HIPAA and Home Service: Privacy Considerations for Contractor Call Data

The headline is intentionally provocative: HIPAA — the Health Insurance Portability and Accountability Act — does not apply to HVAC companies, plumbers, or electricians. Home service contractors are not covered entities under HIPAA and do not handle protected health information. So why the title? Because every week, a contractor asks us about HIPAA when what they actually want to know is: 'Is it legal for you to record my customers' calls, and how do you protect that data?' Those are legitimate questions, and they deserve straight answers.

What Laws Actually Apply to Contractor Call Recordings

Call recording law in the United States is governed primarily at the state level. States are categorized as either 'one-party consent' or 'two-party consent' (also called 'all-party consent') jurisdictions. In one-party consent states, a call can be recorded with the consent of only one participant — typically the business. In two-party consent states, all parties on the call must be informed that the call is being recorded. Currently, two-party consent states include California, Florida, Illinois, Maryland, Massachusetts, Nevada, New Hampshire, Oregon, Pennsylvania, Washington, and a handful of others. If you operate in any of these states, callers must be notified at the start of the call.

How CallJolt Handles Recording Disclosure

CallJolt can be configured to play a brief disclosure at the start of every call — 'This call may be recorded for quality purposes' — which satisfies the notification requirement in all US states, including two-party consent states. This disclosure is standard practice and does not deter callers. It is the same message they hear when calling any major business. We recommend enabling this disclosure for all CallJolt accounts regardless of state, as it protects your business and sets a consistent standard.

TCPA Considerations for Post-Call SMS

The Telephone Consumer Protection Act (TCPA) governs automated text messages. When CallJolt sends an SMS confirmation to a caller after booking, that message is a transactional communication — a confirmation of an appointment the caller actively requested. TCPA generally permits transactional messages without prior written consent. However, if you use CallJolt to send marketing messages or promotional follow-ups, prior express written consent is required. CallJolt's default SMS behavior (booking confirmation and call summary) is transactional and compliant.

AI Disclosure Laws

Several states have enacted or are considering laws that require businesses to disclose when a caller is speaking to AI rather than a human. The regulatory landscape is evolving, and more states are likely to add disclosure requirements. CallJolt's virtual assistant identification — 'Hi, this is CallJolt, the virtual assistant for [Your Company]' — satisfies current disclosure requirements in all enacted state laws and positions your business ahead of requirements that may be coming.

How CallJolt Protects Customer Data

• All call recordings are encrypted at rest using AES-256 and in transit using TLS 1.3
• Call data is stored in US-based data centers
• Access to call recordings is restricted to authenticated account users
• Data retention policies are configurable — you can set automatic deletion after a specified period
• CallJolt does not sell or share caller data with third parties
• SOC 2 Type II compliance in progress

What You Should Tell Your Customers

You do not need to make a big announcement that you are using AI. Most businesses simply update their privacy policy to note that inbound calls are answered and processed by AI and that calls may be recorded. Your privacy policy should be accessible from your website. If a customer directly asks whether they spoke to a human or AI, be straightforward — the relationship is better served by honesty.