HIPAA and call recording in a pharmacy
Recording calls is the most valuable and the most legally layered thing a pharmacy CRM can do. Three bodies of law meet on one phone line, and each asks a different question.
HIPAA: the recording is PHI
A recorded patient call held by a pharmacy is protected health information, and the pharmacy is the covered entity. That brings the familiar obligations of 45 CFR Part 164: use and disclosure within permitted purposes, the minimum-necessary standard, safeguards in storage and transmission, and inclusion in the pharmacy's risk analysis. Any vendor that hosts or processes those recordings handles PHI on the pharmacy's behalf and belongs under a business associate agreement. HIPAA itself does not bar recording; it governs what the recording is and how it is protected once it exists.
State law: who must consent
Whether the call may be recorded at all is state law, and the states split. Most accept one-party consent; a significant minority, Florida and California among them, require all parties to consent. A pharmacy serving patients across state lines cannot assume its home rule travels with the call. The operational answer is notice and consent at the start of the call, captured and retrievable, with the configuration deciding which calls record at all.
TCPA: a different statute for the outbound direction
The Telephone Consumer Protection Act (47 U.S.C. 227) governs the outbound side: automated dialing and artificial or prerecorded voices, which the FCC has confirmed includes AI-generated voices. Routine refill and outreach calls placed with an artificial voice require the consent the statute prescribes, and some states add private rights of action on top. The practical consequence for software: an assistant may place an outbound call only where that call is configured and the required consent is on file, and the system should be able to show both facts for any call it placed.
What the software must provide
- Consent as configuration, not folklore. Which calls record, what notice plays, and what consent is captured are settings the pharmacy controls, with the captured consent stored against the contact.
- The transcript bound to the record. A transcription that lives in a side tool is a second PHI store to secure and a discovery surface no one is watching. Bound to the interaction record, it is one record under one set of controls.
- Retention the pharmacy sets. Recordings and transcripts follow a configured retention period, not "forever by default."
- Access within roles. Who can play a recording or read a transcript is a permission, logged like any other access to PHI.
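The recording, outbound and retention gates described above, as an added Python example that is not the article's or any product's code. The `Policy`, `Contact` and `Decision` types, the `refill_reminder` call type, the 365-day retention value and the rule that the stricter state wins are assumptions of this example; only Florida and California as all-party states come from the article.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Policy:  # settings the pharmacy controls; values here are constructed
    all_party_states: frozenset = frozenset({"FL", "CA"})  # the two the article names
    outbound_call_types: frozenset = frozenset({"refill_reminder"})
    retention_days: int = 365  # assumed period, not a legal figure

@dataclass
class Contact:
    contact_id: str
    state: str
    recording_consent_at: Optional[datetime] = None
    artificial_voice_consent_at: Optional[datetime] = None

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    evidence: dict = field(default_factory=dict)  # stored with the interaction record

def may_record(policy: Policy, pharmacy_state: str, contact: Contact) -> Decision:
    # Assumption: the stricter rule wins if either end is in an all-party state.
    strict = sorted({pharmacy_state, contact.state} & policy.all_party_states)
    consent = contact.recording_consent_at
    evidence = {"all_party_states": strict,
                "consent_at": consent.isoformat() if consent else None}
    if strict and consent is None:
        return Decision(False, "all-party state, no consent captured", evidence)
    return Decision(True, "consent on file" if consent else "one-party rule", evidence)

def may_place_outbound(policy: Policy, call_type: str, contact: Contact) -> Decision:
    # Both facts must hold, and both are returned so they can be shown later.
    configured = call_type in policy.outbound_call_types
    consent = contact.artificial_voice_consent_at
    evidence = {"configured": configured,
                "consent_at": consent.isoformat() if consent else None}
    if not configured:
        return Decision(False, "call type not configured", evidence)
    if consent is None:
        return Decision(False, "no artificial-voice consent on file", evidence)
    return Decision(True, "configured and consented", evidence)

def purge_due(policy: Policy, recorded_at: datetime, now: datetime) -> bool:
    # Recordings and transcripts expire together at the configured retention period.
    return now - recorded_at >= timedelta(days=policy.retention_days)
```

Persisting each `Decision` alongside the call is what lets the system show, for any call it placed or recorded, that the configuration and the consent were both in place at the time.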
The division of responsibility
No software makes a pharmacy HIPAA-compliant, and a vendor who claims otherwise is describing a poster, not a control. The software provides the mechanism: consent capture, scoped recording, bound transcripts, retention, and access control. The pharmacy, as the covered entity, decides the policy and owns the obligation. The well-built system makes the lawful configuration the easy one.