Is ChatGPT HIPAA compliant? Not by itself, and neither is any other AI tool, because HIPAA compliance is not a property a product can have. It is a property of how a covered entity uses the product: the agreements in place, the controls around access and disclosure, and the records the institution keeps. There is also no such thing as certified HIPAA compliant AI, because HIPAA has no product certification at all. The useful question for healthcare teams is narrower: under what conditions can protected health information (PHI) touch a given tool, and does our actual use meet the obligations we already carry.
HIPAA certification does not exist, for ChatGPT or anything else
The Department of Health and Human Services is direct about this: no standard in the HIPAA rules requires or provides for a certification of compliance, and OCR does not endorse or certify any product as HIPAA compliant. HHS states it plainly in its own compliance FAQ. Any seal or badge that reads “HIPAA certified” is a marketing artifact, not a regulatory status.
What a product can honestly offer is support for compliance: it can sign a business associate agreement, implement the Security Rule safeguards on its side, and give your institution the controls and records it needs. Whether the use is compliant is decided by what your institution does with it.
Compliance is something an institution does, not something a product is. A business associate agreement is necessary before PHI touches an AI provider. It is never sufficient on its own.
Consumer ChatGPT: no BAA, so PHI cannot go in
Under HIPAA, an outside organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a business associate, and PHI cannot be disclosed to one without a signed business associate agreement. OpenAI does not offer a BAA for consumer ChatGPT accounts, free or paid. Typing patient information into one is therefore a disclosure of PHI to a party with no contractual duty to safeguard it, which is exactly the kind of event breach-notification obligations exist for.
Careful wording does not fix this. De-identification under HIPAA is a defined standard, not a judgment call, and removing a name while leaving dates, record numbers, and clinical detail rarely meets it. If a prompt is about a real patient, treat it as PHI.
What a business associate agreement changes on enterprise and API tiers
As of mid-2026, OpenAI offers a BAA for its API on eligible endpoints and for sales-managed ChatGPT Enterprise and Edu plans; consumer accounts and the ChatGPT Business tier are not eligible, per OpenAI’s help center. Other major providers offer equivalent agreements on their enterprise and API tiers, with similar boundaries: the consumer product is out, the managed product is in, and coverage is spelled out per service. Check the current terms before relying on them, because eligibility changes.
| Tier | BAA available | What that means for PHI |
|---|---|---|
| ChatGPT Free and Plus | No | PHI cannot go in, full stop |
| ChatGPT Business | No, as of mid-2026 | PHI cannot go in |
| ChatGPT Enterprise and Edu (sales managed) | By request | PHI only after the BAA is signed and your own controls hold |
| OpenAI API (eligible endpoints) | By request | Same: BAA plus your own controls |
A signed BAA changes the contractual posture. The provider accepts legal obligations for safeguarding PHI, and your institution gains a defined counterparty if something goes wrong. What a BAA does not do is make your usage compliant. That part stays with you.
The obligations the institution still owns
The Privacy Rule and Security Rule assign duties to the covered entity that no agreement can transfer away. Four of them decide most AI cases:
- Minimum necessary. 45 CFR 164.502(b) requires reasonable efforts to limit PHI to the minimum necessary for the purpose. Pasting a full chart into an AI tool to draft a two-line summary fails that test even under a signed BAA.
- Access control. 45 CFR 164.312(a) requires technical policies that limit access to electronic PHI to authorized people and programs. That now includes who can reach the sanctioned AI deployment and the PHI inside it.
- Audit controls. 45 CFR 164.312(b) requires mechanisms that “record and examine activity in information systems that contain or use electronic protected health information.” If staff send PHI to AI tools and you cannot produce a record of that activity, you have an audit-controls gap regardless of the BAA.
- Workforce behavior. Training, a sanctions policy, and what people actually do at the keyboard. The BAA binds the provider. It does not bind your staff.
The gap: the BAA covers one tool, staff use dozens
Here is where an AI program in healthcare quietly fails. The BAA covers the sanctioned deployment. Meanwhile clinicians and staff reach for browser assistants, note summarizers, transcription tools, and whatever launched last month: PHI AI tools your institution has no agreement with, no approval for, and often no visibility into. This is shadow AI, and in a HIPAA context every one of those tools is a consumer-grade endpoint with no BAA.
A policy memo that names the sanctioned tool and forbids the rest is necessary, but a memo does not stop a paste. The exposure happens at the device, in the seconds between writing a prompt and sending it.
What a defensible posture looks like
- Decide before data leaves. Enforce policy at the device, at the moment a request is sent, so PHI is redacted or the request is blocked before it reaches any provider, sanctioned or not. A decision made after transmission is a report, not a control.
- Keep evidence of what was sent where. A record of which tool was used, by whom, what data crossed, and what policy did about it. That is what audit controls ask for, and it is the first thing an investigator or your own privacy officer will request after an incident.
- Put sanctioned and unsanctioned tools under one policy. If control exists only inside the sanctioned product, everything outside it is ungoverned by definition.
- Keep the paper current. A BAA on file for the covered tiers, terms reviewed when the provider changes them, and training that matches what enforcement actually does.
Where Verillian fits
Verillian is runtime governance and evidence for regulated AI, built for HIPAA-regulated environments. A sentinel on each device intercepts requests from any AI tool or agent that reaches a provider and enforces your policy at the moment of execution: PHI is redacted or the request is blocked before it leaves the device. Detection is best-effort, not a guarantee that every value is caught, and the decision happens before transmission rather than after.
Every captured interaction is signed on the device and hash-chained into a tamper-evident record the institution holds under its own keys, with retention designed to align with HIPAA’s six-year documentation requirement. Sanctioned and unsanctioned tools live under one policy, so the BAA-covered deployment and everything around it produce the same evidence. Governance is a meeting; enforcement is what Verillian does. See how this maps to healthcare and other regulated sectors.