Why this matters more than vendor pitches suggest

If you operate a medical aesthetic practice in California, you're a covered entity under HIPAA. That means when you let a third party handle patient calls — voice AI included — that third party becomes a business associate. Under HIPAA, business associates must have a signed Business Associate Agreement (BAA) with your practice. No BAA, no compliant data handling. Period.

Many voice AI vendors operating in the med spa space don't sign BAAs by default. They might say they're "HIPAA-friendly" or "secure" or "encrypted" — but those aren't the same thing as having a signed BAA. And if regulators ever come asking, the exposure lands on you as the covered entity, not on them.

So before signing with any AI voice vendor — whether it's Lani, ServiceAgent, an agency reselling Vapi, or anyone else — these are the five questions to ask. Get the answers in writing.

Quick note: This article is educational, not legal advice. For your specific situation, work with a California healthcare attorney. We're happy to provide referrals to attorneys who specialize in AI vendor due diligence for medical practices.

Question 1: Will you sign a BAA with our practice?

This is the gating question. If the vendor doesn't sign BAAs, they cannot legally handle patient health information for your practice. Full stop.

Many vendors will dodge this question. Common responses to watch for:

What good looks like: "Yes, we sign a BAA with every client as part of standard onboarding. Here's a sample BAA to send to your attorney before we proceed."

Question 2: Who are your sub-processors, and do they each have BAAs in place?

Voice AI runs on a stack. Typically: a voice engine (Retell, Vapi, Bland), a backend (Xano, Supabase, custom), a telephony layer (Twilio, Telnyx), and AI models (OpenAI, Anthropic). Each of these is a sub-processor that may touch your patient data.

For your practice to be compliant, every sub-processor in the chain must have a BAA with the vendor. If even one link in the chain is missing, the chain is broken — and your data is exposed.

Many vendors don't disclose their sub-processors. Some don't even know which sub-processors are in their stack because they used a no-code builder or white-label platform.

What good looks like: "Here's our current sub-processor list. Each one has a signed BAA with us. Here's the documentation."

Question 3: Where is patient data stored, and what's the retention policy?

You need to know:

HIPAA requires "data minimization" — meaning vendors should retain only what they need, for as long as they need it. A vendor who can't answer these questions specifically has a data governance gap.

What good looks like: "Data is hosted on [specific cloud provider] in US regions. Retention is [X days/months]. On contract termination, all client data is returned or destroyed within 30 days, with documentation provided."

Question 4: What's your breach notification process and timeline?

HIPAA requires breach notification — your patients must be notified and, depending on the scope of the breach, regulators and the media as well. Your vendor's role in that process matters.

Industry standard is 24-72 hours from breach discovery for the vendor to notify you. Anything longer than 72 hours is a yellow flag. Anything vague ("we'll notify you in a timely manner") is a red flag.

You also want to know: what's their incident response procedure? Have they ever had a breach, and how was it handled? Who is the point of contact for breach communication?

What good looks like: "Breach notification within 24 hours of confirmed discovery. Here's our incident response SOP. Here's the point of contact. Here are documented test exercises showing the process works."

Question 5: How does the AI handle clinical questions?

This question is specific to California's 2026 rules, but it applies anywhere with state-level medical practice regulations. Your AI front desk should never:

If the AI does any of these, your practice has regulatory exposure under California's January 2026 Medical Board updates. The AI is administrative. Clinical work belongs to your licensed provider.

Ask the vendor: "Show me how your agent handles a caller who says 'what would you recommend for my forehead wrinkles?' What's the documented behavior?"

What good looks like: "The agent has explicit guardrails preventing clinical recommendations. Clinical questions are redirected to consultation booking with your provider. Here's the documented behavior, tested in production."

What to do with the answers

After you've asked these five questions, you'll have three buckets of vendors:

Vendors who answer all five clearly, in writing. These are the ones operating with compliance posture as a foundation. Even if they're more expensive than the alternatives, they reduce your regulatory exposure significantly.

Vendors who answer some but dodge others. Treat with caution. The dodges usually indicate gaps in their compliance posture. You may be able to negotiate stronger contractual protections, but you're starting from a weaker position.

Vendors who can't or won't answer. These are not vendors for a regulated practice. Whatever they're charging, the regulatory risk you would be absorbing outweighs any savings.

One honest disclosure

We wrote this article. We have an obvious interest in you asking these questions — because we built Claustro AI specifically to answer all five with concrete documentation. If you ask us these questions, we'll send you our sub-processor list, our BAA template, our breach notification SOP, and detailed documentation of our clinical guardrails.

But the questions stand on their own. If you ask them of every vendor you evaluate — including us — you'll get the kind of clarity your practice deserves before letting any third party touch your patient communications.

Want to see how we answer these questions?

Book a 30-minute call. We'll walk through our compliance posture, send our documentation, and tell you honestly whether we're the right fit for your practice. If we're not, we'll point you to a vendor who is.

Call (951) 418-2579