Based on publicly available information, it is unclear whether ChatGPT is HIPAA compliant. OpenAI does not indicate that it offers a Business Associate Agreement (BAA), which is generally required for handling protected health information (PHI) in a HIPAA-compliant manner.
ChatGPT includes certain security measures, such as encryption and access controls. However, OpenAI does not state in its product materials that ChatGPT is HIPAA compliant, and does not list a Business Associate Agreement among its contractual offerings. In the absence of a BAA, covered entities—such as healthcare providers, insurers, or their business associates—may be unable to use the service to create, receive, maintain, or transmit PHI in a way that satisfies HIPAA requirements.
OpenAI’s published policies also note that user-provided content may be reviewed or used to improve the service. This means that, if PHI were entered into ChatGPT, it could be accessible in ways inconsistent with HIPAA’s privacy rules. Even with strong technical safeguards, HIPAA compliance typically depends on both the technical protections and the contractual commitments outlined in a BAA.