AI call screening for senior-living: a 2026 procurement guide
This is a procurement guide for senior-living facility executive directors, family-caregiver service operations leads, and hospice / palliative directors evaluating AI call-screening for resident phone lines. If you're a single-family caregiver protecting one parent, the Q1 2026 phone-scam patterns report may be a better starting point. This post is for the institutional buyer running a procurement process for 25, 75, or 500+ residents.
Why this is procurement-relevant in 2026
For most of the 2010s and early 2020s, "AI call screening for senior living" wasn't a real procurement category. The technology wasn't viable: voice-AI couldn't handle a three-turn elderly conversation without losing context, and the false-positive rate from autoblocking was high enough to alienate families.
That changed in late 2024 and 2025. Two specific shifts:
- Voice-cloning attacks on elderly residents went from rare to routine. Cloned-grandchild emergency-bail scams (FBI 2024 advisory), virtual-kidnapping with cloned voices, and the Phantom Hacker 3-phase ruse (FBI + NY AG 2024, $1B+ stolen since 2024) are no longer fringe. Front desks aren't trained to recognize them; voicemail isn't a defense.
- Deepfake voice detection became feasible. Voice-authenticity models trained on the open-source clone tools attackers actually use (ElevenLabs API, Tortoise, RVC) ship at production confidence ranges. False-positive rates are low enough that an AI-flagged call can sit in a soft-block-with-staff-review state without blocking grandma's actual grandson. We wrote up the Voipy Shield detection pipeline.
Net: institutional buyers who were waiting for the technology can buy now without being the technical pilot. The vendors are real, the false-positive rates are documented, the procurement frameworks are starting to standardize.
What "AI call screening" actually means (and what it doesn't)
Worth distinguishing from adjacent categories so the procurement scope is right:
- AI call screening (Voipy Shield, etc.) — answers inbound calls before residents pick up, classifies against known scam patterns, blocks confirmed scams, escalates ambiguous calls to staff. Optionally generates a family-facing weekly digest of what was blocked. This is the category this guide covers.
- Robocall blocking (Hiya, Nomorobo, Robokiller, carrier-side STIR/SHAKEN) — number-reputation filtering at the carrier level. Blocks high-volume known-bad numbers but doesn't catch the bespoke voice-cloned attack that originates from a one-time-use spoofed number.
- AI receptionist for medical staff (Voipy Receptionist, Smith.ai, Ruby) — answers calls for the facility's clinical or billing line, books appointments, routes inquiries. Different product; different buyer. Some vendors offer both (Voipy does).
- Call recording / compliance archive (CallRail, Gong) — captures and stores call audio for review. Doesn't screen or block in real time.
If your procurement scope is "block scam calls before they reach residents", you're in the first category above (AI call screening). If it's "answer the facility's main line", you're in the third (AI receptionist). Those are two different RFPs.
The 5 questions to ask before signing
1. What's your false-positive rate, and how is it measured?
The most damaging metric in the category. A 0.5% false-positive rate against grandma's actual family is enough to destroy trust in the product within 30 days. Ask the vendor:
- What's the auto-block threshold confidence? (Voipy Shield's is 0.4; below that, ambiguity routes to staff review, not auto-block.)
- What's your published false-positive rate on a benchmark dataset? Is the benchmark dataset publicly described?
- How are families recruited to the trusted-caller list? (A pre-registered allowlist is the simplest mitigation; vendors who don't offer one are starting from a worse base rate.)
2. What happens when the AI is uncertain?
Auto-block on uncertainty is the wrong default — you'll block real grandsons and the family will switch you off. The right pattern is a soft-block with a 15-30 second staff-review window. Ask:
- What does an ambiguous call look like to your staff? Is there a clear UI for the override?
- How fast does staff get paged on an ambiguous-call event? (SMS-paging from a Tier-1 vendor should be sub-30s.)
- What happens if staff doesn't respond within the override window — auto-block, auto-allow, or ring-the-resident?
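A small model of the routing behind questions 1 and 2, added here as an example (not Voipy's or any vendor's code): it replays a constructed pilot call log through a trusted-caller allowlist, a soft-block with a 30-second review window, and each timeout policy, then counts family calls blocked versus scam calls that reach the resident. The record format, verdict labels and function names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

REVIEW_WINDOW_S = 30  # upper end of the 15-30 second staff-review window

@dataclass
class Call:                          # one row of a pilot export (constructed format)
    caller: str
    verdict: str                     # assumed classifier labels: scam / ambiguous / clean
    staff_action: Optional[str]      # "allow", "block", or None if nobody responded
    staff_delay_s: Optional[float]   # seconds between the page and the staff action
    truth: str                       # established afterwards: "family" or "scam"

def disposition(call, allowlist, on_timeout):
    """Return 'ring' or 'block'. on_timeout is 'auto_block' or 'auto_allow';
    ring-the-resident is modelled as 'auto_allow' (the call reaches the resident)."""
    if call.caller in allowlist:
        return "ring"                # trusted callers bypass the classifier
    if call.verdict != "ambiguous":
        return "block" if call.verdict == "scam" else "ring"
    # Soft-block: a staff decision counts only if it lands inside the window.
    if call.staff_action and call.staff_delay_s <= REVIEW_WINDOW_S:
        return "ring" if call.staff_action == "allow" else "block"
    return "block" if on_timeout == "auto_block" else "ring"

def audit(calls, allowlist, on_timeout):
    """Count the two failure modes a buyer cares about for one configuration."""
    out = {"family_blocked": 0, "scams_rung": 0}
    for c in calls:
        d = disposition(c, allowlist, on_timeout)
        if c.truth == "family" and d == "block":
            out["family_blocked"] += 1
        elif c.truth == "scam" and d == "ring":
            out["scams_rung"] += 1
    return out

# Constructed sample calls; the numbers are fictional 555-01xx values.
CALLS = [
    Call("+12025550100", "ambiguous", None, None, "family"),    # registered grandson
    Call("+12025550101", "ambiguous", "allow", 12.0, "family"),
    Call("+12025550102", "ambiguous", None, None, "family"),    # nobody answered the page
    Call("+12025550103", "scam", None, None, "scam"),
    Call("+12025550104", "ambiguous", "block", 45.0, "scam"),   # staff answered too late
    Call("+12025550105", "ambiguous", "block", 20.0, "scam"),
]
ALLOWLIST = {"+12025550100"}

if __name__ == "__main__":
    for policy in ("auto_block", "auto_allow"):
        print(policy, audit(CALLS, ALLOWLIST, policy))
    print("no allowlist, auto_block", audit(CALLS, set(), "auto_block"))
```

Running the same audit over a real pilot export shows which timeout policy and allowlist coverage the facility can live with before the contract fixes them.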
3. Is there a Business Associate Agreement?
For residents covered by Medicare or Medicaid, your facility is a HIPAA Covered Entity. Any vendor handling resident-related call audio is a Business Associate. Sign a BAA before piloting; don't sign retroactively. Ask:
- Send me your standard BAA template for review. (If they have to "draft one for you," it's a flag.)
- What sub-processors do you use, and do they each have a BAA with you? (Vendor + sub-processor list should be public — Voipy publishes ours on /security.)
- Where is the call audio stored, what's the encryption posture (TLS in transit, AES-256 at rest are table stakes), and what's the retention default?
4. What does the family-facing report look like?
The single biggest difference between an AI screening product that customers love and one they forget about. A weekly plaintext email to registered family members, listing what was blocked and why, with severity tags, turns the product from "insurance you forget about" into "look what this saved Grandma from this week." Ask:
- Show me a sample weekly digest from a real facility (anonymized).
- What categorization do family members see? (Generic "scam blocked" is forgettable; specific "Medicare-flex-card scam blocked Tuesday at 2:14pm" is shareable.)
- Can families forward the report to siblings? Is there a public link?
5. How is the threat library kept current?
Scam scripts mutate every 4-8 weeks. A library that ships at procurement and never updates is a dead library by month four. Ask:
- How often is the pattern library updated? (Voipy Shield ships monthly with FTC / FBI / SEC / CFTC / FCC / FEMA / CFPB / SSA-OIG / AARP advisory citations per pattern.)
- Is the library public, or vendor-internal? (Voipy's 93-pattern Pattern Library is public. A public library is auditable; a private library is a marketing claim.)
- Are there free monthly updates included in the price, or is library access tier-gated?
HIPAA + state procurement requirements
For senior-living facilities operating Medicare-funded units, the relevant federal frameworks are:
- HIPAA Privacy & Security Rules (45 CFR Parts 160 & 164) — covered above; needs a BAA.
- HIPAA Breach Notification Rule — vendor must notify your facility within 60 days of a breach, with prompt good-faith effort. Ask about their incident-response timeline.
- State elder-abuse mandatory-reporter laws — vary by state, but most require facilities to report suspected financial exploitation of a resident within 24 hours. AI scam-screening generates exactly the audit trail this requires; ensure the vendor's data export supports your state's reporting format.
For Medicaid-only facilities, add:
- State Medicaid OIG audit requirements — vendor's data retention should match your state's audit window (typically 6-10 years).
- CMS Conditions of Participation for SNFs (42 CFR Part 483) include resident-rights provisions covering communication; document how the screening product upholds resident rights to receive intended communications.
Implementation timeline expectations
For a 25-75 resident facility on a SIP-trunk-based phone system, realistic timeline:
- Week 1: signed BAA, vendor provisions a Shield number per resident, family registration emails go out.
- Week 2: family enrollment in trusted-caller list (typically 60-80% completion in first cycle), staff training on the override-pager workflow.
- Week 3: carrier-side call-forwarding configuration on the resident lines (2-day forward + 2-day verification window).
- Week 4: parallel-running with existing process; first family digest goes out.
- Month 2 onward: normal operation; tune false-positive thresholds based on first-cycle data.
Multi-facility (200+ residents) or operators with non-SIP analog phone systems should add 2-4 weeks. Federation (multiple operators sharing a Shield instance) is an Enterprise-tier conversation, not a self-serve flow.
Pricing across the category
As of April 2026:
- Per-facility flat-tier products (Voipy Shield is the example): $499-1499/mo per facility. Unlimited resident lines included on the per-facility tier; no per-call or per-minute charges. Voipy Shield pricing.
- Per-resident metered products (some early-stage entrants): $25-50/resident/mo with minimum facility commitments. Comes out cheaper for 10-resident facilities, more expensive at 50+.
- Add-on to PBX (some carrier offerings): $5-15/line/mo as an upsell on existing telephony. Generally less feature-rich; minimal pattern library; no family-facing report.
- Custom enterprise (multi-facility operators, hospice systems): typically $999-2499/mo per facility with discounts at 5+ facilities. Sales-led; expect a 30-60 day procurement cycle.
The four landmines
1. The auto-block threshold is too aggressive.
If the vendor's default is to auto-block on confidence below 0.6, expect 1-2% false-positive rate against real family calls. That's enough to alienate residents and families within 60 days. Negotiate the threshold or add the trusted-caller allowlist as a pre-condition.
2. The "weekly family digest" doesn't exist or is generic.
This is the single biggest retention lever in the category. A facility that signs without a working family digest will let it slide; a facility with a working family digest gets the families themselves invested in the product. Ask for a sample before signing.
3. The pattern library hasn't been updated in 90 days.
"We ship monthly updates" should be verifiable on a public changelog. If the vendor's last library update is 90 days old, they're not maintaining it and you'll be back to procurement in six months when the threats have rotated. Voipy's library updates are visible on /changelog; expect similar transparency from vendors.
4. The vendor uses third-party LLM APIs without disclosing it.
If the vendor routes resident-related call audio through OpenAI / Anthropic / Google / Cohere as a sub-processor, your BAA needs to cover those flows too. Some vendors omit this. Ask for the full sub-processor list. Voipy publishes ours on /security — Anthropic and Google Cloud are listed there as failover-only routes for transcript snippets, never full call audio.
Where Voipy Shield fits
Voipy Shield is the AI scam-screening product from Voipy. We're a small founder-led team that ships the entire pipeline ourselves — GPU-hosted LLM, Whisper STT, Orpheus TTS, Telnyx telephony, PostgreSQL persistence — without commercial voice-AI APIs in the critical path. More about us; security and compliance posture; 93-pattern public library; Shield pricing; changelog.
If your procurement is for senior-living scam screening specifically: /shield walks the buyer journey. The 14-day trial is a real DID with full feature access; we don't charge until day 15. If you want to talk to a human before committing, anton@voipy.app reaches the founder directly.
— Anton