Skill v1.0.0

version: "1.0.0" name: twilio-security-compliance-hipaa description: > Configure Twilio accounts for HIPAA compliance. Covers BAA requirements, HIPAA Project designation (self-service and support), eligible services list, per-product requirements (Voice, SMS, ConversationRelay, Conversation Intelligence, Flex, Verify), message redaction, and what is NOT eligible. Use this skill when developers are building healthcare workflows on Twilio.

Overview

HIPAA compliance on Twilio is a shared responsibility — Twilio provides eligible services and configuration tools, but your application must architect correctly. Getting this wrong means PHI exposure and compliance violations.

Sequence: Execute BAA → Designate HIPAA Project(s) → Use only eligible services → Follow per-product requirements

Step 1: Execute a BAA

• Contact your Twilio Account Representative to execute a Business Associate Addendum
• Purchase a Twilio Editions package that includes HIPAA Accounts
• BAA is required before any PHI touches Twilio infrastructure

Step 2: Designate HIPAA Project(s)

Self-Service (BAA initiated after June 6, 2024)

1. Create an Organization in Twilio Console
2. Link accounts/projects/subaccounts to the Organization
3. Console → Twilio Admin → Accounts → Select account → Enable HIPAA flag
4. Save

Support Ticket (BAA initiated before June 6, 2024)

Open a Support ticket through Console to request HIPAA designation for specific accounts/projects/subaccounts.

Subaccount Behavior

• Existing subaccounts are NOT auto-designated — Must be individually flagged
• New subaccounts created AFTER designation DO auto-inherit HIPAA status
• Verify each subaccount's HIPAA flag — don't assume inheritance

What Changes When HIPAA Is Enabled

• Console auto-logoff after 15 minutes of inactivity
• Account exempt from certain content moderation (but still subject to carrier complaint review)
• No PHI in support tickets — use SIDs (CallSid, MessageSid) instead of phone numbers

HIPAA Eligible Services

Eligible (use these for PHI workflows)

Items marked with require additional configuration per "Architecting for HIPAA on Twilio" guidance.*

NOT Eligible (do NOT use for PHI)

• WhatsApp — Meta does not offer a BAA
• SendGrid Email (including Email in Flex and Verify Email channel)
• AI Assistants (including Voice for AI Assistants)
• Verify Fraud Guard
• Conversational Intelligence for Conversations (only Voice channel is eligible)
• Agent Copilot, Unified Profiles in Flex
• Engage Premier, Generative Audiences, Campaigns
• Twilio Marketplace add-ons — even with third-party BAA
• Autopilot
• Flex Webchat 2.x.x (must migrate to 3.x.x)

Geographic restriction: Only US area codes for Voice and SMS HIPAA traffic.

Per-Product Requirements

Voice & Recordings

• HTTP auth required for recording URLs — Enable in Console → Voice Settings. Recording URLs are public by default.
• Voice Recording Encryption recommended — Encrypts with your public key before cloud storage
• ConversationRelay: Your AI Provider must have their own BAA. Cannot use for clinical/medical decision-making.
• Conversation Intelligence for Voice: Only Azure OpenAI for generative operators. No PHI in operator prompts. Data use auto-disabled for HIPAA accounts. PII Redaction recommended (auto-redacts 21 PHI field types).

SMS & MMS

• HTTP auth required for MMS Media URLs — Enable in Console → Messaging → Settings → General
• Message Redaction recommended — Redacts message bodies and phone numbers from Console/API/support
• No PHI in Message Tags — custom attributes in Message Tagging must not contain PHI
• Message Redaction prerequisites:

1. Disable Sticky Sender and Fallback to Long Code on Messaging Services
2. Contact Support to disable built-in STOP filtering (then implement custom STOP handling)
3. Set all webhooks to POST (GET logs params for 7 days, defeating redaction)
4. Incompatible with Studio, Flex, and Conversations

Verify

• Only SMS, Voice, and Push channels — Email channel is NOT eligible
• Fraud Guard is NOT eligible — do not enable for HIPAA workflows

Flex

• Flex Insights: Twilio auto-redacts PII from TaskRouter attributes (names, phone, email). Visual waveform and speech metrics disabled.
• Customer must: Ensure no PHI in preserved Attribute fields, Comments, or Assessments. Implement session timeout (Flex has no built-in timeout). Secure Flex Plugins for HIPAA.
• No WhatsApp, Facebook Messenger, or SendGrid Email in Flex HIPAA workflows

Event Streams

• Customer responsible for HIPAA-compliant sink configuration (e.g., AWS Kinesis requires Amazon's HIPAA architecture)
• Non-eligible product event types must not process PHI

CANNOT

• Cannot use WhatsApp for HIPAA workflows — Meta does not offer a BAA. Applies to all Twilio products (Conversations, Flex, Frontline).
• Cannot use SendGrid Email — Not HIPAA eligible in any context (Verify, Flex, standalone).
• Cannot use Verify Fraud Guard or Email channel — Not eligible. Only SMS, Voice, Push.
• Cannot use AI Assistants — Even with ConversationRelay, AI Assistants integration is not eligible.
• Cannot use non-US area codes — Voice and SMS HIPAA traffic limited to US area codes.
• Cannot put PHI in support tickets — Use SIDs for troubleshooting. Use Console chat, email, or Support Center.
• Cannot assume subaccount HIPAA inheritance — Existing subaccounts must be individually flagged.
• Cannot use GET webhooks with Message Redaction — GET parameters are logged for 7 days.
• Cannot use Marketplace add-ons — Even with a third-party BAA, Marketplace is not eligible.
• Cannot use Conversation Intelligence for Conversations — Only Voice channel is HIPAA eligible.

Next Steps

• Authentication setup: twilio-security-api-auth
• Account structure for HIPAA isolation: twilio-account-setup
• Credential security: twilio-security-hardening
• Traffic compliance (TCPA, GDPR, PCI): twilio-compliance-traffic

Official docs: HIPAA Eligible Services (PDF) | Architecting for HIPAA (PDF) | HIPAA account flag | Message Redaction