Skip to main content
Article

Is CallRail HIPAA Compliant? Call Tracking Rules for Medical Practices

Is CallRail HIPAA compliant? Conditionally, yes. CallRail offers a Healthcare plan that includes a signed Business Associate Agreement (BAA) and specific safeguards for call recordings and form submissions. However, the standard CallRail plans without a BAA are not HIPAA compliant, and even the Healthcare plan requires careful configuration to avoid exposing protected health information (PHI) through call recordings, transcriptions, keyword-level attribution, and integrations with ad platforms. As of July 2026, the single most important condition is this: you must be on CallRail's Healthcare plan with a signed BAA and disable or restrict features that store or transmit PHI to non-covered third parties.

TL;DR

  • CallRail offers a Healthcare plan with a signed BAA; standard plans are not HIPAA compliant and must not be used by medical practices.
  • Call recordings and AI-generated transcriptions contain PHI by default and require access controls, encryption, and retention policies to remain compliant.
  • Keyword-level call attribution that passes caller identity or health condition data to Google Ads or Meta without de-identification violates the HIPAA Privacy Rule.
  • A CallRail BAA covers CallRail's handling of PHI but does not cover downstream platforms (Google, Meta, CRMs) that receive data through CallRail integrations.
  • HHS OCR's December 2022 guidance on online tracking technologies applies directly to call tracking pixels and dynamic number insertion scripts on healthcare websites.
  • Practices must audit every integration, disable non-essential data sharing, and confirm the BAA scope before going live.

What CallRail Does With Visitor and Patient Data

CallRail is a call tracking, form tracking, and conversation analytics platform. It assigns dynamic phone numbers to website visitors or marketing channels, records and transcribes calls, scores leads using AI, and attributes conversions back to paid media sources. For medical practices, each of these features touches data that qualifies as PHI under HIPAA when it can be linked to an individual.

Data CallRail collects that may constitute PHI

  • Caller phone number (a direct identifier under HIPAA's 18 identifiers)
  • Call recordings and AI transcriptions (often contain health conditions, appointment details, insurance information)
  • Form submissions with patient names, email addresses, and reason-for-visit fields
  • IP addresses and device fingerprints captured by the dynamic number insertion JavaScript
  • Keyword and landing page data tied to a specific caller session (which can reveal health intent, such as "opioid treatment near me")

Any of these data points, when linked to a specific individual, creates a PHI record that falls under the HIPAA Privacy Rule and Security Rule.

CallRail BAA: Availability and Scope

CallRail provides a BAA exclusively on its Healthcare plan tier. The BAA is not available on the Essentials, Standard, or other lower-tier plans. Practices that sign up for a non-Healthcare plan and use CallRail for patient-facing tracking are operating without a BAA, which is a direct HIPAA violation regardless of how carefully the tool is configured.

Key terms to confirm with CallRail

  • The BAA covers data CallRail stores and processes on its servers, including recordings, transcriptions, and form data.
  • The BAA does not extend to third-party integrations you configure (e.g., pushing call data to a Google Ads account, HubSpot CRM, or Slack channel).
  • CallRail's Healthcare plan includes features like automatic transcription redaction and configurable data retention windows; confirm current feature availability with the vendor as plan details change.
  • The BAA may require you to enable specific security settings (role-based access, two-factor authentication) as a condition of coverage.

A signed BAA is a necessary but not sufficient condition for HIPAA compliance. The BAA shifts some liability to CallRail for data it handles, but your practice remains responsible for how data flows out of CallRail into other systems.

HHS OCR Guidance and Why It Applies to Call Tracking

The HHS Office for Civil Rights published guidance in December 2022 (updated June 2024) on the use of online tracking technologies by HIPAA-covered entities. The guidance states that any tracking technology on a covered entity's website or app that collects and transmits individually identifiable health information to a third party is subject to HIPAA, including the requirement for a BAA with that third party.

