
Is ChatGPT HIPAA Compliant? (And Claude, Gemini, and Copilot)

Short version: the versions of ChatGPT, Claude, Gemini, and Copilot that most people use are not HIPAA compliant, and putting PHI into them is a reportable disclosure. Every one of these vendors has an enterprise or API tier that can be used on PHI, but only with a signed business associate agreement and the specific configuration that BAA requires.

One correction before the per-model answers, because it changes how you read every vendor's page: software is never "HIPAA compliant" on its own. HHS recognizes no HIPAA certification for anyone. Compliance describes your deployment: the agreements, configuration, and controls around the tool. So the honest answer for each model below has the same shape: which tiers can sit inside a compliant deployment, and which never can.

All four vendor policies below were verified against the vendors' own published documents in June 2026. Policies change; the links are the source of truth.

Is ChatGPT HIPAA compliant?

Consumer ChatGPT: no. Free, Plus, and Pro have no BAA. OpenAI's help center also states it does not offer a BAA for ChatGPT Business. No BAA means no PHI, regardless of how you configure chat history.

Where OpenAI will sign: OpenAI's Healthcare Addendum and BAA defines exactly two eligible services: the Zero Retention API and ChatGPT Enterprise. The fine print matters:

  • API coverage applies only to organizations approved for zero data retention, and only on endpoints eligible for it. Standard API usage is not covered.
  • PHI through third-party GPTs, plugins, and shared links is explicitly excluded.
  • ChatGPT Enterprise (and Edu) BAAs go through sales; API BAAs go through baa@openai.com and are reviewed case by case.

So "is ChatGPT HIPAA compliant" resolves to: the consumer product, never; ChatGPT Enterprise or the zero-retention API, yes, once your BAA is signed and your configuration matches it. Your prompts still process on OpenAI's infrastructure either way, which makes OpenAI a business associate you now manage.

Is Claude HIPAA compliant?

Consumer Claude: no. Anthropic's BAA documentation is explicit that the BAA does not cover Claude Free, Pro, Max, or Team plans, nor the developer Console and Workbench, nor beta features.

Where Anthropic will sign: Anthropic offers BAAs for its HIPAA-ready services: the first-party API (the Messages API with a defined feature subset) and sales-assisted Claude Enterprise plans, where an admin enables HIPAA mode and accepts the BAA in-product. Excluded features stay excluded even under the BAA, and some (like Claude Code) require zero data retention to qualify.

The third path, and the interesting one: Claude also runs on Amazon Bedrock, which is a HIPAA-eligible AWS service. There, the BAA is the one you already hold with AWS, prompts stay inside your AWS account's boundary, and Anthropic never becomes your business associate at all. Same model, shorter chain.

Is Gemini HIPAA compliant?

Consumer Gemini: no. The Gemini app under a personal Google account is outside any BAA, and Google AI Studio, the free developer playground, is not covered either.

Where Google covers it: two separate agreements, and it matters which one you are under.

  • Google Workspace: Gemini in Workspace can be covered by the Workspace BAA on covered business and enterprise editions, configured per Google's HIPAA implementation guide.
  • Google Cloud: the Google Cloud BAA covers Google's infrastructure plus a published list of covered products. As of June 2026 that list includes Gemini Enterprise, Gemini Code Assist, Gemini in BigQuery, and Google's enterprise generative AI platform services. Check the live list before you build; Google has renamed its AI surfaces more than once, and only named products are covered.

Google's own compliance page carries the line worth quoting in your vendor review: there is "no certification recognized by the US HHS for HIPAA compliance," and complying with HIPAA is "a shared responsibility between the customer and Google."

Is Microsoft Copilot HIPAA compliant?

Consumer Copilot: no. Copilot under a personal Microsoft account sits outside the BAA, whatever app it shows up in.

Where Microsoft covers it: Microsoft 365 Copilot and Microsoft 365 Copilot Chat appear on the in-scope services list for Microsoft's HIPAA BAA on commercial enterprise and GCC plans, and the BAA itself is included in the standard Online Services Data Protection Addendum, so most enterprise tenants already have it. Copilot inherits the Microsoft 365 service boundary: prompts and responses stay inside it and are not used to train foundation models, per Microsoft's Copilot privacy documentation.

