Is ChatGPT HIPAA Compliant? What You Need to Know About PHI and BAAs
ChatGPT Standard Service Limitations
Consumer ChatGPT plans (Free, Plus, Go, Pro) are not designed for HIPAA-regulated workflows. By default, OpenAI may use content from consumer plans to improve its models unless you opt out in Data Controls, and no BAA is available for these plans, so do not enter Protected Health Information (PHI) in them. ([help.openai.com](https://help.openai.com/en/articles/7039943?utm_source=openai))
OpenAI does not offer a Business Associate Agreement (BAA) for ChatGPT Business. BAAs for ChatGPT are limited to eligible, sales-managed ChatGPT Enterprise or Edu accounts and are evaluated case by case. ([help.openai.com](https://help.openai.com/en/articles/8660679-how-can-i-get-a-business-associate?utm_source=openai))
Some capabilities are explicitly out of HIPAA scope. For example, Web Search is not HIPAA‑eligible and is not covered by a BAA, so any workflow that handles PHI should have it disabled rather than merely avoided by convention. ([platform.openai.com](https://platform.openai.com/docs/models/how-we-use-your-data/?utm_source=openai))
ChatGPT Enterprise HIPAA Compliance
ChatGPT Enterprise can support HIPAA‑compliant use when your organization has an executed BAA and runs a regulated configuration that disables the features not suitable for PHI (for example, a “ChatGPT Regulated Workspace”). In this setup, OpenAI does not train models on your business data by default, and conversations are encrypted in transit and at rest. ([cdn.openai.com](https://cdn.openai.com/osa/chatgpt-regulated-workspace.pdf?utm_source=openai))
OpenAI’s Healthcare Addendum identifies “Eligible Services” for HIPAA use—including ChatGPT Enterprise and the Zero‑Retention API—so PHI handling remains within the contracted scope. Work with OpenAI Sales to obtain a BAA for eligible Enterprise/Edu deployments. ([cdn.openai.com](https://cdn.openai.com/osa/healthcare-addendum.pdf?utm_source=openai))
ChatGPT Health Overview
ChatGPT Health is a consumer feature focused on personal wellness. HIPAA governs covered entities and their business associates, not consumer health products, so it does not apply to ChatGPT Health; health data in this space is encrypted at rest, and Health chats, files, and memories are not used to train foundation models by default. ([help.openai.com](https://help.openai.com/en/articles/20001036-what-is-chatgpt-health?utm_source=openai))
You can optionally connect sources like medical records and Apple Health; Health keeps these conversations and data separate from your main chats and adds layered safeguards beyond standard ChatGPT protections. For HIPAA‑regulated use in clinical settings, OpenAI offers ChatGPT for Healthcare rather than ChatGPT Health. ([openai.com](https://openai.com/index/introducing-chatgpt-health//?utm_source=openai))
Business Associate Agreements
A BAA must be in place before any PHI is sent to OpenAI’s API services. Only specific zero‑retention‑eligible endpoints are covered under the BAA, and OpenAI evaluates each request individually; contact baa@openai.com to begin the process. ([help.openai.com](https://help.openai.com/en/articles/8660679-how-can-i-get-a-business-associate?utm_source=openai))
For ChatGPT itself, BAAs are available only to eligible, sales‑managed ChatGPT Enterprise or Edu customers; OpenAI does not offer a BAA for ChatGPT Business. The Healthcare Addendum defines the “Eligible Services” (such as ChatGPT Enterprise and the Zero‑Retention API) within which PHI may be processed. ([help.openai.com](https://help.openai.com/en/articles/8660679-how-can-i-get-a-business-associate?utm_source=openai))
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Data Privacy Measures
For business offerings—including ChatGPT Enterprise and ChatGPT for Healthcare—OpenAI does not use your organization’s inputs or outputs to train models by default. Your data is encrypted in transit (TLS 1.2+) and at rest (e.g., AES‑256), with options like Enterprise Key Management (EKM), retention controls, and data residency to support AI healthcare compliance. ([openai.com](https://openai.com/index/business-data))
