Is Anthropic (Claude) HIPAA compliant?
Conditionally. Anthropic signs a BAA covering its first-party API and HIPAA-ready Claude Enterprise plans, but consumer and team tiers, Console/Workbench, and beta features are excluded.
Key facts
- BAA available: Conditionally — on specific plans
- What it takes: First-party API (with sales enablement) and HIPAA-ready Claude Enterprise (admin must enable HIPAA and accept the BAA). Free, Pro, Max, Team, Workbench/Console, and beta features are NOT covered.
- Official source: Anthropic Privacy Center — BAA for Commercial Customers — https://privacy.claude.com/en/articles/8114513-business-associate-agreements-baa-for-commercial-customers (verified 2026-06)
How to use Anthropic (Claude) in a HIPAA-compliant way
- For Claude Enterprise, have an administrator enable HIPAA in admin settings under Data & Privacy and accept Anthropic's click-to-accept BAA.
- For the first-party API, sign the BAA and contact Anthropic Sales to have HIPAA-ready use enabled before sending PHI.
- Confirm you are only using BAA-covered models and features, and avoid Console/Workbench, Free/Pro/Max/Team, and beta features for PHI.
- Apply your own access controls, audit logging, and minimum-necessary practices around the integration.
Important caveats
- Standard Enterprise plans are NOT BAA-covered until an admin explicitly enables HIPAA and accepts the BAA.
- Console/Workbench and beta features are excluded even for otherwise-eligible orgs.
- Only specific covered models fall under the BAA; verify the current covered-model list.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Anthropic (Claude) correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Anthropic (Claude).
Frequently asked questions
Does Anthropic (Claude) sign a BAA?
On specific plans: the first-party API (with sales enablement) and HIPAA-ready Claude Enterprise (an admin must enable HIPAA and accept the BAA). Free, Pro, Max, Team, Workbench/Console, and beta features are NOT covered. A signed BAA is required before any PHI is involved.
Is Anthropic (Claude) HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Anthropic (Claude) offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Anthropic (Claude) with PHI?
Standard Enterprise plans are NOT BAA-covered until an admin explicitly enables HIPAA and accepts the BAA.