Vendor documentation review

Is ChatGPT HIPAA Compliant? (2026 Verdict)

Conditionally

Only specific HIPAA-eligible ChatGPT offerings and functionality can be covered by an OpenAI BAA; ordinary consumer use is outside that path.

Last verified:

At a glance

BAA available
Yes
Plan required
ChatGPT for Healthcare or another BAA-covered regulated workspace
Configuration required
Contract for an eligible workspace, execute the BAA, restrict features and connectors, and govern prompts, files, outputs, and users.
Category
Ai Tools
Official site
Visit ChatGPT

What OpenAI says officially

OpenAI publishes a current list of HIPAAeligible products and functionality . It includes ChatGPT for Healthcare, ChatGPT Enterprise with a Regulated Workspace, ChatGPT FedRAMP, ChatGPT for Clinicians, and certain API configurations. The page distinguishes eligible features from additional functionality that is not covered for PHI use.

OpenAI’s BAA instructions route eligible ChatGPT customers through a managed sales process. The ChatGPT for Healthcare overview describes a healthcare workspace with a BAA, enterprise controls, retention options, and no training on business data.

Those sources support a conditional verdict for the specifically contracted workspace. They do not turn a personal ChatGPT account, an ordinary self-service workspace, or every connector and feature into a PHI-ready service.

What this means for a medical practice

PHI can enter an AI system through prompts, uploaded charts, screenshots, dictated notes, connected drives, copied email, or a custom assistant’s knowledge files. Outputs can repeat or transform that information and may be pasted into another record. The data map needs to cover both directions.

Workspace ownership matters. If a clinician uses a personal login, the practice cannot reliably enforce feature scope, retention, membership, or offboarding. A contracted regulated workspace gives administrators a control surface, but staff still need rules for minimum necessary use, human review, and approved clinical purposes.

The practice should also define which decisions the tool may assist and which require a separate clinical system or direct professional judgment.

This is the same vendor-boundary problem found in a HIPAAconscious medical website . A chatbot or AI form on the public site may add developers, hosting, logging, and integration vendors beyond the ChatGPT contract. Our guide to AI search for medical practices focuses on public discoverability, which should remain separate from clinical prompt data.

How to use it safely

  1. Work with OpenAI to select a currently eligible ChatGPT offering and confirm the exact functionality the practice needs.
  2. Execute the BAA and retain the applicable service terms before entering PHI.
  3. Provision a practice-owned workspace, require managed identities, limit administrators, and remove former users promptly.
  4. Disable or prohibit features, connectors, actions, and integrations that are not on the eligible-functionality list.
  5. Define approved use cases and the minimum data needed. Do not use AI output without qualified human review.
  6. Set retention and deletion controls to the practice’s documented policy and test them.
  7. Review browsers, endpoint logs, copied outputs, connected storage, and custom applications as separate parts of the flow.

Compliant alternatives

Microsoft 365 provides a broad BAA scope for named productivity services and may be a better location for ordinary documents that do not need AI processing. Google Drive offers managed storage under Google’s Workspace BAA path. Neither alternative should receive PHI through an unreviewed AI add-on.

Recheck OpenAI’s eligible-functionality list whenever the workspace adds a feature, because product access and BAA coverage are separate decisions.

Bottom line

ChatGPT can support a healthcare workflow only through a specifically eligible offering, executed BAA, and covered feature set. Keep PHI out of personal and ordinary workspaces, govern every user and connector, and require human review of outputs.

Frequently asked questions

Does OpenAI offer a BAA for ChatGPT?

Yes, for specific eligible offerings such as ChatGPT for Healthcare and certain regulated workspaces. Eligibility must be confirmed through OpenAI's documented contracting path.

Can staff paste PHI into a personal ChatGPT account?

No. A personal or ordinary consumer account is not the practice's BAA-covered regulated workspace and should not receive PHI.

Does an OpenAI BAA cover every ChatGPT feature?

No. OpenAI publishes an eligible-functionality list and notes that additional features may be unavailable or must not be used with PHI.

HIPAA-friendly alternatives

A practical second look

Not sure what your website and tools are doing with patient data?

Request a done-for-you review.

Request a review