the least PHI retained is the safest place to be, but it changes how you operate. If your plan relied on reviewing call recordings for quality, training or dispute resolution, that capability goes away under the compliant configuration, so design your auditing around the constraint. Vapi also sells a separate Zero Data Retention option, billed as keeping nothing at all, for a further $1,000 a month on top; exactly what it removes beyond the HIPAA configuration is something to pin down with Vapi before you pay for both.
There is also a structural point that applies to Vapi more than to the bundled platforms above. Vapi is only the layer that runs the call. The speech-to-text, the model, the voice and the phone line all come from suppliers you choose, so end-to-end HIPAA coverage leans on each holding its own compliant configuration and, where it touches PHI, its own BAA. Vapi documents a list of compliant provider options to use under HIPAA, which is the right way to handle it, but it does mean certifying the whole stack is partly your job.
Pick Vapi if you have a developer, you want component-level control, and the roughly $2,000 a month HIPAA add-on plus the no-logging trade are acceptable for that flexibility. The Vapi review covers the pass-through pricing model.
4. Synthflow: no-code, with a strong paper posture
Synthflow is the no-code pick for a healthcare team without engineers. You build the agent by dragging blocks around rather than writing code, which is why agencies and non-technical clinics like it, and its compliance posture on paper is one of the broadest here. Its changelog announces SOC 2 and HIPAA, and the wider posture it advertises is GDPR, PCI DSS Level 1 and ISO 27001 too. That is the full list a regulated buyer scans for.
Two honest caveats keep it mid-table rather than higher. First, on the compliance detail: our record marks Synthflow’s SOC 2 Type 2 but does not mark SOC 2 Type 1. The two audits are different. Type 1 checks that controls are designed correctly at a point in time, Type 2 checks they actually operated over a period, so Type 2 is the more demanding of the pair and in substance covers what a Type 1 would tell you. Still, if a Type 1 report matters to your procurement checklist, confirm it directly with Synthflow rather than assuming the full set is in place. The usable HIPAA path itself looks self-serve rather than gated to Enterprise, which is a genuine plus over Retell and ElevenLabs for a smaller team, but get the BAA in writing before you trust that.
Second, and this belongs on any Synthflow page because it sits in the vendor’s own profile, there is a documented affiliate-payment dispute. A public Trustpilot report describes an affiliate’s $10,840.55 commission marked approved and scheduled, then removed from the dashboard without a clear explanation, with the case escalated to German arbitration. We have not independently verified the outcome, and this is an affiliate-programme matter rather than a product or compliance fault, so it does not bear on whether Synthflow can run a compliant clinic agent. We flag it because Voxrater earns affiliate commissions and we will not quietly drop an inconvenient fact, and because if you plan to resell Synthflow as an agency you should go in with eyes open.
Pick Synthflow if you want a compliant agent live without code, you value speed over fine-grained cost control, and you confirm the BAA and the SOC 2 scope directly. The Synthflow review has the full pricing and the dispute detail.
5. Deepgram: the strongest stack, but it is a building block
Deepgram has, on paper, the most reassuring compliance stack of anyone here. Its trust page states SOC 2 Type 1 and Type 2, a HIPAA Business Associate Agreement on request, plus GDPR and PCI. That is more than several flashier competitors can show in writing, and the BAA is available on request rather than buried behind an Enterprise gate or a four-figure add-on. On the narrow question of “can I get a clean BAA without jumping through hoops”, Deepgram arguably has the best answer in the group.
So why fifth? Because Deepgram is not a turnkey agent, it is a component you compose into one, and I am not going to pretend otherwise to flatter its compliance story. Its Voice Agent API bundles speech-to-text, the language model and its Aura-2 voice into one runtime at about $0.075 a minute, among the lowest rates of any serious platform, but it brings no phone line. You wire up Twilio yourself, at about $0.014 a minute on top, and Twilio is then a separate supplier that touches PHI and needs its own BAA. There is no built-in warm transfer, no batch calling and no drag-and-drop builder. For a developer building a custom healthcare agent, that is a feature, not a flaw: a cheap, certified, unified runtime you control completely. For a clinic that wanted to plug in and go, it is real engineering work, and the compliance paperwork does not change how much building is left to do.
