Is ChatGPT HIPAA Compliant? What Healthcare Must Know About AI
ChatGPT and OpenAI's API are increasingly used in healthcare for clinical documentation, patient communication, and administrative tasks. However, HIPAA compliance is only possible with ChatGPT Enterprise or the OpenAI API with a signed BAA. The free, Plus, and Team versions of ChatGPT are not HIPAA compliant and must not be used with protected health information.
ChatGPT is HIPAA compliant ONLY on the Enterprise plan, where OpenAI signs a BAA and does not use your data for training. Free, Plus, and Team plans are NOT compliant and must never be used with PHI. The OpenAI API also supports BAAs for developers building healthcare applications.
Compliance Assessment
- Encryption: OpenAI encrypts data in transit (TLS 1.2+) and at rest (AES-256) across all plans. Enterprise adds additional encryption controls.
- BAA: Available only for ChatGPT Enterprise and OpenAI API customers. Not available for Free, Plus, or Team plans.
- Model training: Enterprise data is never used for model training. On other plans, data may be used for training unless manually opted out in settings.
- Access management: Enterprise offers SSO (SAML), SCIM provisioning, domain verification, and admin controls. Other plans have minimal access management.
- Audit logging: Enterprise provides admin-level audit logs for user activity. Other plans have no audit logging capabilities.
- Data retention: Enterprise allows custom data retention windows. API customers can set zero data retention. Other plans retain conversations per OpenAI's standard policy.
- Data residency: OpenAI does not currently offer data residency controls or guarantee that data stays in a specific geographic region.
- Output accuracy: AI-generated content can contain hallucinations. Clinical use requires human review of all outputs for patient safety and compliance.
- Third-party plugins and GPTs: ChatGPT plugins and GPTs created by third parties are not covered under OpenAI's BAA and should not be used with PHI.
- Backup and recovery: OpenAI maintains infrastructure redundancy but does not provide user-facing backup or data recovery for conversation data.
Business Associate Agreement (BAA)
OpenAI offers a BAA for ChatGPT Enterprise customers and OpenAI API customers on qualifying plans. The BAA covers the core ChatGPT Enterprise service and API endpoints. It does not cover third-party plugins, custom GPTs from the GPT Store, or features explicitly excluded in the BAA terms. Contact OpenAI sales to execute the BAA.
How to Make ChatGPT HIPAA Compliant
1. Subscribe to ChatGPT Enterprise or use the OpenAI API with a qualifying plan, and sign the BAA with OpenAI.
2. Enable SSO (SAML) and SCIM provisioning to manage user access through your identity provider.
3. Configure custom data retention policies to minimize PHI storage duration.
4. Disable or restrict access to third-party plugins and GPT Store applications that are not covered under the BAA.
5. Implement human review workflows for all AI-generated clinical content before it is used in patient care.
6. Train staff on what information can and cannot be entered into ChatGPT, even on Enterprise plans.
Limitations
- Free, Plus, and Team plans do not offer BAAs and cannot be used with PHI under any circumstances.
- No data residency controls — data may be processed in any region where OpenAI operates.
- AI outputs can contain errors (hallucinations) and must be reviewed by qualified personnel before clinical use.
- Third-party plugins and custom GPTs are not covered under the BAA.
- ChatGPT is not a medical device and should not be used for clinical decision-making without human oversight.
Frequently Asked Questions
Is ChatGPT HIPAA compliant?
Only ChatGPT Enterprise is HIPAA compliant with a signed BAA from OpenAI. The free, Plus, and Team plans are not HIPAA compliant and must not be used with protected health information.
Does OpenAI offer a BAA?
Yes. OpenAI offers a BAA for ChatGPT Enterprise customers and qualifying OpenAI API customers. The BAA covers core services but excludes third-party plugins and custom GPTs.
Can doctors use ChatGPT?
Doctors can use ChatGPT Enterprise (with a BAA) for tasks like documentation and research, but must never enter PHI into non-Enterprise versions. All AI-generated clinical content must be reviewed before use in patient care.
Does ChatGPT use my data for training?
On Free, Plus, and Team plans, conversations may be used for model training (you can opt out in settings). ChatGPT Enterprise data is never used for training, which is critical for HIPAA compliance.
What is the difference between ChatGPT Enterprise and Plus for HIPAA?
Enterprise offers a BAA, SSO, SCIM, audit logs, no data training, custom retention, and admin controls. Plus has none of these features and cannot be used with PHI.
Can I use the OpenAI API for healthcare apps?
Yes. The OpenAI API supports BAAs for qualifying customers. You can build HIPAA-compliant healthcare applications using the API with proper data handling, encryption, and access controls in your application layer.
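One piece of the "data handling in your application layer" mentioned above is a gate that sits in front of the model call: it refuses to forward a prompt containing PHI identifiers unless the configured deployment is one the page names as BAA-eligible (Enterprise or API) and the BAA is actually signed, and it records every decision for audit. The following is an added illustration, not OpenAI's code or any OpenAI SDK call; the `Deployment` record, the `PHI_PATTERNS` regexes and the sample prompts are constructed for this example, and a production system would back the pattern list with a proper PHI detection service rather than a handful of regexes.

```python
import re
from dataclasses import dataclass

# Hypothetical description of how this application is deployed.
# Plan names mirror the tiers discussed on the page.
@dataclass(frozen=True)
class Deployment:
    plan: str          # "free", "plus", "team", "enterprise", or "api"
    baa_signed: bool   # True only once a BAA has actually been executed

# Constructed, deliberately conservative patterns for common PHI identifiers.
# Each hit is reported by category; the matched text itself is never logged.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}

# Only these tiers can be covered by a BAA according to the page.
BAA_ELIGIBLE_PLANS = {"enterprise", "api"}


def find_phi_identifiers(text: str) -> list[str]:
    """Return the sorted list of PHI identifier categories found in text."""
    return sorted(name for name, pattern in PHI_PATTERNS.items() if pattern.search(text))


def plan_permits_phi(deployment: Deployment) -> bool:
    """PHI may only flow to a BAA-eligible plan with the BAA actually signed."""
    return deployment.plan in BAA_ELIGIBLE_PLANS and deployment.baa_signed


def screen_prompt(text: str, deployment: Deployment) -> dict:
    """Decide whether a prompt may be forwarded to the model.

    Prompts with no detected identifiers pass on any plan. Prompts with
    identifiers pass only when plan_permits_phi() is true. The returned
    record (categories only, no matched text) is suitable for an audit log.
    """
    identifiers = find_phi_identifiers(text)
    if not identifiers:
        return {"allowed": True, "identifiers": [], "reason": "no PHI identifiers detected"}
    if plan_permits_phi(deployment):
        return {"allowed": True, "identifiers": identifiers,
                "reason": f"PHI permitted on {deployment.plan} plan with signed BAA"}
    return {"allowed": False, "identifiers": identifiers,
            "reason": f"PHI blocked: {deployment.plan} plan without a signed BAA"}


if __name__ == "__main__":
    # Constructed sample prompts; the identifiers below are fictitious.
    prompts = [
        "Summarize the HIPAA minimum necessary standard in two sentences.",
        "Draft a discharge note for patient MRN 00482911, DOB: 03/14/1962.",
    ]
    for dep in (Deployment("plus", False), Deployment("enterprise", True)):
        for p in prompts:
            print(dep.plan, screen_prompt(p, dep))
```

The gate deliberately fails closed: an Enterprise deployment whose `baa_signed` flag is still `False` is treated like a Plus plan, which matches the page's point that the BAA, not the plan name, is what makes PHI handling permissible.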
Is Microsoft Copilot HIPAA compliant?
Microsoft Copilot for Microsoft 365 is covered under Microsoft's BAA for Enterprise customers. However, the free Copilot chat (Bing Chat) is not covered and should not be used with PHI.
Generate HIPAA policies for your stack
PoliWriter creates all the HIPAA policies you need, customized to tools like ChatGPT and your specific configuration. AI-powered, audit-ready, hours not months.