CallRail's dynamic number insertion (DNI) script runs on your website, collects visitor-level data, and sends it to CallRail's servers. If CallRail has signed a BAA with you, this transmission is permissible under the Privacy Rule's business associate provisions. The problem arises when CallRail then forwards that data, or data derived from it, to platforms like Google Ads or Meta that will not sign a BAA with your practice.

This is the same risk pattern described in Google Ads Call Tracking for Medical Practices: HIPAA-Compliant Phone Attribution. Google's call forwarding numbers and conversion import features do not operate under a BAA, so sending caller-level PHI to Google for optimization purposes violates HIPAA unless the data is fully de-identified or aggregated before transmission.

Configurations That Are Safe vs. Unsafe for Healthcare

Generally safe configurations (with Healthcare plan and BAA)

  • Using CallRail for internal call routing and lead management without exporting caller-level data to non-BAA platforms
  • Enabling automatic PHI redaction in transcriptions (CallRail's Healthcare plan offers this; confirm current feature set)
  • Restricting access to call recordings to authorized workforce members with role-based permissions
  • Setting data retention periods that align with your organization's minimum necessary retention policies
  • Using aggregate (non-identifiable) reporting for channel attribution without passing individual caller details downstream

Unsafe or high-risk configurations

  • Pushing caller phone numbers and recording URLs to Google Ads, Meta, or Microsoft Ads conversion APIs without de-identification
  • Storing call recordings indefinitely with no access controls or audit logging
  • Using CallRail integrations to send call data to CRMs (HubSpot, Salesforce) that do not have their own BAA with your practice
  • Enabling keyword-level attribution that ties a specific health-related search query to an identifiable patient
  • Embedding CallRail tracking scripts on patient portal pages or authenticated appointment-scheduling flows

Practices using Meta advertising should also review how conversion data is handled; the risks are similar to those described in Leveraging Meta's Conversion API for HIPAA-Compliant Data Tracking for Psychology Practices.

State Laws and Additional Regulatory Exposure

HIPAA is not the only law that applies. Washington State's My Health My Data Act (MHMDA), effective March 2024, extends health data protections to entities that may not be HIPAA-covered and requires explicit consumer consent before collecting or sharing health data. The FTC Health Breach Notification Rule applies to health apps and services not covered by HIPAA, and the FTC has signaled aggressive enforcement (as seen in the BetterHelp, GoodRx, and Cerebral settlements). Even if your CallRail configuration passes HIPAA muster, transmitting identifiable health-related call data to advertising platforms without consent could trigger state law violations or FTC enforcement.

Safe-Use Checklist for Medical Practices Using CallRail

Before you go live

  • Confirm you are on CallRail's Healthcare plan and have a fully executed BAA on file.
  • Enable two-factor authentication for all users with access to call recordings or transcriptions.
  • Configure role-based access so only authorized staff can view or export PHI.
  • Enable automatic transcription redaction if available on your plan.
  • Set a data retention policy (e.g., 90 or 180 days) and enable automatic deletion after that window.
  • Audit every active integration; disable any that send caller-level data to platforms without a BAA.

Ongoing compliance

  • Review CallRail's subprocessor list quarterly to confirm no new data sharing that could expose PHI.
  • Document your CallRail configuration in your HIPAA risk assessment.
  • Train staff not to include PHI in call tags, notes, or custom fields that sync to non-covered systems.
  • Monitor for new integrations or features added by CallRail that may change the data flow.
  • If you use CallRail with a website builder, confirm that the site itself does not introduce tracking risks; see Is Webflow HIPAA Compliant? Website Builder Tracking Risks for Medical Practice Sites for related guidance.

How Call Tracking Architecture Affects Compliance

The underlying architecture of a call tracking system determines whether PHI can be isolated from advertising data. In a typical setup, the DNI script runs client-side, captures visitor session data, and associates it with a phone number. When the call occurs, the platform matches the session to the caller and (if configured) sends a conversion event to the ad platform with the caller's number or a click ID attached.

A HIPAA-compliant architecture separates these concerns: the conversion signal sent to the ad platform contains only a de-identified event (e.g., "a call lasting over 60 seconds occurred from this campaign") without transmitting the caller's phone number, name, or session-level health data. For a deeper look at this architectural approach, see Healthcare Call Tracking: HIPAA-Compliant Phone Attribution Architecture for Marketing Teams.