The honest framing is this. Deepgram’s compliance is the strongest here, but compliance is necessary, not sufficient. A perfect BAA on a component you still have to assemble, certify end to end and bolt a carrier onto is worth less to a non-technical buyer than a slightly more gated path on a platform that hands them a working agent. If you have the engineering depth, Deepgram’s mix of price and paperwork is hard to beat. If you do not, it ranks below the turnkey options for a reason I would rather state plainly than hide.
Pick Deepgram if you are building your own healthcare agent, you want a cheap certified runtime with a BAA on request, and you have the developers to assemble and certify the rest of the stack. The Deepgram review covers the bring-your-own options.
6. ElevenLabs: best voice, but HIPAA is Enterprise-gated
ElevenLabs is the voice-quality leader of the whole directory, and it is not close. The library runs past 10,000 voices in 70-plus languages, the cloning is the best in the business, and on a blind listen most people cannot tell it from a human. So why last on a HIPAA list? Because for a healthcare buyer the deciding factor is not the voice, it is the gate in front of the compliance.
On ElevenLabs, HIPAA, SOC 2 and GDPR all sit on the Enterprise plan. The self-serve tiers, from the $11 a month Creator plan up through Pro, Scale and Business, do not carry those guarantees. The compliant configuration does come with real substance once you are on Enterprise: EU data residency and a zero-retention mode, exactly what a privacy-conscious or EU-based healthcare operation wants. But you reach it only through an Enterprise contract, so the low-cost subscription tiers are not the compliant ones, and the true cost of HIPAA here is whatever that Enterprise deal lands at, which is not published.
This puts ElevenLabs in a similar spot to Retell, gated to Enterprise, but a notch lower for a pure healthcare-agent shortlist because Retell is built as a turnkey calling platform while ElevenLabs leans more toward narration, voiceover and video, with the live-agent product a strong but secondary use. If your healthcare project is as much about narrated patient-education content as live calls, ElevenLabs climbs your list fast. If it is purely a compliant phone agent you want, the Enterprise gate and the narration-first centre of gravity put it at the back of this queue, with no slight to the voice.
Pick ElevenLabs if voice quality is your deciding factor, you need EU data residency or zero-retention, and an Enterprise contract is on the table. The ElevenLabs review has the agent-versus-narration pricing split.
The compliance reality check
Here is the part buyers skip until it bites, and it deserves saying plainly. A platform’s HIPAA tick does not make your deployment compliant. It makes the platform willing to be part of a compliant deployment, which is not the same thing.
Two reasons. First, the stack. A voice agent’s compliance posture is only as strong as every supplier that touches PHI, which often includes telephony and storage providers sitting underneath the platform you signed with. Deepgram needs Twilio bolted on, and Twilio touches the call. Vapi passes the speech, model and voice through to providers you choose, each of which handles PHI. A BAA with the headline vendor covers the suppliers underneath it only where that vendor holds subcontractor BAAs with them and takes responsibility for them in your agreement; a carrier or model you bring yourself is your contract to sign. So map every part that sees patient data and confirm, in writing, how each one is covered.
Second, a BAA is not the same as being secure. The agreement is a legal allocation of responsibility, not a guarantee that your specific configuration is safe. You can hold a valid BAA and still leak PHI because you left recording on when the compliant setting was to turn it off, or because a staff member exported a transcript somewhere uncovered. The vendor gives you a compliant building block. Configuring it correctly, switching on the retention and logging settings the BAA assumes, and training the humans around it, is your job and stays your job. The tool cannot do that part for you.
Who I left off, and why
Four other platforms in our directory cover voice work but do not earn a place on a HIPAA list, and the honest reasons matter.
