Is ChatGPT HIPAA Compliant? What Clinics Need to Know Before Staff Use It
TLDR
No, not for most users. ChatGPT Free, Plus, and Team plans do not include a BAA from OpenAI. Only ChatGPT Enterprise and the OpenAI API are BAA-eligible, and even there the agreement has to be executed before any PHI is sent. Pasting patient information into a standard ChatGPT account is a disclosure of PHI to a vendor with no BAA, which HIPAA does not permit, regardless of whether the user has opted out of data training.
The short answer
No — not on the plans most people use.
ChatGPT Free, Plus, and Team do not include a BAA, and OpenAI will not sign one for those plans. Any patient information typed into a standard ChatGPT account is therefore PHI leaving your practice for a vendor that has no contractual obligation to safeguard it, which is an impermissible disclosure under HIPAA.
The only paths to a ChatGPT BAA are ChatGPT Enterprise (custom pricing, direct sales) or the OpenAI API (developer access, which means building your own interface). In both cases the BAA is something you request and sign; being on an eligible plan is not the same as having one in place.
What opting out of training actually does
ChatGPT lets users turn off chat history and opt out of having conversations used to train future models. This is useful for general privacy. It is not HIPAA compliance.
A BAA is a signed legal contract that defines how a vendor may use and disclose PHI, what safeguards it must maintain, what it must do in the event of a breach, and what your rights are as a covered entity. The training opt-out addresses exactly one thing, whether your text is used to train models; it says nothing about where the data is stored, who at the vendor can access it, how long it is retained, or who is notified if it leaks. A settings toggle in a consumer app carries none of those obligations. OpenAI has been explicit that these settings do not make Free or Plus plans HIPAA compliant.
The PHI risk problem in clinics
The problem is not that staff intend to violate HIPAA. The problem is that ChatGPT is genuinely useful for drafting prior authorization letters, summarizing clinical notes, writing referral correspondence, and answering insurance coding questions. Staff find it and start using it — with real patient data — before anyone has thought through the compliance implications.
A front-office coordinator drafts a prior auth letter by pasting a patient's name, diagnosis, and treatment plan into ChatGPT Plus. That conversation is now outside any BAA. If it comes to light, it has to be assessed as a potential breach, with the notification obligations to the patient and to HHS that follow from that.
This is accelerating. AI tool adoption in healthcare is growing faster than compliance policies can keep up with, and most staff reach for their personal free accounts first.
Who can use ChatGPT with PHI
ChatGPT Enterprise is a reasonable path for large health systems that want GPT-4 capabilities, have an IT team to manage the rollout, and can negotiate directly with OpenAI. The per-seat cost is higher than Plus and requires a multi-seat contract.
For developers, the OpenAI API with a signed BAA lets engineering teams build HIPAA-compliant clinical tools on top of GPT models. This requires infrastructure work; it is not a plug-and-play solution for a 10-person medical practice. In either case the BAA covers OpenAI's obligations, not yours: access control, audit logging, and limiting what staff send to the minimum necessary remain the practice's responsibility.
Who should look elsewhere
Small clinics that need AI drafting capabilities for clinical correspondence have better options than negotiating an enterprise contract with OpenAI.
Microsoft's Azure OpenAI Service is covered by Microsoft's existing HIPAA BAA for Azure. What you need is an Azure subscription under Microsoft's standard enterprise terms; being on Microsoft 365 makes the relationship familiar but does not by itself grant Azure access. Google's Vertex AI, including Gemini models, is covered by Google Cloud's HIPAA BAA, which is accepted for a Google Cloud project and is separate from the Google Workspace BAA. In both cases the BAA covers the service only when it is used as documented; configuring access, logging, and data retention correctly is still on you.
For practices that need HIPAA-compliant task management and workflow tooling without the AI complexity, PHIGuard starts at $20/month flat for up to 10 staff. We built PHIGuard after seeing how many small clinics were managing patient-adjacent tasks in tools with no BAA at all. Every PHIGuard tier includes a BAA, no sales call required.
Definitions
Business Associate Agreement (BAA): A contract required by HIPAA between your practice and any vendor that creates, receives, maintains, or transmits protected health information on its behalf. OpenAI provides BAAs only for ChatGPT Enterprise and API customers, not for Free, Plus, or Team plans.
ChatGPT Enterprise: OpenAI's top-tier paid offering for organizations. It includes a BAA, excludes your data from model training by default, and adds admin controls. Access requires a direct sales conversation with OpenAI; there is no self-serve sign-up.
Frequently asked questions
Is ChatGPT HIPAA compliant?
ChatGPT is not HIPAA compliant on Free, Plus, or Team plans. Only ChatGPT Enterprise and the OpenAI API include BAA eligibility. Most clinic staff use personal Free or Plus accounts, which have no BAA, so sending PHI to them is an impermissible disclosure.
Does turning off chat history make ChatGPT HIPAA compliant?
No. Disabling chat history or opting out of training in ChatGPT settings does not create a BAA. HIPAA requires a signed Business Associate Agreement with the vendor; a settings preference is not a legal substitute.
What plan do I need for ChatGPT to be HIPAA compliant?
ChatGPT Enterprise is the only ChatGPT plan that includes a BAA. It requires a custom sales engagement with OpenAI and has no public pricing. The OpenAI API is an alternative for developers who want to build HIPAA-compliant workflows using GPT models, and it also requires a signed BAA.