Labsco
openai logo

twilio-security-compliance-hipaa

✓ Official4,081

by openai · part of openai/plugins

Configure Twilio accounts for HIPAA compliance. Covers BAA requirements, HIPAA Project designation (self-service and support), eligible services list, per-product requirements (Voice, SMS, ConversationRelay, Conversation Intelligence, Flex, Verify), message redaction, and what is NOT eligible. Use this skill when developers are building healthcare workflows on Twilio.

🧩 One of 7 skills in the openai/plugins package — works on its own, and pairs well with its siblings.

This is the playbook your agent receives when the skill activates — you don't need to read it to use the skill, but it's here to audit before installing.

Overview

HIPAA compliance on Twilio is a shared responsibility — Twilio provides eligible services and configuration tools, but your application must architect correctly. Getting this wrong means PHI exposure and compliance violations.

Sequence: Execute BAA → Designate HIPAA Project(s) → Use only eligible services → Follow per-product requirements


Step 1: Execute a BAA

  • Contact your Twilio Account Representative to execute a Business Associate Addendum
  • Purchase a Twilio Editions package that includes HIPAA Accounts
  • BAA is required before any PHI touches Twilio infrastructure

Step 2: Designate HIPAA Project(s)

Self-Service (BAA initiated after June 6, 2024)

  1. Create an Organization in Twilio Console
  2. Link accounts/projects/subaccounts to the Organization
  3. Console → Twilio Admin → Accounts → Select account → Enable HIPAA flag
  4. Save

Support Ticket (BAA initiated before June 6, 2024)

Open a Support ticket through Console to request HIPAA designation for specific accounts/projects/subaccounts.

Subaccount Behavior

  • Existing subaccounts are NOT auto-designated — Must be individually flagged
  • New subaccounts created AFTER designation DO auto-inherit HIPAA status
  • Verify each subaccount's HIPAA flag — don't assume inheritance

What Changes When HIPAA Is Enabled

  • Console auto-logoff after 15 minutes of inactivity
  • Account exempt from certain content moderation (but still subject to carrier complaint review)
  • No PHI in support tickets — use SIDs (CallSid, MessageSid) instead of phone numbers

HIPAA Eligible Services

Eligible (use these for PHI workflows)

CategoryServices
VoiceProgrammable Voice, Recordings*, Transcription*, Media Streams*, ConversationRelay*, Conversational Intelligence for Voice*, SIP Interface*, Elastic SIP Trunking*, Voice Insights, AMD, <Pay>, Conference, Coaching, Transfers
SMSProgrammable SMS, MMS, Long Codes, Toll-Free, Short Codes, Messaging Services (opt-out, fallback, geomatch, sticky sender, scheduling, link shortening)
IdentityVerify (SMS + Voice + Push only), Lookup
ConversationsChat, SMS, MMS, Group Texting (NOT WhatsApp)
FlexVoice, SMS, Chat, Conversations, Webchat 3.x.x*, TaskRouter, Proxy, Flex Insights*
SegmentConnections (Sources, Destinations*, Functions*), Reverse ETL*, Unify, Engage Foundations*, Protocols, Privacy Portal*
RuntimeStudio*, Functions, Debugger, API Explorer, Sync, Private Assets*, TwiML Bin*
DataEvent Streams

Items marked with * require additional configuration per "Architecting for HIPAA on Twilio" guidance.

NOT Eligible (do NOT use for PHI)

  • WhatsApp — Meta does not offer a BAA
  • SendGrid Email (including Email in Flex and Verify Email channel)
  • AI Assistants (including Voice for AI Assistants)
  • Verify Fraud Guard
  • Conversational Intelligence for Conversations (only Voice channel is eligible)
  • Agent Copilot, Unified Profiles in Flex
  • Engage Premier, Generative Audiences, Campaigns
  • Twilio Marketplace add-ons — even with third-party BAA
  • Autopilot
  • Flex Webchat 2.x.x (must migrate to 3.x.x)

Geographic restriction: Only US area codes for Voice and SMS HIPAA traffic.


CANNOT

  • Cannot use WhatsApp for HIPAA workflows — Meta does not offer a BAA. Applies to all Twilio products (Conversations, Flex, Frontline).
  • Cannot use SendGrid Email — Not HIPAA eligible in any context (Verify, Flex, standalone).
  • Cannot use Verify Fraud Guard or Email channel — Not eligible. Only SMS, Voice, Push.
  • Cannot use AI Assistants — Even with ConversationRelay, AI Assistants integration is not eligible.
  • Cannot use non-US area codes — Voice and SMS HIPAA traffic limited to US area codes.
  • Cannot put PHI in support tickets — Use SIDs for troubleshooting. Use Console chat, email, or Support Center.
  • Cannot assume subaccount HIPAA inheritance — Existing subaccounts must be individually flagged.
  • Cannot use GET webhooks with Message Redaction — GET parameters are logged for 7 days.
  • Cannot use Marketplace add-ons — Even with a third-party BAA, Marketplace is not eligible.
  • Cannot use Conversation Intelligence for Conversations — Only Voice channel is HIPAA eligible.

Next Steps

  • Authentication setup: twilio-security-api-auth
  • Account structure for HIPAA isolation: twilio-account-setup
  • Credential security: twilio-security-hardening
  • Traffic compliance (TCPA, GDPR, PCI): twilio-compliance-traffic

Official docs: HIPAA Eligible Services (PDF) | Architecting for HIPAA (PDF) | HIPAA account flag | Message Redaction