- Cartesia is the speed specialist, fast and cheap for live calls and narration, but its profile marks HIPAA, SOC 2 and GDPR all as not present. No BAA, no compliant path, so it cannot carry PHI today. Excellent engine, wrong list.
- Hume is the interesting edge case, and it shows why “has HIPAA” needs care. Hume states it is HIPAA compliant and will sign a BAA on request, which is real and would normally qualify it. But its SOC 2 Type II and GDPR appear only as Enterprise features with no certificate we can point to, so our record leaves those two unticked pending verification. That partial, unverified posture is not yet solid enough to recommend over the six above, so it sits out until we can confirm the rest of the paperwork.
- Murf is a narration studio, built for voiceover rather than live calls, and its profile marks HIPAA, SOC 2 and GDPR all as not present. No compliant path, and not a live-agent tool anyway.
- Telnyx is the closest miss. It owns its phone network, carries SOC 2 Type 1 and Type 2 and GDPR, and is a genuinely capable carrier-grade agent platform. But at the time of writing its profile does not mark HIPAA, and on a list that exists specifically to separate real compliant paths from near-misses, a strong SOC 2 posture without a marked HIPAA path keeps it off. If you are calling on behalf of a healthcare client, that is exactly the gap to check before you build on it.
I have also kept our own site off this list, and I always will. A directory that ranks itself into its own “best” roundups has told you everything you need to know about trusting it. The only names here are platforms a clinic could actually buy.
Before you commit, test this
Do not sign an annual healthcare deal off a polished demo and a green compliance tick. Spend an afternoon confirming the four things that actually decide whether your deployment is compliant.
- Get the BAA in writing, signed, before any real PHI flows. Not “we are HIPAA compliant” on a marketing page. The actual signed agreement. If a vendor is vague about producing one, that is your answer.
- Confirm exactly which plan the BAA needs. On Retell and ElevenLabs it is Enterprise. On Vapi it is a paid add-on. On Bland it comes with the platform. Pin down the plan and the real price of the compliant tier.
- Check the retention and logging settings. Find out what is recorded and stored by default, what the compliant configuration changes, and whether turning HIPAA on disables recordings and transcripts the way Vapi’s does. Decide whether you can operate, audit and train under those constraints.
- Ask where the recordings and PHI live, and who else touches them. Map every supplier in the stack: platform, speech, model, voice and carrier. Confirm each one that sees patient data is covered, either by its own BAA with you or by a subcontractor BAA the platform holds and names in yours. Deepgram plus Twilio is two agreements, not one.
That afternoon will tell you more than any roundup, this one included. When our test rig ships we will publish measured results, and if they contradict what a vendor told you, the measured numbers win.
Bottom line
There is no single winner, because “best for HIPAA” depends on how much of the stack you want handled and how you want the compliance billed.
- A clean included path with one accountable supplier and a flat rate: Bland.
- A turnkey contact-centre agent, if you are at Enterprise scale already: Retell, BAA gated to Enterprise.
- Component-level control with a published, if pricey, compliant add-on: Vapi, about $2,000 a month plus no call logging.
- A no-code compliant agent without engineers: Synthflow, with the SOC 2 scope and the affiliate dispute checked.
- The strongest paperwork for a team that will build the agent themselves: Deepgram, a component, not a turnkey tool.
- Best-in-class voice where Enterprise and EU data residency are on the table: ElevenLabs, HIPAA gated to Enterprise.
If you are still torn, let the shape of your team break the tie. A clinic without engineers almost always wants Bland or Synthflow, because the scarce resource is hands, not budget. A healthcare operation with a developer leans Vapi or Deepgram, where the control and the lower floor pay back. None of these is a wrong answer. They are answers to different versions of the same question.
Start with the Bland and Retell reviews if you want a turnkey compliant agent, read the Vapi and Deepgram profiles if you have engineering to spare, and put your real call volume through the cost calculator before you commit, because the compliant tier, not the headline rate, is the number that lands on the invoice.