Is ChatGPT HIPAA Compliant for Medical Clinics?
What small clinics must know about ChatGPT's BAA availability, consumer versus enterprise tiers, training data use, and the compliance risk of staff using AI tools with patient information.
Short answer
ChatGPT is not HIPAA compliant on consumer plans. Consumer ChatGPT accounts, including ChatGPT Free, Plus, and Team, have no BAA available and no HIPAA coverage. OpenAI offers a BAA through ChatGPT Enterprise and qualifying API enterprise agreements, which change the data handling terms and provide contractual coverage; these must be negotiated directly with OpenAI's sales team. Without an Enterprise agreement, any clinic staff member entering PHI into ChatGPT, including through free or Plus accounts, is creating an unprotected disclosure that is a reportable exposure. This is one of the most common unacknowledged compliance risks in small clinic operations today. Even with an Enterprise BAA, the clinic must configure data controls and understand what the agreement does and does not cover.
BAA availability
OpenAI provides a HIPAA-eligible Business Associate Agreement through ChatGPT Enterprise and through qualifying API enterprise agreements. The following plans have no BAA path:
- ChatGPT Free
- ChatGPT Plus
- ChatGPT Team
The Enterprise plan requires direct engagement with OpenAI’s sales team. Pricing is not published on OpenAI’s website. The BAA covers the ChatGPT Enterprise product and the specific API usage covered under the enterprise agreement; it does not automatically extend to all OpenAI products or to consumer API usage.
The training data risk on consumer tiers
Consumer ChatGPT accounts (Free and Plus) include a setting that allows users to opt out of model training. However, the default behavior, and therefore the behavior for staff who have not reviewed their account settings, is that prompts may be used for training. A patient’s name, diagnosis, or treatment detail entered into a free ChatGPT session is potentially being processed by OpenAI’s systems in ways the clinic cannot audit or retrieve.
ChatGPT Enterprise’s data terms are different: OpenAI states that Enterprise prompt data is not used for training by default. Confirm the current terms in OpenAI’s Enterprise Privacy documentation before relying on this for compliance purposes.
What the Enterprise BAA covers and does not cover
Assuming the clinic has executed a ChatGPT Enterprise BAA, the agreement covers the ChatGPT Enterprise service. It does not:
- Cover personal OpenAI accounts staff may use at home or on personal devices
- Cover third-party applications built on the OpenAI API unless those vendors have their own BAA with you
- Eliminate the clinic’s responsibility to provide workforce training and maintain an AI use policy
- Remove the need for a risk assessment of AI use in patient-adjacent workflows
Staff use of consumer AI is an active risk
The most common real-world compliance problem with ChatGPT at small clinics is not enterprise deployment — it is staff members using their personal or free-tier ChatGPT accounts for work tasks. Drafting patient correspondence, summarizing visit notes, or generating prior authorization letters through a consumer account exposes PHI without any contractual protection.
Addressing this requires:
- A written workforce policy that prohibits use of non-approved AI tools for any task involving patient information
- Training at onboarding and annually thereafter
- A process for approving new AI tools before staff adoption
What not to enter into ChatGPT even with an Enterprise BAA
Even under a compliant Enterprise deployment, certain practices carry risk:
- Do not enter patient names combined with diagnoses, treatment plans, or test results unless the workflow requires it and access controls are in place
- Do not store ChatGPT outputs containing PHI outside of a HIPAA-covered system
- Do not allow staff to copy ChatGPT-generated text into external systems without verifying those systems are also BAA-covered
When AI tools require a broader compliance program
For similar analyses of competing AI tools, see the companion pages: Is Claude HIPAA compliant?, Is Anthropic HIPAA compliant?, Is Perplexity HIPAA compliant?, and Is DeepSeek HIPAA compliant?
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.