CallRail's Healthcare plan provides some of the tools needed to achieve this separation, but the burden of configuration falls on the practice or its agency. Misconfiguration, particularly enabling Google Ads or Meta integrations in their default state, can silently transmit PHI to non-covered third parties.

Email and Multi-Channel Attribution Risks

Many practices use CallRail alongside email marketing platforms. If call tracking data flows into an email tool (for example, triggering a follow-up email sequence based on a recorded call topic), that email platform must also have a BAA. Most mainstream email platforms, including Mailchimp, do not offer BAAs on standard plans. For more detail, see Is Mailchimp HIPAA Compliant: Email Marketing Risks for Medical Practices.

Compliant Alternatives and Complementary Tools

CallRail on its Healthcare plan is a legitimate option for HIPAA-compliant call tracking when configured correctly. Other platforms in the healthcare call tracking space include Phonexa (which offers a healthcare vertical) and specialized healthcare marketing analytics tools. Each has different BAA terms, feature sets, and architectural approaches; evaluate based on your specific integration needs and risk tolerance.

For practices that need HIPAA-compliant tracking and analytics beyond call tracking, including website analytics, form tracking, session replay, and server-side conversion delivery to Google, Meta, and Microsoft, Curve provides a purpose-built platform with a signed BAA, PHI-safe data handling, and conversion delivery architecture designed specifically for healthcare marketers. Curve strips PHI before sending conversion signals to ad platforms, so your marketing team gets accurate attribution without creating compliance exposure.

Frequently Asked Questions

Does CallRail sign a BAA for medical practices?

Yes, but only on the Healthcare plan. Standard, Essentials, and other non-healthcare tiers do not include a BAA. You must specifically request and execute the BAA as part of your Healthcare plan enrollment. Confirm current plan availability and BAA terms directly with CallRail, as pricing and features may change.

Can I use CallRail call recordings if I have a BAA?

You can store and access call recordings under a BAA, but you must restrict access to authorized workforce members, enable encryption at rest and in transit, set appropriate retention limits, and never share recordings with parties who are not covered by the BAA. Recordings almost always contain PHI because patients discuss symptoms, medications, and insurance details on calls.

Is it safe to send CallRail conversion data to Google Ads?

Not in its default configuration. Sending caller phone numbers or identifiable session data to Google Ads for conversion optimization transmits PHI to a platform that does not sign a BAA with healthcare providers. You must either de-identify the data before transmission or use an intermediary architecture that strips PHI and sends only aggregate or pseudonymized conversion signals.

What happens if I use CallRail without the Healthcare plan for my medical practice?

You are operating without a BAA, which means any PHI that CallRail processes on your behalf constitutes a HIPAA violation. This is true even if no breach occurs. HHS OCR can impose civil monetary penalties of up to $2,067,813 per violation category per year (as adjusted for inflation). You also face state attorney general enforcement and potential FTC action if consumer health data is shared with advertising platforms without consent.

Does CallRail's automatic transcription redaction make it fully HIPAA compliant?

Transcription redaction reduces risk but does not eliminate it. Automated redaction tools may miss PHI in unusual formats, accented speech, or complex medical terminology. You should treat redacted transcriptions as potentially containing residual PHI and apply the same access controls and retention policies as you would to unredacted recordings. Redaction is one layer in a defense-in-depth approach, not a standalone compliance solution.

Can I use CallRail and Curve together?

Yes. Some practices use CallRail for internal call management and routing (under a BAA) while using Curve for HIPAA-compliant conversion tracking and attribution to ad platforms. This approach keeps call recordings and PHI within the BAA-covered CallRail environment while ensuring that conversion signals sent to Google, Meta, and Microsoft are de-identified and compliant.

Stay Compliant. Scale Confidently.

Join healthcare innovators who trust Curve for HIPAA-compliant ad tracking.Launch in hours, not months. Your growth stack, now HIPAA-safe.