Is OpenAI HIPAA Compliant? Current Status, BAAs, and Secure Alternatives
OpenAI's HIPAA Compliance Overview
Short answer: OpenAI supports HIPAA‑compliant use, but only on the right product tier, with a signed Business Associate Agreement (BAA), and in a HIPAA‑secure deployment that protects Protected Health Information (PHI). As of February 19, 2026, there are two main paths: ChatGPT for Healthcare (a secure enterprise workspace) and the OpenAI API (for healthcare API integrations) with zero data retention enabled on eligible endpoints.
Consumer ChatGPT (Free/Plus) and standard Business workspaces are not covered by a BAA and must not be used with PHI. For regulated scenarios, OpenAI’s enterprise offerings provide guardrails such as “no training on your data,” auditability, Role-Based Access Control (RBAC), SAML SSO/SCIM, data retention controls, and data residency options. Under HIPAA’s shared responsibility model, your organization remains responsible for end‑to‑end safeguards and healthcare data privacy: the vendor’s controls cover its platform, not your configuration, users, or integrations.
Business Associate Agreements (BAAs)
OpenAI signs BAAs for two categories: (1) the OpenAI API for healthcare workloads and (2) eligible ChatGPT enterprise offerings. For the API, BAAs cover only endpoints that qualify for zero retention. For ChatGPT, BAAs are available to sales‑managed Enterprise/Edu accounts and to ChatGPT for Healthcare customers. ChatGPT Business is not eligible for a BAA.
How the BAA process typically works
- Scope your use of PHI (who, what, where) and map data flows and retention needs.
- Confirm your API endpoints are zero‑retention eligible or use ChatGPT for Healthcare with a workspace‑level BAA.
- Request a BAA from OpenAI (API) or work with sales (ChatGPT Enterprise/Edu or Healthcare). Approval is case‑by‑case.
- Finalize Regulated Workspace Configuration and policies (access control, retention, DLP, incident response).
- Validate controls through testing and document your HIPAA Secure Deployment posture.
ChatGPT for Healthcare Deployment
ChatGPT for Healthcare provides a secure workspace designed to support HIPAA compliance. It adds healthcare‑tuned models and clinical search with transparent citations, while keeping PHI under your control. Content shared with ChatGPT for Healthcare is not used to train OpenAI models.
Deployment blueprint
- Sign the BAA for ChatGPT for Healthcare and define permitted PHI use cases.
- Enable SAML SSO and SCIM; enforce RBAC, IP allowlisting, and group‑based permissions.
- Turn on audit logs and Compliance APIs to feed your SIEM/eDiscovery/DLP.
- Set data retention policies, disable unnecessary features, and restrict external apps.
- Choose data residency (and where eligible, inference residency) to meet Data Residency Compliance needs.
- Optionally use customer‑managed encryption keys (EKM) and enable Lockdown Mode for stricter data egress control.
- Pilot with de‑identified data, then phase in PHI once safeguards are validated and monitored.
Data Residency and Regional Compliance
OpenAI offers data residency for ChatGPT Enterprise/Edu and the API, allowing you to keep customer content at rest in specific regions. Supported regions commonly include the United States, Europe (EEA + Switzerland), United Kingdom, Canada, Japan, South Korea, Singapore, Australia, India, and the United Arab Emirates. Residency applies to customer content; some operational metadata may be processed outside region.
Inference residency keeps GPU execution in‑region for supported locations. It is available in the United States and is expanding to additional regions (for some customers, Europe is available). For HIPAA programs that require strict locality, combine data residency, inference residency (where offered), and tight controls on connectors that could move data cross‑border.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Azure OpenAI Service HIPAA Coverage
If you prefer a Microsoft‑anchored path, Azure OpenAI Service is HIPAA‑eligible under Microsoft’s BAA (incorporated by reference in the Product Terms and the Data Protection Addendum, DPA) when you have eligible licensing. Compliance still depends on configuration: deploy in covered regions, restrict network paths (VNets and private endpoints), enforce Microsoft Entra ID authentication and RBAC, and review logs. Azure OpenAI does not train on customer prompts by default, and platform diagnostics exclude prompt content, so the remaining leak path is your own code: keep prompt and completion content containing PHI out of application‑layer logs.
Architecture tips for HIPAA Secure Deployment on Azure
- Use private networking, managed identities, and Conditional Access to isolate PHI.
- Choose HIPAA‑eligible models and avoid preview features or modalities not explicitly covered.
- Enable Azure Monitor/Sentinel for audit trails; validate that logs don’t capture PHI.
- Consider customer‑managed keys in Azure Key Vault for encryption at rest.
- Document shared responsibilities and periodically test disaster recovery and access reviews.
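The Azure tips above (and the same concern on any OpenAI integration) come down to one engineering rule: prompt and completion content must never land in your own logs, and you should be able to prove it. The block below is an added example, not code from OpenAI, Microsoft, or Accountable, showing what a practitioner would actually ship: a metadata‑only log record, a logging filter as a backstop, and an audit scan that validates existing log lines as the checklist asks. The request/response dictionary shapes, the PHI regexes, the HMAC correlation key, and the placeholder model and request ids are all assumptions constructed for illustration.

```python
"""Keep PHI out of application logs around an LLM call.

Added example, not OpenAI's, Microsoft's, or Accountable's code. The request and
response dictionaries mirror a generic chat-completion shape; the PHI regexes are
coarse, constructed detectors that you would tune to your own record formats.
"""
import hashlib
import hmac
import json
import logging
import re

# Constructed, deliberately coarse detectors for common PHI-shaped strings.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}
# Constructed key. A keyed digest lets responders correlate one prompt across log
# entries without the text ever being stored; load it from a secret store for real.
CORRELATION_KEY = b"replace-me-with-a-managed-secret"


def prompt_fingerprint(text: str) -> str:
    """Short keyed digest of the prompt: joinable across logs, not reversible."""
    return hmac.new(CORRELATION_KEY, text.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def find_phi(text: str) -> dict:
    """Map category -> matches for every PHI-shaped string in text; {} means clean."""
    return {name: pat.findall(text) for name, pat in PHI_PATTERNS.items() if pat.search(text)}


def safe_log_record(request: dict, response: dict) -> dict:
    """The only thing the application writes about a call: metadata, never content."""
    messages = request.get("messages", [])
    prompt_text = "\n".join(str(m.get("content", "")) for m in messages)
    usage = response.get("usage", {})
    choices = response.get("choices") or [{}]
    return {
        "event": "llm_call",
        "request_id": response.get("id"),
        "model": request.get("model"),
        "message_count": len(messages),
        "prompt_chars": len(prompt_text),
        "prompt_fingerprint": prompt_fingerprint(prompt_text),
        "prompt_tokens": usage.get("prompt_tokens"),
        "completion_tokens": usage.get("completion_tokens"),
        "finish_reason": choices[0].get("finish_reason"),
    }


class PhiGuardFilter(logging.Filter):
    """Backstop on the logger: drop records whose rendered message still looks
    like PHI, and count the drops so they can be alerted on."""

    def __init__(self) -> None:
        super().__init__()
        self.dropped = 0

    def filter(self, record: logging.LogRecord) -> bool:
        if find_phi(record.getMessage()):
            self.dropped += 1
            return False
        return True


def filter_messages(messages) -> list:
    """Run rendered messages through PhiGuardFilter; return those that would be logged."""
    guard, kept = PhiGuardFilter(), []
    for msg in messages:
        record = logging.LogRecord("llm", logging.INFO, "app.py", 0, msg, None, None)
        if guard.filter(record):
            kept.append(msg)
    return kept


def audit_log_lines(lines) -> list:
    """Scan emitted log lines (file, SIEM export, CI fixture) and return
    (line_number, categories) for every line carrying PHI-shaped data."""
    return [(n, sorted(hits)) for n, line in enumerate(lines, 1) if (hits := find_phi(line))]


# Constructed sample traffic: a clinical prompt that obviously contains PHI.
SAMPLE_REQUEST = {
    "model": "model-name-placeholder",
    "messages": [{"role": "user", "content": "Summarize the chart for Jane Doe, MRN 00123456, "
                                             "DOB 03/14/1961, SSN 123-45-6789, jane@example.com."}],
}
SAMPLE_RESPONSE = {
    "id": "request-id-placeholder",
    "usage": {"prompt_tokens": 41, "completion_tokens": 87},
    "choices": [{"finish_reason": "stop"}],
}


def compare_logging_styles() -> dict:
    """Naive 'dump the whole request' logging versus the metadata-only record."""
    naive_line = json.dumps(SAMPLE_REQUEST)
    safe_line = json.dumps(safe_log_record(SAMPLE_REQUEST, SAMPLE_RESPONSE))
    return {"naive_leaks": audit_log_lines([naive_line]), "safe_leaks": audit_log_lines([safe_line])}


if __name__ == "__main__":
    print(compare_logging_styles())
    print(filter_messages(["call ok, 128 tokens", "patient SSN 123-45-6789"]))
```

Run on the constructed sample, the naive line is flagged for four PHI categories while the metadata‑only record is clean. The design point is ordering: the record shape is the control, because content is never put into it; the logger filter is only a backstop for stray debug statements; and the audit scan is what turns “validate that logs don’t capture PHI” into a repeatable check you can run over real log exports in CI or on a schedule, rather than a one‑time review.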
ChatGPT Regulated Workspace Features
In regulated environments, your ChatGPT Enterprise/Edu or ChatGPT for Healthcare workspace can be configured to meet stringent controls without sacrificing usability. Core capabilities include:
- “No training on your data” by default for business tiers, plus data retention controls.
- SAML SSO, SCIM provisioning, RBAC, IP allowlisting, and domain verification.
- Compliance APIs and audit logs for eDiscovery, DLP, and SIEM integration.
- Data residency (and inference residency where eligible) to localize storage and processing.
- Enterprise Key Management (customer‑managed encryption keys) to control cryptographic custody.
- Lockdown Mode to constrain access to external systems and reduce data egress risk.
Regulated Workspace Configuration checklist
- Restrict external apps/connectors; allow only vetted integrations.
- Set least‑privilege roles; segregate clinical users from builders/admins.
- Apply content retention policies aligned to HIPAA and organizational policy.
- Enable compliance feeds; archive and supervise high‑risk user groups.
- Train users on PHI handling; test with red‑team exercises and periodic audits.
Third-Party HIPAA Compliance Partnerships
OpenAI provides enterprise compliance integrations to help you meet regulatory archiving, supervision, and DLP requirements. Through Compliance APIs and the Compliance Logs Platform, organizations can connect to established providers for policy enforcement, audit trails, and eDiscovery/records management. Common integrations include Microsoft Purview, Global Relay, Netskope, Forcepoint, and Palo Alto Networks.
Conclusion
OpenAI can be part of a HIPAA Secure Deployment when you select the right product tier, sign an appropriate BAA, and implement strict technical and administrative safeguards. For PHI workflows, use ChatGPT for Healthcare or the API with zero‑retention endpoints, combine residency and encryption controls, and integrate auditing and DLP. If you need Microsoft‑anchored assurances, Azure OpenAI’s HIPAA coverage is a proven alternative with strong enterprise controls.
FAQs
Does OpenAI provide a HIPAA-compliant API?
Yes—OpenAI offers a HIPAA‑supporting API path when you sign a BAA and use only zero‑retention eligible endpoints. Coverage is endpoint‑specific, and some features or modalities may be out of scope. You must also implement appropriate access, logging, and retention controls to satisfy HIPAA.
How do I obtain a BAA from OpenAI?
For the API, request a BAA by contacting OpenAI with your company details and healthcare use case; approvals are case‑by‑case. For ChatGPT, BAAs are available for sales‑managed Enterprise/Edu customers and for ChatGPT for Healthcare. ChatGPT Business is not eligible.
Is ChatGPT for Healthcare HIPAA compliant out of the box?
It is designed to support HIPAA‑compliant use, but compliance is not automatic. You must finalize a BAA, configure the workspace (RBAC, SSO/SCIM, retention, Lockdown Mode as needed), establish data residency/inference residency where required, and integrate auditing and DLP before using PHI.
What are the data residency options for HIPAA compliance?
For ChatGPT Enterprise/Edu and eligible API customers, OpenAI provides at‑rest data residency in regions such as the United States, Europe (EEA + Switzerland), United Kingdom, Canada, Japan, South Korea, Singapore, Australia, India, and the UAE. Inference residency keeps GPU execution in‑region for supported locations (available in the U.S. and expanding). Always align residency choices with your HIPAA and Data Residency Compliance requirements.