Under HIPAA, protected health information (PHI) includes any individually identifiable health information transmitted or maintained in any form, electronic, paper, or oral, that relates to a patient's health condition, treatment, or payment for care. HHS guidance on this provision confirms that oral communications are covered specifically so that information doesn't lose its protected status simply because it was spoken rather than written down. The point of covering oral information is that health information keeps its protections when it is discussed or read aloud; it is not that health information may be freely disclosed as long as the disclosure is spoken. A voicemail describing symptoms, requesting a prescription refill, or referencing a diagnosis is PHI the moment it is recorded, whether or not it is ever transcribed.
Read also: Can healthcare providers leave HIPAA compliant voicemails?
From transient to searchable
Before auto-transcription became common, voicemails were usually treated as transient. Staff would listen, write the relevant details into the medical record or a call log, and the voicemail itself might be deleted after a retention window. The audio was rarely indexed, rarely searchable, and rarely thought of as a standalone document.
This treatment of recordings as transient isn't accidental. HHS guidance addresses the point, noting that covered entities are not required to tape or digitally record oral communications, and are not required to retain recordings or transcriptions once a conversation has passed. In other words, HIPAA has always treated oral communications as transient unless an organization chooses to make them otherwise.
A transcribed voicemail becomes text, which means it can be indexed, searched, copied, forwarded, and stored with far less friction than an audio file. It can end up in an email inbox, a cloud storage folder, a CRM tool, or on a voicemail-to-text vendor's own servers. Transcription does not create new PHI; it multiplies the number of places the same sensitive information is stored, and every one of those places has to be covered by the organization's safeguards.
This isn't only a HIPAA concern; it has come up in evidence law too. In The Evidentiary Value of Automatically Transcribed Voicemail Messages, George Cornell distinguishes between the parts of a transcript a machine generates on its own, such as a timestamp or caller ID, and the parts that are simply a human's spoken words converted into text. The latter, he argues, remain a human statement, and courts have generally agreed that converting an oral message into text changes its form, not its nature. Cornell also observes that, "With a machine, however, there is no possibility of a conscious misrepresentation." A transcription engine can mishear, garble, or drop words, but it cannot deceive intentionally the way a human transcriber can, which is part of why courts have been willing to treat machine transcripts like other electronically stored communications despite their imperfections. The same logic applies in healthcare: an auto-transcribed voicemail can be inaccurate, but the risk isn't fabrication, it's an error nobody reviewed.
Does it become part of the designated record set?
HIPAA distinguishes between PHI in general and PHI that falls within a "designated record set," the formal collection of records a covered entity uses to make decisions about a patient, such as medical and billing records. The term is defined at 45 CFR § 164.501, and it sets the scope of the patient's right of access under 45 CFR § 164.524. Whether a transcribed voicemail belongs in that record set depends on context.
HHS guidance clarifies that "record" within "designated record set" does not include purely oral information; it refers to information that has been recorded in some manner. But the guidance goes further: if a covered entity does maintain a recording or transcription, and that record is actually used to make decisions about the individual, it can fall within the designated record set.
Applied to voicemail transcripts, the question is whether the transcript is actually informing care or administrative decisions about the patient. If it captures clinically relevant information, say, a description of symptoms, a request related to treatment, or details that influence a care decision, there is a strong argument that it should be reviewed, incorporated into the patient's chart, and retained under the organization's medical record retention schedule.
Even a non-clinical voicemail, however, containing nothing more than a patient's name, phone number, and reason for calling meets the definition of PHI under 45 CFR § 160.103 and must be protected, even though it doesn't belong in the official chart. So organizations need a policy on which transcribed voicemails go into the formal record and which are retained as communications; both categories are protected either way.
The ‘permanent record’
Some transcription systems were not built with healthcare retention and disposal requirements in mind. They might retain transcripts longer than an organization's policies call for, or they might not provide a straightforward way to delete a specific transcript when requested.
This creates two opposing risks. If transcripts are kept indefinitely in a system without proper governance, the organization may be retaining PHI beyond what is necessary or appropriate. If, on the other hand, a transcript documents clinically relevant information and an auto-purge policy deletes it quickly, part of a legitimate medical record may have been destroyed.
HIPAA itself doesn't set a universal medical record retention period. 45 CFR § 164.316(b)(2) (and its Privacy Rule counterpart, § 164.530(j)) requires HIPAA compliance documentation (policies, risk assessments, BAAs, and similar records) to be retained for six years, but retention timelines for the patient records themselves are governed by state law, which vary and can be considerably longer. Organizations need to apply the state requirement alongside HIPAA's baseline rather than relying on HIPAA alone.
What a good approach can look like
Firstly, any vendor providing voicemail transcription for a healthcare organization needs to operate under a signed business associate agreement. A transcription service that creates, receives, maintains, or transmits PHI on the organization's behalf is a business associate under HIPAA, and that agreement should be in place before the service handles a single live voicemail.
Secondly, organizations should decide, in writing, which categories of transcribed voicemails get incorporated into the official medical record and which are retained separately as operational communications, along with a defined retention and deletion policy for each category.
Thirdly, access controls matter as much for transcripts as for the original audio or the EHR. A searchable, easily forwarded text transcript is easier to mishandle than an audio file, so the same minimum necessary principles that govern the chart should govern who can read, search, and forward transcripts.
Lastly, staff training needs to cover transcripts explicitly. Employees may not think of a voicemail transcript as a "real" document, which means it can be forwarded, screenshotted, or left in an unsecured inbox without anyone recognizing the compliance exposure.
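The second step above, and the two opposing retention risks described under "The 'permanent record'", can be made concrete as a purge gate that sits between the transcription store and any auto-delete job. The following is an added illustration written for this page, not code from any transcription vendor or from HHS. It assumes a hypothetical record per voicemail carrying a staff-assigned category, a flag recording that the content was incorporated into the chart, and a legal-hold flag; the retention periods and sample transcripts are invented, and the state retention value stands in for whatever the applicable state statute actually requires.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class Category(Enum):
    CLINICAL = "clinical"              # symptoms, treatment requests: belongs in the chart
    ADMINISTRATIVE = "administrative"  # scheduling, billing: PHI, but not chart material
    NON_PHI = "non_phi"                # vendor calls, wrong numbers


# Six-year baseline for HIPAA compliance documentation (45 CFR 164.316(b)(2), 164.530(j)).
# Used here only as a floor; patient record retention itself is governed by state law.
HIPAA_DOC_BASELINE_DAYS = 6 * 365


@dataclass(frozen=True)
class RetentionSchedule:
    """Retention periods in days. The values used in the sample below are invented."""
    state_medical_record_days: int   # from the applicable state medical records statute
    operational_comms_days: int      # organization policy for non-chart PHI communications
    non_phi_days: int                # organization policy for everything else

    def required_days(self, cat: Category) -> int:
        if cat is Category.CLINICAL:
            # Chart material: the longer of state law and the federal baseline.
            return max(self.state_medical_record_days, HIPAA_DOC_BASELINE_DAYS)
        if cat is Category.ADMINISTRATIVE:
            return self.operational_comms_days
        return self.non_phi_days


@dataclass
class Transcript:
    id: str
    received: date
    category: Optional[Category]            # None until a staff member has reviewed it
    incorporated_into_record: bool = False  # set when the content was added to the chart
    legal_hold: bool = False                # litigation hold or pending access request


def purge_decision(t: Transcript, schedule: RetentionSchedule, today: date) -> tuple:
    """Return (may_purge, reason). Refuses whenever purging could destroy record material."""
    if t.legal_hold:
        return False, "legal hold"
    if t.category is None:
        # An unreviewed transcript might describe symptoms or a treatment request;
        # auto-purging it is exactly the failure mode the retention policy must avoid.
        return False, "not yet reviewed"
    # Anything incorporated into the chart follows the chart's schedule regardless of
    # how the voicemail was first categorised.
    effective = Category.CLINICAL if t.incorporated_into_record else t.category
    age = (today - t.received).days
    required = schedule.required_days(effective)
    if age < required:
        return False, f"{effective.value}: {age}d of {required}d retained"
    return True, f"{effective.value}: retention of {required}d satisfied"


def purge_cycle(transcripts, schedule: RetentionSchedule, today: date) -> list:
    """IDs that are safe to delete in this run; everything else is kept."""
    return [t.id for t in transcripts if purge_decision(t, schedule, today)[0]]


# Constructed sample data, not real voicemails or real statutory periods.
SAMPLE_SCHEDULE = RetentionSchedule(state_medical_record_days=10 * 365,
                                    operational_comms_days=90, non_phi_days=30)
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_TRANSCRIPTS = [
    Transcript("vm-1", date(2024, 1, 1), Category.CLINICAL, incorporated_into_record=True),
    Transcript("vm-2", date(2024, 1, 1), Category.ADMINISTRATIVE),
    Transcript("vm-3", date(2024, 5, 20), Category.ADMINISTRATIVE),
    Transcript("vm-4", date(2023, 1, 1), None),  # sat unreviewed for over a year
    Transcript("vm-5", date(2024, 1, 1), Category.NON_PHI, legal_hold=True),
    Transcript("vm-6", date(2024, 1, 1), Category.ADMINISTRATIVE, incorporated_into_record=True),
]

if __name__ == "__main__":
    for t in SAMPLE_TRANSCRIPTS:
        ok, why = purge_decision(t, SAMPLE_SCHEDULE, SAMPLE_TODAY)
        print(f"{t.id}: {'PURGE' if ok else 'KEEP '} ({why})")
```

Of the six sample transcripts only vm-2 is eligible for deletion: it is an administrative message past the 90-day operational window that was never pulled into the chart. The unreviewed vm-4 is the case the article warns about, and the gate keeps it precisely because nobody has yet decided whether it is clinical; an aging-based purge job that ignores review state would have deleted it first.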
Read also: How voicemail-to-email transcription can create privacy exposure
FAQs
Does HIPAA apply to text messages and emails, not just voicemail?
Yes, HIPAA's protections extend to any form of PHI, including text messages and emails, not just oral or recorded communications.
What happens if an organization violates HIPAA's retention or disclosure rules?
Violations can result in civil penalties from HHS's Office for Civil Rights, and in some cases criminal penalties or state-level enforcement.
How does HIPAA relate to state privacy laws?
HIPAA sets a federal protection, and state laws can impose additional or stricter requirements that organizations must also follow.
