HIPAA-Compliant AI Tools in 2026: What Qualifies, What Does Not, and the Architecture That Works

Start with the fact that saves you the most time: there is no such thing as a HIPAA-certified AI tool. Not from OpenAI, not from Google, not from us, not from anyone. HHS does not endorse or recognize any HIPAA certification, and says so directly. Microsoft's compliance docs say the same thing: no certification standard exists that HHS approves. So does Google's.
Any vendor with a "HIPAA certified" badge on its pricing page is telling you something about its marketing, not its compliance.
What exists instead is a set of requirements your deployment has to meet, with the vendor covering part and you covering the rest. This page walks through what those requirements actually are for AI on PHI, why most AI tools fail them, and the architecture that passes a security review without a year of exceptions.
What HIPAA actually requires when AI touches PHI
HIPAA does not mention AI. It regulates protected health information: who can hold it, what they owe you when they do, and what happens when it leaks. Run patient data through an AI tool and four requirements do the real work.
1. An unbroken BAA chain. Every party that creates, receives, maintains, or transmits PHI on your behalf is a business associate and needs a signed business associate agreement. This chains: if your AI vendor sends prompts to a model provider, that provider is a subcontractor and needs equivalent terms. One link missing anywhere in the path, and every PHI-bearing request through that path is an impermissible disclosure. Most AI tool evaluations die right here, because the chain behind a SaaS AI product is longer than the vendor's security page admits.
2. Minimum necessary. You disclose the least PHI needed for the purpose. For analytics this has a sharp edge: an AI analyst with access to your whole warehouse sees whatever its queries return. You need row and column controls that scope what the AI can read, not a policy document saying it should behave.
3. Security Rule safeguards, including audit trails. The Security Rule requires access controls, encryption, and audit controls: mechanisms that record activity in systems containing PHI. For AI, that means you can answer "who asked what, when, and what did the model return" for every interaction. Consumer chat history is not an audit trail. If the tool cannot produce these logs, it cannot live in a covered workflow.
4. Shared responsibility, always. No vendor can make you HIPAA compliant. A vendor that signs a BAA covers its side: safeguards on its infrastructure, breach notification, subcontractor terms. Your side never goes away: workforce training, access policies, minimum necessary, risk analysis, and using the covered service in the covered configuration. Both AWS and Google put this in writing. Treat any "we make you compliant" pitch as a red flag.
Why generic AI tools fail these requirements
The pattern repeats across nearly every AI tool a clinician or analyst will try this year.
No BAA at the tier people actually use. The free and pro tiers of ChatGPT, Claude, Gemini, and Copilot have no BAA. Full stop. Pasting a patient note into a consumer chatbot is a reportable disclosure, and it happens in hospitals every day.
Training and retention defaults. Consumer AI products may retain conversations and may use them to improve models, depending on tier and settings. PHI in a training corpus is a disclosure you cannot un-make. Enterprise tiers fix this contractually, which is exactly why the BAA paperwork matters more than the model.
Your data leaves your boundary. Even with a BAA, a hosted AI tool processes PHI on the vendor's infrastructure. That is a new third party in your risk register, a new vendor review, a new breach surface. Sometimes that trade is worth it. It is never free.
Wrappers add links to the chain. A "HIPAA-compliant ChatGPT" wrapper sits between you and the model provider, so now two vendors touch your PHI, and the wrapper's BAA is only as good as its subcontractor agreement upstream. Some are diligent. All of them make the chain longer.
No audit trail. Most AI tools log for their own debugging, not for your compliance. If you cannot export per-user, per-query activity, your auditor finds the gap before your vendor does.
The honest BAA table
Here is where the major AI tools actually stand, verified against each vendor's own published policies in June 2026. The per-model detail, with sources, is in Is ChatGPT HIPAA compliant? (and Claude, Gemini, Copilot).
| Tool | Consumer tier on PHI | BAA path | Where PHI is processed |
|---|---|---|---|
| ChatGPT (OpenAI) | Never (no BAA on Free, Plus, or Business) | ChatGPT Enterprise, or zero-retention API endpoints, BAA from OpenAI | OpenAI's infrastructure |
| Claude (Anthropic) | Never (no BAA on Free, Pro, Max, or Team) | Claude Enterprise or first-party API with BAA; also via Bedrock under your AWS BAA | Anthropic's infrastructure, or your cloud account via Bedrock |
| Gemini (Google) | Never (consumer app and AI Studio are outside any BAA) | Workspace BAA for Gemini in Workspace; Google Cloud BAA for listed Gemini services | Google's infrastructure, inside your Workspace or Cloud agreements |
| Copilot (Microsoft) | Never (personal accounts are outside the BAA) | Microsoft 365 Copilot is in scope for the Microsoft BAA on enterprise SKUs | Microsoft 365 service boundary |
| Amazon Bedrock | n/a (API service) | HIPAA-eligible under your existing AWS BAA | Your AWS account's cloud boundary |
| Azure OpenAI | n/a (API service) | In scope for the Microsoft BAA via the Online Services DPA | Your Azure tenant's cloud boundary |
| Definite | n/a (analytics platform) | Signs a HIPAA BAA, for Definite Cloud and self-hosted deployments | Your environment when self-hosted; PHI never reaches us |
Notice the shape of the last three rows. The cleanest BAA chains are the ones where the model endpoint sits under an agreement you already hold with your cloud provider, or where the tool runs inside your environment entirely. That is not an accident.
The architecture that works
For AI analytics on PHI, the pattern that passes security review looks like this:
- The whole stack runs inside your environment. Connectors, the lakehouse, the BI layer, and the AI analyst deploy into your cloud account or your data center. PHI never transits a new vendor's infrastructure, so there is no new business associate for the data plane. Your existing compliance boundary, the one you have already documented and audited, stays the boundary.
- The model endpoint is one you control. The AI analyst calls Amazon Bedrock, Azure OpenAI, or Google's covered Gemini services inside your own cloud account, under the BAA you already have with that cloud provider. Bedrock is on AWS's HIPAA-eligible list; Azure OpenAI is in scope for Microsoft's BAA; Google publishes its covered services list. For zero-egress requirements, serve an open-weights model on your own GPUs and no model provider exists in the chain at all. The full breakdown of these options is in how to run a HIPAA-compliant LLM.
- Governance is built in, not bolted on. Per-user access controls scope what the AI can query (minimum necessary, enforced). Every question, every generated query, and every answer is logged (audit controls, satisfied). A semantic layer keeps the AI's answers tied to governed definitions instead of guesses, which matters for accuracy long after it matters for compliance.
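As an added illustration of the two enforced controls above (minimum necessary and audit trails), not Definite's code or Fi's implementation, here is a hypothetical Python gate that restricts an AI analyst's column request to a per-user scope, always appends the scope's row filter, and writes one audit record per attempt; it uses sqlite3 with constructed sample data as a stand-in for the lakehouse, and the `SCOPES` table and `encounters` schema are assumptions.

```python
import hashlib
import sqlite3
from datetime import datetime, timezone

# Constructed sample data standing in for a PHI-bearing lakehouse table.
SAMPLE_ROWS = [
    ("E1", "P100", "cardiology", 4, "MRN-001"),
    ("E2", "P101", "oncology", 7, "MRN-002"),
    ("E3", "P102", "cardiology", 2, "MRN-003"),
]

# Hypothetical per-user scope: columns the AI may read on this user's behalf,
# plus a row predicate that is always appended. Minimum necessary lives here,
# as an enforced control, not as a policy the model is asked to follow.
SCOPES = {
    "analyst_cardio": {
        "columns": {"department", "length_of_stay"},
        "row_filter": "department = 'cardiology'",
    },
}


def open_db():
    """In-memory sqlite3 as a stand-in for the governed warehouse."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE encounters(encounter_id, patient_id, "
                "department, length_of_stay, mrn)")
    con.executemany("INSERT INTO encounters VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    return con


def scoped_query(con, user, columns, audit_log):
    """Run the AI analyst's column request for `user`, or refuse it; every
    attempt appends one record: who asked, when, what ran, what came back."""
    ts = datetime.now(timezone.utc).isoformat()
    scope = SCOPES.get(user)
    allowed = scope["columns"] if scope else set()
    excess = sorted(set(columns) - allowed)
    if scope is None or excess or not columns:
        audit_log.append({"ts": ts, "user": user, "requested": list(columns),
                          "outcome": "denied"})
        raise PermissionError(f"{user} may not read {excess or list(columns)}")
    # Columns passed the allow-list check, so they are safe to interpolate;
    # the row filter comes from the scope, never from the model.
    sql = (f"SELECT {', '.join(columns)} FROM encounters "
           f"WHERE {scope['row_filter']}")
    rows = con.execute(sql).fetchall()
    # Log a digest of the result so the audit log is not itself a PHI store.
    digest = hashlib.sha256(repr(rows).encode()).hexdigest()
    audit_log.append({"ts": ts, "user": user, "sql": sql, "rows": len(rows),
                      "result_sha256": digest, "outcome": "allowed"})
    return rows
```

The denied branch is logged on purpose: an attempt to read `mrn` outside the user's scope is exactly the event an auditor wants to see recorded.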
This is the same architecture we laid out in the private AI data analyst, applied to healthcare's hardest constraint. The short version: instead of moving PHI to the intelligence, move the intelligence to the PHI.
Where Definite stands
Honest position, the same one we give compliance officers on calls:
- Definite is not HIPAA certified, and neither is anything else. See above.
- Definite holds a SOC 2 Type II attestation. Report and security documentation are at trust.definite.app.
- Definite signs HIPAA BAAs, including for Definite Cloud. If you want the managed product on PHI, we will hold up our end as a business associate.
- Self-hosted is the cleanest boundary. Definite's private deployment puts the entire stack (connectors, DuckDB and DuckLake lakehouse, BI, semantic layer, and Fi, the AI analyst) inside your environment, with the model served from your Bedrock, Azure OpenAI, or Google endpoint, or a self-hosted model on your GPUs. PHI never reaches Definite, which means the vendor-review conversation gets very short.
- Compliance stays shared. A BAA from us, or anyone, covers the vendor side. Your policies, training, access controls, and risk analysis remain yours.
We wrote up the broader deployment philosophy in the self-hostable data stack; the healthcare case is the strongest version of it.
FAQ
Which AI tools are HIPAA compliant? None, strictly speaking. HIPAA compliance applies to organizations and deployments, not software. The real question is which AI tools can be used in a compliant deployment: the enterprise and API tiers of OpenAI, Anthropic, Google, and Microsoft (each with a signed BAA and the right configuration), cloud model endpoints like Amazon Bedrock and Azure OpenAI under your cloud BAA, and self-hosted platforms that keep PHI inside your own environment.
Is there such a thing as HIPAA-certified AI? No. There is no HIPAA certification for any software, AI or otherwise. HHS does not endorse or recognize any certification of HIPAA compliance. Any vendor claiming its product is "HIPAA certified" is describing something that does not exist. Look for a signed BAA and documented safeguards instead.
Does signing a BAA make an AI tool HIPAA compliant? No. A BAA is necessary, not sufficient. HIPAA is a shared responsibility: the vendor commits to safeguards on its side, and your organization is still responsible for access controls, minimum necessary use, workforce training, audit trails, and using only the covered services in the covered configuration.
Can I make ChatGPT HIPAA compliant? Not the consumer product. ChatGPT Free, Plus, and Business have no BAA and should never touch PHI. OpenAI signs BAAs for ChatGPT Enterprise and for API usage on zero-retention endpoints. The cleaner path for most healthcare teams is running models through a cloud endpoint you control, like Amazon Bedrock or Azure OpenAI, under the BAA you already have with your cloud provider.
Can AI analytics run on PHI without violating HIPAA? Yes, if the architecture is right. The safest pattern keeps the whole analytics stack, including the AI analyst, inside your own environment, with the model served from an endpoint covered by your cloud BAA or self-hosted on your own GPUs. PHI never reaches a new third party, so your existing compliance boundary stays the boundary.
If your team wants AI on patient data and your compliance officer wants to keep their weekends, the private deployment page has the architecture, or grab 30 minutes and I'll walk you through the full stack running inside a single tenant, BAA chain and all.