Is ChatGPT HIPAA Compliant? What Healthcare Teams Need to Know in 2026
Short answer: it depends entirely on which version of ChatGPT you use and whether you have a signed Business Associate Agreement (BAA) in place. The consumer ChatGPT that most people log into is not HIPAA compliant, and entering protected health information (PHI) into it is a HIPAA violation. But OpenAI does offer paths — the API and sales-managed ChatGPT Enterprise — that can be used compliantly when configured correctly. This guide explains the difference, what a BAA actually covers, and how to build a safe AI-use policy for your organization.
HIPAA does not “approve” software — it governs how you use it
There is no government list of “HIPAA-certified” AI tools. Under the HIPAA Security Rule and the Privacy Rule, a tool can be used with PHI only when the vendor will sign a BAA agreeing to safeguard that data and accept liability as a business associate. Without a BAA, any service that receives, stores, or processes PHI on your behalf is operating outside HIPAA — regardless of how secure the technology is. So the real question is never “is ChatGPT compliant?” but “will OpenAI sign a BAA for the specific product I’m using, and am I using it the way that BAA requires?”
Which versions of ChatGPT can be used with PHI
As of 2026, OpenAI offers a BAA through two paths, and excludes the rest:
- OpenAI API (eligible): Organizations can request a BAA by emailing baa@openai.com. The BAA covers API endpoints configured for Zero Data Retention (ZDR) — meaning request and response content is not stored, logged, or used to train models. PHI workloads must run through these ZDR-eligible endpoints.
- ChatGPT Enterprise / Edu (eligible, conditionally): Only customers with a sales-managed ChatGPT Enterprise or Edu account are eligible for a BAA. You must contact OpenAI sales — a self-serve upgrade does not qualify.
- ChatGPT Free, Plus, Pro, Team, and self-serve Business (NOT eligible): These tiers cannot have a BAA. Pasting PHI into any of them is a HIPAA violation, full stop.
The practical takeaway: the blue-and-white chat window your staff already use at home is almost certainly one of the ineligible tiers. Compliant use requires deliberate setup — an enterprise contract or API integration with a signed BAA and ZDR configured — not a personal login.
A BAA is necessary, but it is not the whole job
Even with a BAA in place, the HIPAA Security Rule still requires you to do the surrounding work. You need to document the tool in your HIPAA risk assessment, set access controls and minimum-necessary limits on who can send what, train your workforce on what may and may not be entered, and keep the signed BAA in your business-associate inventory. AI tools are a fast-moving category, so this is not a one-time checkbox — it belongs in your ongoing AI governance program, reviewed as vendors change their terms.
The bigger risk: shadow AI
The most common way ChatGPT creates HIPAA exposure isn’t a flawed enterprise deployment — it’s an unmanaged one. Clinicians and staff paste patient notes into a personal account to draft a letter or summarize a chart, with no BAA, no ZDR, and no record that it happened. This “shadow AI” is invisible to compliance until something goes wrong. The fix is a clear, written acceptable-use policy that names which AI tools are approved for PHI, plus inventory and monitoring so unapproved use is caught early. For a broader view of which assistants will and won’t sign a BAA, see our roundup of HIPAA-compliant AI tools.
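The inventory-plus-monitoring check described above, as an added example that is not part of the original article or of any Medcurity tooling: it matches web-proxy log lines against a business-associate inventory and flags ChatGPT or OpenAI API traffic from identities that are not covered by a signed BAA. The log line format, the user names, and the inventory contents are constructed assumptions; only the destination hostnames are real.

```python
import re
from collections import Counter

# Hostnames of the ChatGPT web app and the OpenAI API. Assumption: the proxy
# records these as the destination host field.
CHATGPT_WEB_HOSTS = {"chatgpt.com", "chat.openai.com"}
OPENAI_API_HOSTS = {"api.openai.com"}

# Constructed business-associate inventory: identities covered by a signed BAA.
# Web users must be on the sales-managed Enterprise/Edu account; API callers
# must be the integration's service accounts routed through ZDR endpoints.
BAA_WEB_USERS = {"dr.lee", "rn.patel"}
BAA_API_ACCOUNTS = {"svc-scribe"}

# Constructed proxy line format: "<timestamp> <user> <dest_host> <path>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)$")


def classify_line(line: str):
    """Return (user, host, verdict) for OpenAI traffic, or None otherwise.

    verdict is 'covered' when the identity is in the BAA inventory for that
    destination and 'shadow-ai' when it is not (no BAA, no ZDR, no record).
    """
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    user, host = m["user"], m["host"].lower()
    if host in CHATGPT_WEB_HOSTS:
        verdict = "covered" if user in BAA_WEB_USERS else "shadow-ai"
    elif host in OPENAI_API_HOSTS:
        verdict = "covered" if user in BAA_API_ACCOUNTS else "shadow-ai"
    else:
        return None  # not OpenAI traffic; out of scope for this check
    return user, host, verdict


def shadow_ai_report(lines):
    """Count shadow-AI hits per (user, host) so compliance can follow up."""
    hits = Counter()
    for line in lines:
        result = classify_line(line)
        if result and result[2] == "shadow-ai":
            hits[(result[0], result[1])] += 1
    return dict(hits)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2026-03-02T09:14:07Z dr.lee chatgpt.com /",
    "2026-03-02T09:15:22Z j.doe chatgpt.com /",
    "2026-03-02T09:15:40Z j.doe chatgpt.com /",
    "2026-03-02T09:16:01Z svc-scribe api.openai.com /v1/responses",
    "2026-03-02T09:17:13Z m.khan api.openai.com /v1/responses",
    "2026-03-02T09:18:30Z rn.patel ehr.example.internal /patients/123",
]

if __name__ == "__main__":
    for (user, host), n in shadow_ai_report(SAMPLE_LOG).items():
        print(f"shadow AI: {user} -> {host} ({n} requests)")
```

In practice the inventory sets would be loaded from the BAA tracking system rather than hard-coded, and a hit is a prompt for a workforce conversation and a policy reminder, not proof that PHI was sent.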
How Medcurity helps
Medcurity doesn’t make ChatGPT compliant — no vendor can do that for you. What we do is run the HIPAA compliance program around your AI use: the Security Risk Analysis that documents AI tools as systems handling PHI, BAA tracking so signed agreements don’t fall through the cracks, policy and workforce-training support, and the AI-governance workflow that keeps shadow AI in check. That’s the difference between “we signed a BAA” and “we can prove we use AI safely.”
Frequently asked questions
Can I use the free version of ChatGPT for patient information?
No. ChatGPT Free, Plus, Pro, Team, and self-serve Business are not eligible for a BAA with OpenAI. Entering PHI into any of them is a HIPAA violation. Compliant use requires the OpenAI API or a sales-managed ChatGPT Enterprise/Edu account with a signed BAA.
How do I get a BAA with OpenAI?
For the API, email baa@openai.com with your company and use-case details; OpenAI typically responds within one to two business days, and the BAA covers Zero Data Retention–eligible endpoints. For ChatGPT itself, contact OpenAI sales — only sales-managed Enterprise or Edu accounts qualify.
Does signing a BAA make my AI use automatically HIPAA compliant?
No. A BAA is required, but you must also document the tool in your risk assessment, enforce access controls and minimum-necessary limits, train staff, and monitor for unapproved use. Compliance is the whole program, not a single signature.
What is Zero Data Retention and why does it matter for HIPAA?
Zero Data Retention (ZDR) means OpenAI does not store, log, or train on the content you send through eligible API endpoints. OpenAI’s API BAA applies specifically to ZDR-eligible endpoints, so routing PHI workloads through them is a condition of using the API compliantly.
Ready to put AI governance on a compliant footing? Talk to Medcurity about documenting AI tools in your Security Risk Analysis and BAA inventory.