The API path: Azure OpenAI is Microsoft's BAA-covered route for building on the same model families, inside your own Azure tenant. Microsoft's compliance page also repeats the theme of this whole post: no HHS-approved certification standard exists for HIPAA.

The question is slightly wrong

Notice what actually separated yes from no in every section above. It was never the model. Claude is "not compliant" as a consumer app and fine on Bedrock. The same OpenAI models are off-limits in ChatGPT Plus and workable through a zero-retention API or Azure OpenAI. The model never changed. The deployment did.

So the better question is not "is ChatGPT HIPAA compliant." It is: where does the model run, and who holds the BAA? There are only three clean answers:

  1. The model vendor holds it. Enterprise tiers and covered APIs from OpenAI or Anthropic. Workable, but you have added a new business associate, and the covered configuration is narrower than the product.
  2. Your cloud provider holds it. Bedrock on AWS, Azure OpenAI on Azure, Google's covered services on GCP. Frontier models under agreements you already have, inside a cloud boundary you already audit. For most healthcare teams this is the sweet spot, and we broke down the options in how to run a HIPAA-compliant LLM.
  3. Nobody holds it, because there is no third party. Open-weights models on GPUs you operate. The only fully egress-free answer.

And one step further, because chat is rarely the actual goal: if you want AI answering questions about patient data, the model is one component of several that will touch PHI. The agent runtime, the warehouse, the BI layer, and the query logs all sit in the chain too. An enterprise ChatGPT BAA does not help if the analytics tool feeding it is a SaaS with no BAA of its own. That is the architecture problem we covered in the private AI data analyst: run the whole stack, model endpoint included, inside your environment, and the per-vendor interrogation above mostly disappears. For the full tool-by-tool view, see HIPAA-compliant AI tools.

FAQ

Is ChatGPT HIPAA compliant? The consumer versions (Free, Plus, Pro) are not, and OpenAI offers no BAA for ChatGPT Business either. OpenAI signs BAAs for ChatGPT Enterprise and for API usage restricted to zero-retention endpoints on an approved organization. Without one of those tiers, a signed BAA, and the required configuration, PHI in ChatGPT is an impermissible disclosure.

Is Claude HIPAA compliant? Not on consumer plans. Anthropic's BAA does not cover Claude Free, Pro, Max, or Team. Anthropic signs BAAs for its HIPAA-ready services, which are the first-party API and sales-assisted Claude Enterprise plans. Claude also runs on Amazon Bedrock, where it is covered by your AWS BAA instead of an Anthropic one, since Bedrock is a HIPAA-eligible AWS service.

Is Google Gemini HIPAA compliant? The consumer Gemini app and Google AI Studio are outside any BAA and should never see PHI. Gemini can be used on PHI under Google's Workspace BAA on covered business and enterprise editions, and under the Google Cloud BAA for the Gemini services on Google's published covered-services list. Google itself notes there is no HHS-recognized HIPAA certification and that compliance is shared.

Is Microsoft Copilot HIPAA compliant? Copilot under a personal Microsoft account is not covered. Microsoft 365 Copilot and Copilot Chat on commercial enterprise and GCC plans are in scope for Microsoft's HIPAA BAA, which is part of the standard Online Services Data Protection Addendum. Azure OpenAI is Microsoft's BAA-covered path for API access to the same model families.

Do I need a BAA to use AI on patient data? Yes, whenever a third party processes PHI on your behalf. That includes the AI vendor and any model provider it sends prompts to. The only architecture with no model BAA at all is serving an open-weights model on hardware you operate, and even then, cloud infrastructure holding PHI still needs your cloud provider's BAA.

What matters more than which AI model I pick? Where the model runs and who holds the BAA. The same model can be a compliance violation as a consumer app, acceptable via an enterprise BAA, and clean inside your own cloud through Bedrock or Azure OpenAI. Architecture decides compliance; the model name does not.

If the question behind your question is "can my team use an AI analyst on patient data without a year of vendor review," the answer is the architecture on our private deployment page: the whole stack in your environment, the model on your endpoint, and a BAA we will sign either way. Grab 30 minutes and I'll show you Fi running against a Bedrock endpoint inside a single tenant.
