What OpenAI says officially
OpenAI publishes a current list of HIPAAeligible products and functionality . It includes ChatGPT for Healthcare, ChatGPT Enterprise with a Regulated Workspace, ChatGPT FedRAMP, ChatGPT for Clinicians, and certain API configurations. The page distinguishes eligible features from additional functionality that is not covered for PHI use.
OpenAI’s BAA instructions route eligible ChatGPT customers through a managed sales process. The ChatGPT for Healthcare overview describes a healthcare workspace with a BAA, enterprise controls, retention options, and no training on business data.
Those sources support a conditional verdict for the specifically contracted workspace. They do not turn a personal ChatGPT account, an ordinary self-service workspace, or every connector and feature into a PHI-ready service.
What this means for a medical practice
PHI can enter an AI system through prompts, uploaded charts, screenshots, dictated notes, connected drives, copied email, or a custom assistant’s knowledge files. Outputs can repeat or transform that information and may be pasted into another record. The data map needs to cover both directions.
Workspace ownership matters. If a clinician uses a personal login, the practice cannot reliably enforce feature scope, retention, membership, or offboarding. A contracted regulated workspace gives administrators a control surface, but staff still need rules for minimum necessary use, human review, and approved clinical purposes.
The practice should also define which decisions the tool may assist and which require a separate clinical system or direct professional judgment.
This is the same vendor-boundary problem found in a HIPAAconscious medical website . A chatbot or AI form on the public site may add developers, hosting, logging, and integration vendors beyond the ChatGPT contract. Our guide to AI search for medical practices focuses on public discoverability, which should remain separate from clinical prompt data.
How to use it safely
- Work with OpenAI to select a currently eligible ChatGPT offering and confirm the exact functionality the practice needs.
- Execute the BAA and retain the applicable service terms before entering PHI.
- Provision a practice-owned workspace, require managed identities, limit administrators, and remove former users promptly.
- Disable or prohibit features, connectors, actions, and integrations that are not on the eligible-functionality list.
- Define approved use cases and the minimum data needed. Do not use AI output without qualified human review.
- Set retention and deletion controls to the practice’s documented policy and test them.
- Review browsers, endpoint logs, copied outputs, connected storage, and custom applications as separate parts of the flow.
Compliant alternatives
Microsoft 365 provides a broad BAA scope for named productivity services and may be a better location for ordinary documents that do not need AI processing. Google Drive offers managed storage under Google’s Workspace BAA path. Neither alternative should receive PHI through an unreviewed AI add-on.
Recheck OpenAI’s eligible-functionality list whenever the workspace adds a feature, because product access and BAA coverage are separate decisions.
Bottom line
ChatGPT can support a healthcare workflow only through a specifically eligible offering, executed BAA, and covered feature set. Keep PHI out of personal and ordinary workspaces, govern every user and connector, and require human review of outputs.