Is OpenAI (ChatGPT / API) HIPAA compliant?
Conditionally. OpenAI will sign a BAA covering its API Platform and ChatGPT Enterprise/Edu, but the consumer and self-serve ChatGPT tiers are never covered, so putting PHI into those tiers is a HIPAA violation.
Key facts
- BAA available: Conditionally — on specific plans
- What it takes: API Platform (Zero Data Retention-eligible endpoints) and ChatGPT Enterprise/Edu on a sales-managed account, via a signed BAA. ChatGPT Free, Plus, Pro, Team, and self-serve Business are NOT eligible.
- Official source: OpenAI Help Center — How to get a BAA — https://help.openai.com/en/articles/8660679-how-can-i-get-a-business-associate-agreement-baa-with-openai (verified 2026-06)
How to use OpenAI (ChatGPT / API) in a HIPAA-compliant way
- For the API, email baa@openai.com with your company and use case to request and sign a BAA before sending any PHI; the BAA covers only Zero Data Retention-eligible endpoints.
- For ChatGPT, contact OpenAI Sales to obtain a BAA for ChatGPT Enterprise or Edu on a sales-managed account.
- Never use ChatGPT Free, Plus, Pro, Team, or self-serve Business with PHI.
- Restrict to the specific covered endpoints/services named in your executed BAA and disable any out-of-scope features.
- Apply access controls, logging, and your own HIPAA risk assessment around the integration.
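As an added illustration of the last three steps (this code is not OpenAI's and not from this page), a small Python gate that refuses to forward a PHI-bearing request unless the caller holds the integration role, the host and endpoint path are among those named in the executed BAA, and no out-of-scope feature is enabled; the host, paths and feature key are constructed placeholders to replace with the terms of your own BAA, and every PHI decision is written to an audit log.

```python
import logging
from dataclasses import dataclass
from urllib.parse import urlparse

log = logging.getLogger("phi-gate")

@dataclass(frozen=True)
class BaaScope:
    """Scope of one executed BAA; all values below are placeholders."""
    covered_host: str          # API host the BAA covers (hypothetical)
    covered_paths: frozenset   # endpoint paths named as covered
    out_of_scope_keys: frozenset  # body keys that enable uncovered features

@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset

def gate_request(scope, principal, url, body, contains_phi):
    """Return (allowed, reason); every PHI-bearing decision is audit-logged."""
    if not contains_phi:
        return True, "no PHI in request"
    u = urlparse(url)
    enabled = scope.out_of_scope_keys & set(body)
    if "phi-integration" not in principal.roles:
        reason = f"{principal.user} lacks the phi-integration role"
    elif u.scheme != "https" or u.netloc != scope.covered_host:
        reason = f"host {u.netloc!r} is not the BAA-covered API host"
    elif u.path not in scope.covered_paths:
        reason = f"endpoint {u.path} is not named in the executed BAA"
    elif enabled:
        reason = f"out-of-scope feature(s) enabled: {sorted(enabled)}"
    else:
        reason = "in scope"
    allowed = reason == "in scope"
    log.log(logging.INFO if allowed else logging.WARNING,
            "phi request user=%s path=%s allowed=%s reason=%s",
            principal.user, u.path, allowed, reason)
    return allowed, reason

# Constructed sample scope: replace each value with the terms of your own executed BAA.
SCOPE = BaaScope(
    covered_host="api.example-covered-host.invalid",
    covered_paths=frozenset({"/v1/covered-endpoint"}),
    out_of_scope_keys=frozenset({"out_of_scope_feature"}),
)
```

Requests without PHI pass straight through; the gate only constrains the PHI path, which is the one the BAA governs.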
Important caveats
- The API BAA only covers endpoints eligible for Zero Data Retention, not every model or feature.
- Consumer ChatGPT apps look identical to the covered products but carry no BAA; staff must be trained not to paste PHI into them.
- A BAA alone is not compliance; correct configuration and minimum-necessary use are still required.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring OpenAI (ChatGPT / API) correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with OpenAI (ChatGPT / API).
Frequently asked questions
Does OpenAI (ChatGPT / API) sign a BAA?
On specific plans: the API Platform (Zero Data Retention-eligible endpoints) and ChatGPT Enterprise/Edu on a sales-managed account, each under a signed BAA. ChatGPT Free, Plus, Pro, Team, and self-serve Business are NOT eligible. A signed BAA is required before any PHI is involved.
Is OpenAI (ChatGPT / API) HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when OpenAI (ChatGPT / API) offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using OpenAI (ChatGPT / API) with PHI?
Confirm that your plan is eligible (API Platform or ChatGPT Enterprise/Edu on a sales-managed account) and that the BAA is signed before any PHI is sent. Then check scope: the API BAA only covers endpoints eligible for Zero Data Retention, not every model or feature, so restrict your integration to the endpoints named in the executed BAA and disable anything out of scope.