Administrators can configure retention periods, and API customers can request zero data retention for eligible endpoints. These controls help you align PHI safeguards with your internal retention policy and the HIPAA Security Rule’s technical safeguard requirements. ([platform.openai.com](https://platform.openai.com/docs/models/how-we-use-your-data/?utm_source=openai))
Data Security Concerns
OpenAI cites regular third‑party penetration testing, independent audits, and a 24/7 security operations posture across its infrastructure. Business services also align with standards like SOC 2 Type 2 and CSA STAR to reinforce healthcare data encryption and access control expectations. ([openai.com](https://openai.com/index/business-data))
Risk‑manage features that fall outside BAA scope. Web Search is not HIPAA‑eligible, and GPTs or connected apps may send inputs to third‑party services under their own terms; do not route PHI through them unless a contract explicitly covers those flows. ([platform.openai.com](https://platform.openai.com/docs/models/how-we-use-your-data/?utm_source=openai))
Regulatory and Legal Considerations
HIPAA compliance depends on your role (covered entity or business associate), your lawful basis to use or disclose PHI, and your implementation of safeguards under the HIPAA Privacy Rule and HIPAA Security Rule. A BAA with OpenAI does not by itself make your workflows compliant: you must use only eligible services, disable out‑of‑scope features, enforce access controls, and train your workforce. ([cdn.openai.com](https://cdn.openai.com/osa/healthcare-addendum.pdf?utm_source=openai))
Outside HIPAA, consumer features like ChatGPT Health may implicate state consumer health data laws (for example, Washington’s My Health My Data Act and Nevada’s Consumer Health Data Privacy law), which OpenAI addresses in its Health Privacy Notice. Your legal team should review these overlays when designing patient‑facing experiences. ([openai.com](https://openai.com/policies/health-privacy-policy/?utm_source=openai))
Summary
- Consumer ChatGPT and ChatGPT Health are not for PHI; HIPAA does not apply to them and no BAA is available for them.
- HIPAA‑eligible use requires an executed BAA and eligible services (e.g., ChatGPT Enterprise in a regulated workspace or the Zero‑Retention API).
- OpenAI’s business offerings default to no training on your data, with encryption, retention, and residency controls to support compliance.
- Disable or avoid features outside BAA scope (e.g., Web Search, third‑party apps) when handling PHI.
FAQs
Is ChatGPT Enterprise covered under HIPAA?
It can be. ChatGPT Enterprise supports HIPAA‑compliant use when your organization signs a BAA with OpenAI and uses a HIPAA‑eligible, regulated configuration that disables non‑supported features for PHI. The Healthcare Addendum identifies ChatGPT Enterprise as an Eligible Service for HIPAA use. ([cdn.openai.com](https://cdn.openai.com/osa/chatgpt-regulated-workspace.pdf?utm_source=openai))
Can healthcare providers use ChatGPT with patient data?
Yes, if they use eligible products covered by a BAA and apply appropriate safeguards. Options include ChatGPT for Healthcare (an enterprise deployment with governance controls) or the OpenAI API with zero‑retention endpoints. Do not use consumer ChatGPT or ChatGPT Health for PHI, and avoid Web Search or third‑party apps unless those flows are contractually covered. ([help.openai.com](https://help.openai.com/pt-pt/articles/20001046-chatgpt-for-healthcare?utm_source=openai))
What protections does a BAA provide?
A BAA contractually obligates both parties to safeguard PHI and limits use and disclosure to defined purposes. OpenAI’s Healthcare Addendum and BAA specify HIPAA‑eligible services (e.g., ChatGPT Enterprise, Zero‑Retention API) and the technical/operational controls that apply to PHI processed through those services. ([cdn.openai.com](https://cdn.openai.com/osa/healthcare-addendum.pdf?utm_source=openai))
Is ChatGPT Health fully HIPAA compliant?
No. ChatGPT Health is a consumer wellness feature, so HIPAA does not apply. Data is encrypted and Health chats, files, and memories are not used to train foundation models by default, but organizations needing HIPAA support should use ChatGPT for Healthcare with a BAA. ([help.openai.com](https://help.openai.com/en/articles/20001036-what-is-chatgpt-health?utm_source=openai))