Is ChatGPT HIPAA Compliant?

Direct answer: only Enterprise with a BAA. The harder question is what to use instead, and what to actually require from any vendor.

TL;DR

ChatGPT Free, Plus, Pro, and Team are not HIPAA-compliant. ChatGPT Enterprise with a signed BAA is. The standard OpenAI API doesn't include a BAA either; you need the Enterprise/business arrangement to get one. If Enterprise is out of reach, BAA-backed alternatives exist that work for solo and small practices.

The direct answer

Putting it as plainly as possible:

If you're a covered entity or business associate under HIPAA and you're using ChatGPT Plus or Pro for clinical work, you're already over the line. The fix isn't a more careful prompt. The fix is a BAA. If you don't have a BAA with OpenAI, you don't have HIPAA coverage. Period.

For a wider survey of which AI chat products will actually sign a BAA, see our HIPAA-compliant AI chat guide.

Why consumer, Plus, Pro, and Team don't qualify

HIPAA requires that any vendor handling Protected Health Information on your behalf sign a Business Associate Agreement. The BAA is the contract that makes the vendor a "business associate" with direct obligations under HIPAA: it spells out what the vendor may do with the PHI and what safeguards it must maintain. Without it, you have no contractual assurance that the vendor will safeguard the data, and disclosing PHI to them is an impermissible disclosure regardless of what their privacy policy says.

OpenAI's consumer products don't offer a BAA. That's not a technical problem; it's a contractual one. Even if Plus and Pro were technically secure, the absence of a BAA alone disqualifies them.

On top of that, consumer-tier conversations are retained on OpenAI's systems under OpenAI's standard data policies, and since the preservation order in the New York Times lawsuit, consumer ChatGPT and standard API logs are subject to court-ordered retention that overrides the normal 30-day deletion.

For HIPAA, that last point is significant. You can't tell a patient "we'll delete that conversation" if the underlying logs are subject to a federal preservation order you can't override.

What ChatGPT Enterprise actually offers

ChatGPT Enterprise is OpenAI's HIPAA-eligible tier. Once a BAA is signed, it supplies what the lower tiers lack: the BAA itself, the option of zero data retention (ZDR), no training on your data, and the admin controls and audit logging you need to show an auditor who used the tool and when.

Configured properly, with the BAA signed and ZDR turned on, ChatGPT Enterprise is a defensible HIPAA setup. The question for most small practices is whether they can actually get to this tier.

The pricing reality

OpenAI does not publish ChatGPT Enterprise pricing. It's contact-sales, with seat minimums (commonly cited as 150 seats, though this shifts) and annual contracts. In practice, that puts Enterprise out of reach for solo practitioners and small practices.

This is the gap in the market. A solo therapist who wants AI for clinical notes can't realistically buy ChatGPT Enterprise. The minimums and pricing don't fit. So either she breaks HIPAA by using Plus, or she finds a different vendor. The "find a different vendor" path is now well-established.

What you can use if Enterprise isn't accessible

Several BAA-backed AI chat products exist specifically for the small-and-solo healthcare gap. They work for one user or a hundred, with a BAA signed up front.

Vendor | Underlying model(s) | BAA | Fit
Private Claude Business | Claude (Opus, Sonnet, Haiku) | Yes, included | Solo and small teams. Self-serve onboarding.
Hathr.AI | Claude on AWS Bedrock | Yes | Solo and small teams. Per-user pricing.
BastionGPT | GPT via Azure OpenAI | Yes | Healthcare-focused, common in clinical workflows.
CompliantChatGPT | GPT via Azure OpenAI | Yes | Healthcare-focused. Solo-friendly pricing.
Microsoft Azure OpenAI | GPT in your Azure tenant | Yes (Microsoft BAA) | If you already have Azure. Build-your-own-UI required.
Anthropic Enterprise | Claude direct from Anthropic | Yes | Mid-market and up. Similar profile to ChatGPT Enterprise.

For a deeper side-by-side, see our HIPAA AI vendor comparison. The short version: if you want a turnkey BAA-backed chat experience without procurement friction, BAA-backed AI chat products like Private Claude Business, Hathr, BastionGPT, and CompliantChatGPT all clear the bar.

The real question: do you need ChatGPT, or do you need AI?

A lot of small practices walk into this thinking "we need ChatGPT for clinical notes." What they actually need is an AI chat tool with a BAA that handles clinical text well. ChatGPT is one option. Claude is another, and it's often stronger on long medical text, intake summaries, treatment plan drafts, and structured clinical documentation.

Claude is available with a BAA in two ways for a small practice: through Private Claude Business, which is self-serve and built for solo and small teams, or through a reseller such as Hathr.AI that runs Claude on AWS Bedrock under its own BAA. Anthropic Enterprise also includes a BAA, but its profile is closer to ChatGPT Enterprise and suits mid-market teams and up.

The model brand matters less than the contract. Pick the vendor that will sign a BAA, that fits your scale, and that handles your actual clinical text well. Test both before you commit.

What an auditor will actually ask

If OCR (the HHS Office for Civil Rights, which enforces HIPAA) audits you, or if you're going through a security review for a contract, the questions about your AI tool are predictable. Have the answers ready:

  1. Show me the BAA. Signed, dated, with the right legal entity on both sides. If you don't have one, the audit ends here.
  2. Show me your workflow document. Which staff use the tool, for what tasks, with what data, under what review process.
  3. Show me staff training records. Everyone touching the tool needs documented HIPAA training, including AI-specific guidance about what can and can't go in.
  4. Show me audit logs. Who used what, when. The vendor needs to make this available to you.
  5. Show me your retention policy. How long is data retained at the vendor, in your account, in your records. In writing.
  6. Show me your breach response plan. If the vendor has an incident, what happens, who you notify, on what timeline.

Most small practices fail at #2 and #3, not #1. They get the BAA, then never document the workflow or train the staff. The BAA alone isn't a compliance program. It's the foundation.

What to require from any AI vendor before signing

Whether you're evaluating ChatGPT Enterprise, Private Claude Business, BastionGPT, or anything else, ask for these eight things in writing before you sign:

  1. Signed BAA covering the actual product you're buying, with the right legal entity on the vendor side.
  2. List of sub-processors. Who else touches your data (cloud provider, monitoring tools, support vendors). Each one that handles PHI needs its own downstream agreement with the vendor; HIPAA holds the business associate responsible for its subcontractors.
  3. Retention policy in writing. How long prompts and outputs are stored, where, and when they're deleted. "Zero retention" should be a contract term, not marketing copy.
  4. Audit log access. You need to see who used the tool, when, and for what. Logs you can export, not screenshots from a dashboard.
  5. Breach SLA. How fast they notify you of a security incident. HIPAA's Breach Notification Rule requires you to notify affected individuals without unreasonable delay and no later than 60 days after discovery; your vendor needs to commit to a notification window short enough to leave you time to do that.
  6. Encryption details. TLS in transit, AES-256 at rest, key management approach. If they can't answer this clearly, walk.
  7. Deletion on request. You can ask them to delete a specific user's data and it actually happens, with confirmation. Test this once before you go live.
  8. Termination clause. When the contract ends, what happens to your data. Returned, deleted, or both, on a defined timeline.

If a vendor can't answer all eight in writing, they're not ready to be a HIPAA business associate. Doesn't matter how good the product is. Move on.

Frequently asked questions

Is ChatGPT HIPAA compliant?

Only ChatGPT Enterprise with a signed Business Associate Agreement (BAA) qualifies as HIPAA-compliant. ChatGPT Free, Plus, Pro, and Team are not HIPAA-compliant because OpenAI does not offer a BAA on those tiers. The standard OpenAI API also does not include a BAA by default; you need the Enterprise/business arrangement to get one.

Can I use ChatGPT Plus or Pro for patient data if I'm careful?

No. Without a BAA, putting Protected Health Information (PHI) into ChatGPT Plus, Pro, or Team is a HIPAA violation regardless of how careful you are. Removing names is not enough. HIPAA defines 18 identifiers, and most clinical context contains several. The fix is a BAA-backed product, not a more careful prompt.
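Why name removal is not enough, as an added example that is not part of the original page: a small Python scan over a constructed clinical note for the Safe Harbor identifier categories that have a mechanical shape. The patterns, the sample note, and the function names are assumptions made for this example, and the scan is intentionally narrow (US formats only, no detection of names or free-text clues), so a clean result here means only that the obvious identifiers are absent, not that the text is de-identified.

```python
import re

# Added example: a minimal Safe Harbor scan (45 CFR 164.514(b)(2)) over
# clinical text. It matches the identifier categories that have a
# recognisable shape; names, photos, biometrics, and "any other unique
# identifying number" are left out on purpose because they need context,
# not a regex. These patterns are assumptions for this example and are
# deliberately narrow (US formats only).
IDENTIFIER_PATTERNS = {
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{5,}\b", re.IGNORECASE),
    # Ages over 89 are themselves an identifier under Safe Harbor.
    "age_over_89": re.compile(r"\b(?:9\d|1\d\d)\s*(?:y/?o|years?\s+old)\b", re.IGNORECASE),
}


def find_identifiers(text: str) -> dict[str, list[str]]:
    """Return every identifier match grouped by category (empty dict if clean)."""
    found = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        matches = [m.group(0) for m in pattern.finditer(text)]
        if matches:
            found[category] = matches
    return found


def is_safe_harbor_clean(text: str) -> bool:
    """True only if none of the mechanically detectable identifiers appear."""
    return not find_identifiers(text)


def strip_names(text: str, names: list[str]) -> str:
    """The 'just remove the name' approach the FAQ warns about."""
    for name in names:
        text = text.replace(name, "[NAME]")
    return text


# Constructed sample note for this example; every value is fictional.
SAMPLE_NOTE = """Patient: Jane Doe, DOB 1931-07-22, MRN: 4471829.
Seen 03/14/2024 for follow-up. 92 y/o female, lives at ZIP 02139.
Callback (617) 555-0134, email jdoe@example.com. SSN on file 123-45-6789."""


if __name__ == "__main__":
    stripped = strip_names(SAMPLE_NOTE, ["Jane Doe"])
    # The name is gone, but seven identifier categories remain, so the
    # text is still PHI and still cannot go into a tool without a BAA.
    for category, values in find_identifiers(stripped).items():
        print(f"{category:12} {values}")
    print("safe to send without a BAA:", is_safe_harbor_clean(stripped))
```

Run as a script, the note with "Jane Doe" replaced still trips the date, phone, email, SSN, ZIP, MRN and age categories, which is the point of the FAQ answer: a careful prompt that drops the name leaves the rest of the 18 identifiers in place. The inverse is not true, so treat a clean result as a necessary check before sending text anywhere, not as proof of de-identification.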

Does ChatGPT Team include a BAA?

No. ChatGPT Team is a small-business plan with admin controls and no training on your data, but OpenAI does not sign a BAA at the Team tier. Team is not HIPAA-eligible. Enterprise is the only ChatGPT tier with a BAA.

How much does ChatGPT Enterprise cost?

OpenAI does not publish ChatGPT Enterprise pricing. It's contact-sales with seat minimums and annual contracts. In practice, most small practices and solo practitioners find it out of reach, which is why BAA-backed alternatives exist.

Is the OpenAI API HIPAA compliant?

The standard OpenAI API tier does not include a BAA. To get a BAA on the API, you need the Enterprise/business arrangement with OpenAI, or you can use Microsoft Azure OpenAI Service, which runs the same models inside your Azure tenant and offers a BAA as part of Microsoft's standard HIPAA-eligible services.

What does the NYT v OpenAI preservation order mean for HIPAA?

A preservation order in the New York Times lawsuit against OpenAI requires OpenAI to retain consumer ChatGPT and standard API logs that would otherwise be deleted on the normal 30-day schedule. ChatGPT Enterprise, and API customers on Zero Data Retention (ZDR) endpoints, are excluded. For HIPAA, this is another reason consumer and standard API tiers are not appropriate for PHI: you cannot honor a deletion request, and retention is no longer in your control.

What's the cheapest way to get HIPAA-compliant AI chat for a solo practice?

BAA-backed alternatives like Private Claude Business, Hathr.AI, BastionGPT, and CompliantChatGPT typically start around $30 to $100 per user per month with a BAA included. That's a fraction of ChatGPT Enterprise and works for solo and small-team practices.

Do I have to use ChatGPT specifically, or will Claude work?

Claude works for the same use cases (clinical notes, documentation, drafting, summaries) and is often stronger on long medical text. You can get Claude with a BAA through Private Claude Business or Anthropic Enterprise. The model brand matters less than whether the vendor will sign a BAA and stand behind it.

Private Claude for regulated teams.

BAA available. Zero data retention. Self-serve or deploy in your VPC. Talk to us about your compliance requirements.
