Your staff is already using ChatGPT. That is not a guess. That is what happens at every healthcare organization right now.
Someone in billing uses it to draft appeal letters. A nurse uses it to summarize discharge instructions. An admin pastes in a case note to clean up the language. It feels harmless. It is fast. And nobody has told them not to.
That is the problem.
AI carries real HIPAA risk when it interacts with patient information. The risk is not hypothetical. It comes from specific behaviors that already exist in your organization. These behaviors develop when there isn't any policy in place.
This post covers what you need to know: BAAs, PHI in AI prompts, and how to build the right policy for your staff.
The Short Answer: Is ChatGPT HIPAA Compliant?
For the free tier and the standard paid tier (ChatGPT Plus), the answer is no.
OpenAI does not offer a Business Associate Agreement for those products. Without a BAA, putting PHI into them is an impermissible disclosure. It's that simple.
Under HIPAA, any vendor that receives PHI in the course of the work it does for a covered entity (CE) is a business associate (BA).
Before sharing PHI with a vendor, you need a signed BAA in place. Without one, you are in for a bad time.
The free version of ChatGPT uses conversation data to train future models by default. Even setting the BAA question aside, that is not an acceptable data handling arrangement for PHI.
What About ChatGPT Enterprise and the API?
This is where it gets more nuanced.
OpenAI does offer BAAs for ChatGPT Enterprise customers and for organizations using the OpenAI API. If you have a signed BAA with OpenAI under one of these arrangements, you have cleared the first hurdle.
A BAA alone doesn't make a company HIPAA compliant. The BAA is a contract. It shifts some liability and documents the relationship. Configuration is a large factor in your compliance.
Some questions to ask before treating Enterprise as 'HIPAA-ready':
- Is your data used for model training? (Under Enterprise, the default is no - verify this in your agreement.)
- Who in your organization has access to the account?
- Is access logged and auditable?
- What data retention policies apply?
- How does it fit into your existing ePHI access controls?
If you cannot answer those questions, you are not ready to use Enterprise AI for PHI-related tasks. Consult an attorney before finalizing any arrangement, especially where AI tools will touch patient data.
What Counts as PHI in an AI Prompt?
This is the question most organizations get wrong, and it is where most of the real risk lives.
Staff think of PHI as a medical record or a lab result. Something formal. Something that looks like a file. So when they paste a case summary into ChatGPT, they do not think of it as a PHI disclosure. They think of it as a writing task.
But PHI is broader than most people realize. Under HIPAA, PHI is any individually identifiable health information. Names, dates, geo-data, phone numbers, email addresses, account numbers, and more all qualify.
A prompt like this is PHI:
"Can you help me write a follow-up note? It is for a 67-year-old male patient seen on April 14 in our downtown clinic for Type 2 diabetes management. His A1C was 8.2."
The patient is not named, but the disclosure can still be identifiable depending on context, and it contains health information tied to age, date, and location. That is the kind of detail that can qualify as PHI.
The same logic that applies to de-identification requirements applies here. Information is not safe because a name is absent. If the combination of details can identify a patient, it is PHI and it requires protection.
Common PHI that ends up in AI prompts:
- Patient names embedded in draft letters or notes
- Diagnosis or treatment details tied to age, date, or location
- Insurance or billing information pasted for formatting help
- Appointment details that include identifiers
- Case descriptions meant to be anonymous that still contain enough detail to identify a patient in context
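As an added illustration (not code from the original post), here is a small pre-submission screen for the identifier categories listed above. It applies the post's logic that quasi-identifiers such as age, date and location become identifying in combination with health details; the patterns, thresholds and the sample prompt are constructed heuristics for illustration, not a de-identification standard.

```python
import re

# Constructed sample prompt, modelled on the post's example: no name, but age, date,
# location and diagnosis together (constructed input, not a real patient).
SAMPLE_PROMPT = ("Can you help me write a follow-up note? It is for a 67-year-old male patient "
                 "seen on April 14 in our downtown clinic for Type 2 diabetes management. "
                 "His A1C was 8.2.")

MONTHS = (r"(?:January|February|March|April|May|June|July|August|September|October|"
          r"November|December|Jan|Feb|Mar|Apr|Jun|Jul|Aug|Sept|Sep|Oct|Nov|Dec)")

# Hypothetical pattern set for a pre-submission screen. These cover the identifier
# categories the post lists, written as heuristics; they are not a de-identification method.
DIRECT = {  # direct identifiers: any hit blocks the prompt on its own
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "account_number": re.compile(r"\b(?:MRN|account|acct|claim|member|policy)\s*(?:#|no\.?|number)?\s*[:#]?\s*\d{5,}\b", re.I),
}
QUASI = {  # quasi-identifiers: identifying in combination with each other and health details
    "age": re.compile(r"\b\d{1,3}[- ]year[- ]old\b", re.I),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|" + MONTHS + r"\.?\s+\d{1,2}(?:,?\s+\d{4})?)\b", re.I),
    "location": re.compile(r"\b(?:\d{5}(?:-\d{4})?|\w+ (?:clinic|hospital|medical center|campus))\b", re.I),
}
HEALTH = re.compile(r"\b(?:patient|diagnos\w*|diabet\w*|a1c|medication\w*|treatment|discharge\w*|visit|appointment|claim|insurance)\b", re.I)


def screen_prompt(text: str):
    """Return (verdict, hits). Verdict is 'block', 'review' or 'allow'."""
    hits = {name: pat.findall(text) for name, pat in {**DIRECT, **QUASI}.items()}
    hits = {name: found for name, found in hits.items() if found}
    has_health = HEALTH.search(text) is not None
    direct_hits = DIRECT.keys() & hits.keys()
    quasi_hits = QUASI.keys() & hits.keys()
    if direct_hits:
        verdict = "block"        # a phone, email or account number is PHI by itself
    elif has_health and len(quasi_hits) >= 2:
        verdict = "block"        # the "no name, still identifiable" case from the post
    elif has_health and quasi_hits:
        verdict = "review"       # one quasi-identifier plus health detail: ask a human
    else:
        verdict = "allow"
    return verdict, hits


if __name__ == "__main__":
    # prints: block {'age': ['67-year-old'], 'date': ['April 14'], 'location': ['downtown clinic']}
    print(*screen_prompt(SAMPLE_PROMPT))
```

A screen like this belongs in front of an approved tool as a guardrail, not as a substitute for the policy and training the post describes; it will miss identifiers it has no pattern for.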
The Real Risk: Copy-Paste Behavior
The biggest HIPAA risk with AI tools is not a technical exploit. It is copy-paste.
Staff paste from EHRs, from email threads, from billing systems. They do it fast and without thinking. They focus on their task, not on what is in the clipboard.
This is especially common with:
- Clinical documentation - "Help me clean up this note"
- Prior authorization letters - "Make this more persuasive"
- Patient communication drafts - "Rewrite this with more simplicity"
- Billing appeal letters - "I need help appealing this denied claim."
- Incident summaries - "Summarize what happened for the report"
In every one of these scenarios, the staff member may paste raw PHI into tools. Tools with no BAA, no access controls, and no audit trail. That is a potential violation each time it happens.
The problem compounds because AI tools are useful. Staff who discover a shortcut do not stop using it. They tell coworkers. The behavior spreads. By the time leadership finds out, dozens of staff members may have learned a habit that is hard to unwind.
How to Build an AI Acceptable Use Policy for Healthcare
You need a written policy before you can manage this risk. A verbal directive is not enough. Staff need clear, written rules they can follow and that you can enforce.
Your AI acceptable use policy should cover:
1. Which Tools Are Okay
Name permitted tools. If a tool is not on the approved list, staff should not be using it for work tasks. This stops someone from finding a program and using it without checking for a BAA or whether the tool is suitable for healthcare at all.
2. What Data Is Off-Limits
Be explicit. Do not say "do not enter sensitive information." Say what's prohibited:
- Patient names
- Dates of service or birth
- Diagnoses, medications, or treatment details
- Insurance or billing information
- Any content copied from the EHR, patient portal, or clinical systems
The more specific you are, the fewer interpretations staff can make in the moment.
3. What AI Can Be Used For
Give staff a positive list, not a negative one. Approved uses might include:
- Drafting general policy or procedure language (with no patient data)
- Summarizing non-clinical administrative topics
- Writing staff communications, job postings, or training outlines
- Grammar and clarity edits on documents that contain no PHI
If staff know what they can do, they are less likely to improvise in ways that create risk.
4. Approval Process for New Tools
Any AI tool a staff member wants to use for work needs to go through a review process before use. That review checks whether a BAA is available, what data the tool stores, and how the tool fits into existing HIPAA controls.
5. Sanctions
This policy needs teeth. An AI acceptable use policy should be subject to the same sanctions as other violations. Staff need to know this is a real rule with real consequences, not a suggestion.
What to Tell Staff
Policy language is for documentation. What you actually say to staff has to be simpler.
Here is a usable framework for talking to your team:
The one-sentence rule: If it has anything to do with a patient, do not put it in ChatGPT or any AI tool.
When in doubt: If you are not sure whether something counts as patient information, assume it does. Do not paste it!
Approved tools are on the list: If the tool is not on the approved list, do not use it for work tasks. Period.
What to do instead: If you want to use an AI tool for a task, ask your supervisor or compliance contact first. They will check on approval and what the rules are.
Staff are not trying to cause problems. Most of them do not know that pasting a clinical note into a free chatbot is a HIPAA concern. Clear, plain-language guidance matters more than long policy documents most people never read.
This is a topic that should be part of an ongoing HIPAA privacy program, not a one-time announcement. AI will be a recurring conversation, which is why it needs to be backed up by written policy and real training.
The Encryption and Data Handling Side
If you move forward with Enterprise or API vendors, make sure they sign a BAA. From there, data handling still deserves review.
Questions to work through with your vendor and your IT or security team:
- Is data encrypted in transit and at rest? See our breakdown of HIPAA encryption requirements for what the standard looks like.
- Where is data stored geographically?
- How long does the vendor retain conversation data?
- Who can access your organization's data on the vendor side?
- How does the vendor handle a breach involving your data?
These are not hypothetical questions. They are the same questions you should be asking every business associate. The fact that the vendor is a well-known tech company does not reduce your obligation to vet them with care.
Where This Fits in Your HIPAA Program
AI tools are a new surface for an old problem: workforce behavior that creates PHI disclosure risk.
The same program elements that address other workforce risks apply here. Written policies. Staff training with real examples. Sanctions for violations. Periodic review as tools and behaviors change.
The difference is pace. AI tools spread through organizations fast because they are useful, free or cheap, and usually need no IT team to deploy. The policy and training have to get ahead of the behavior, not chase it.
If your organization does not have an AI acceptable use policy in place yet, that gap belongs on your to-do list. A HIPAA risk assessment should identify this as a current exposure, not a future concern.
Bottom Line
- ChatGPT free and Plus tiers are not HIPAA compliant. No BAA is available. Do not use them with any patient information.
- ChatGPT Enterprise and the API can include a BAA, but a BAA alone is not compliance. Configuration, access controls, and staff behavior all matter.
- The biggest risk is copy-paste. Staff paste PHI into free AI tools without realizing it is a problem.
- You need a written AI acceptable use policy that names approved tools, prohibits specific data types, and includes sanctions.
- Train staff with plain language. The one-sentence rule covers most situations: if it involves a patient, do not put it in an unapproved AI tool.
- Consult your attorney before using any AI tool in workflows that touch PHI. This post is information, not legal advice.
Need help building an AI acceptable use policy? Or getting your workforce trained on new HIPAA risks?
One Guy Consulting works with healthcare organizations to build practical compliance programs.
FAQ
Is ChatGPT HIPAA compliant for healthcare use?
Not by default. The free and Plus tiers do not come with a Business Associate Agreement. Without a BAA, you cannot use those products in workflows that involve PHI. ChatGPT Enterprise and the API can include a BAA, but configuration and policy still need to be documented.
What is a Business Associate Agreement and why does it matter?
A BAA is a contract required under HIPAA when you share PHI with a vendor. The vendor promises to protect the data and follow HIPAA requirements. If no BAA exists, sharing PHI with that vendor is a HIPAA violation regardless of whether any harm occurs.
What if my staff removes patient names before using ChatGPT?
Removing a name does not de-identify PHI. If details like dates, diagnoses, locations, or other identifiers can identify a patient, the information is still PHI. The same standard that applies to formal de-identification applies here.
Can I use AI tools for administrative tasks that do not involve patient data?
Yes. Drafting policies, writing job descriptions, building training materials, and other tasks that involve no PHI are lower-risk uses. The issue arises when any patient information enters the conversation.
Do I need a lawyer to set up an AI acceptable use policy?
That depends on your organization's situation. For arrangements involving PHI and AI vendors, consulting an attorney is a good idea. For internal policy about how staff use AI, your compliance officer can usually handle it, perhaps with some guidance. When in doubt, ask your attorney.
Related Reading
- HIPAA Privacy Rule Requirements: The foundation for understanding what PHI is and how disclosure rules work
- HIPAA De-Identification Requirements: What actually makes data de-identified under HIPAA - and why "I removed the name" often is not enough
- ePHI Access Control Best Practices: How to control who can reach sensitive data across your systems
- HIPAA Encryption Requirements 2026: What the current standard looks like for data at rest and in transit
- HIPAA Risk Assessment Template Guide: How to identify and document exposures like AI tool use in your risk program