Can I use ChatGPT and be HIPAA compliant?

We've been hosting a series of dinners around the country with healthcare executives. Our central topic of conversation: What is your AI toolkit for greater efficiency?

Invariably, the question of whether ChatGPT can be used in a HIPAA compliant manner comes up.

This post looks at that question: whether, and under what conditions, ChatGPT can be used in a HIPAA compliant manner.

See related: Industry Dinner in Nashville with Paubox and Steel Patriot Partners

About ChatGPT 

As you're likely aware, ChatGPT is an AI chatbot created by OpenAI that uses large language models to have conversations with users. It was first released in November 2022 and quickly became very popular.

ChatGPT, OpenAI, and the business associate agreement

We’ve previously talked about how a business associate agreement (BAA) is a written contract between a covered entity and a business associate. HIPAA requires one whenever a vendor creates, receives, maintains, or transmits protected health information (PHI) on a covered entity's behalf, so a vendor that will not sign a BAA cannot be given PHI.

We checked OpenAI's site and found an article called, "How can I get a Business Associate Agreement (BAA) with OpenAI for the API Services?"

It says:

  • "If you require a BAA before you can use our API, email us at baa@openai.com with details about your company and use case."
  • "Are all API services covered by the BAA?

    No, only endpoints that are eligible for zero retention are covered by the BAA. You can see a list of those endpoints here."

  • "Can I get a BAA for ChatGPT?

    If you're interested in exploring a BAA for ChatGPT Enterprise or Edu, please contact sales. Only ChatGPT Enterprise or Edu customers that have a sales-managed account are eligible for a BAA for ChatGPT at this time. Please note that we don’t offer a BAA for ChatGPT Team."

Does ChatGPT offer HIPAA compliant service?

In a nutshell, OpenAI is open to signing a BAA for ChatGPT, provided you have:

  • A sales-managed account on the Enterprise or Edu tier

Even then, you'll need to contact their sales department to get the process started. Self-serve plans (Free, Plus, and Team) are not eligible, so PHI should not be entered into ChatGPT under those plans.

If you need a BAA for the OpenAI API services, only endpoints that are eligible for Zero Data Retention are in scope; calls to any other endpoint fall outside the BAA. More info on Zero Data Retention can be found on OpenAI's site.

Keep in mind that a signed BAA is necessary but not sufficient. HIPAA compliance is a property of how your organization uses the service, not of the product itself: you still need to include the tool in your risk analysis, restrict which workflows are allowed to send PHI to it, and control and monitor who has access to the account.

Conclusion: Yes, it’s apparently possible to get a BAA for ChatGPT and use it in a HIPAA compliant manner, though we haven’t found anyone who actually has one.

See also: Industry Dinner with Paubox and Steel Patriot Partners (San Francisco)
