Guide · Call Tracking
Only two call-tracking vendors in our catalog confirm both HIPAA support and a signed BAA
Most call-tracking platforms say nothing about HIPAA at all — and of the three that do, one offers compliance only as a tier-gated upgrade without confirming the paperwork that makes it legal.
If you run a healthcare practice, the compliance filter eliminates most of this market before price is even worth discussing. Of the 16 call-tracking vendors in our catalog, 13 publish nothing at all about HIPAA — not a flag, not a BAA mention, nothing. Only three say anything, and the distinctions between those three are the entire story. Two — CallRail and Invoca — confirm both HIPAA support and an available signed Business Associate Agreement. The third, CallTrackingMetrics, states HIPAA compliance but does not publish BAA specifics, and offers it only from its Marketing Pro tier at $179/mo and up.
That is the answer in one paragraph. The rest is why those three are not interchangeable.
The two that confirm both HIPAA and a BAA
A HIPAA “flag” without a Business Associate Agreement is close to useless to a covered entity. Under the rule, the vendor handling call recordings and transcripts of patient calls is a business associate; without the signed BAA, you’re the one exposed. So the column that matters isn’t “HIPAA: yes” — it’s “BAA: available.”
| Vendor | HIPAA | BAA | Entry into compliance | Source posture |
|---|---|---|---|---|
| CallRail | Yes | Yes | Lead Tracking, $50/mo | Published pricing |
| Invoca | Yes | Yes | Quote-only | Sales-gated |
| CallTrackingMetrics | Yes | Not published | Marketing Pro, $179/mo | Published pricing |
CallRail is the only vendor in the catalog that pairs confirmed HIPAA-plus-BAA with a fully published, low-entry price. Its Lead Tracking plan is $50/mo, bundling 5 local tracking numbers and 250 local minutes, with platform-wide metered usage on top at $0.045/min local and $0.065/min toll-free. For a small practice, that’s the cleanest path: a known base price, a documented BAA for healthcare accounts, and no requirement to climb a tier ladder to reach compliance.
Invoca also confirms both — its pricing page states HIPAA compliance alongside SOC 2 Type 2, PCI DSS, and BAA support. The catch is economic, not legal: Invoca publishes no monthly figure. Its tiers (Pro / Enterprise / Elite) are scaled by annual phone-number volume in the 6,000–18,000 range and route to a sales form. This is enterprise infrastructure — appropriate for a hospital network or a multi-location group, materially oversized for a single practice.
The third one is the trap
CallTrackingMetrics is where healthcare buyers get caught. It does state HIPAA compliance — but only from Marketing Pro at $179/mo, not on the Marketing Lite tier at $79/mo that a cost-conscious buyer would naturally start with. And our dataset records its BAA status as not published: the HIPAA claim is there, the paperwork commitment isn’t spelled out the way CallRail’s and Invoca’s are.
Marketing Pro is a capable plan on its own terms — it bundles 3,000 transcribed minutes with $0.02/min overage and adds white-label and HubSpot integration. But for compliance purposes, the relevant fact is that CTM’s HIPAA posture is tier-gated and BAA-ambiguous. If you go this route, the signed BAA is a question to settle in writing with their sales team before you send a single patient call through it — not an assumption you can make from the pricing page.
What the silence means
The thirteen vendors that publish nothing — WhatConverts, Ringba, Nimbata, Infinity, Convirza, WildJar, Dialics, Mediahawk, and the quote-only set including Marchex, Phonexa, CallSource, Retreaver, and TrackDrive — are not necessarily non-compliant. In our data, null means not published, not confirmed absent. Convirza, for instance, references “Caller Privacy (HIPAA & Legal)” on its site without detailing it in any tier.
But a healthcare buyer cannot run a practice on a maybe. If a vendor won’t put HIPAA and BAA support in writing on a public page, the burden is entirely on you to extract that commitment in a contract — and for most of these vendors, billed at attractive rates like Convirza’s $29/mo Starter or WhatConverts’ $30/mo entry, the saving evaporates the moment legal has to negotiate a one-off agreement.
How to read this
For a single healthcare practice that wants a documented BAA and a price it can see, CallRail at $50/mo is the default answer — it’s the only vendor combining confirmed HIPAA, confirmed BAA, and published pricing. Invoca is the same compliance posture at enterprise scale and enterprise (quote-only) economics. CallTrackingMetrics can work, but only from $179/mo and only after you’ve pinned down the BAA that its pricing page leaves unstated. Everything else in the category is a compliance unknown — which, for protected health information, is the same as a no until proven otherwise.