We've been hosting a series of dinners around the country with healthcare executives. Our central topic of conversation: What is your AI toolkit for greater efficiency?
Invariably, the topic of whether ChatGPT can be used in a HIPAA compliant manner comes up.
This post is about whether ChatGPT is HIPAA compliant.
See related: Industry Dinner in Nashville with Paubox and Steel Patriot Partners
As you're likely aware, ChatGPT is an AI chatbot created by OpenAI that uses large language models to have conversations with users. It was first released in November 2022 and quickly became very popular.
We’ve previously talked about how a business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.
We checked OpenAI's site and found an article called "How can I get a Business Associate Agreement (BAA) with OpenAI for the API Services?"
It says:
"Are all API services covered by the BAA?
No, only endpoints that are eligible for zero retention are covered by the BAA. You can see a list of those endpoints here."
"Can I get a BAA for ChatGPT?
If you're interested in exploring a BAA for ChatGPT Enterprise or Edu, please contact sales. Only ChatGPT Enterprise or Edu customers that have a sales-managed account are eligible for a BAA for ChatGPT at this time. Please note that we don’t offer a BAA for ChatGPT Team."
In a nutshell, OpenAI is open to signing a BAA for ChatGPT, provided you have:
Even then, you'll need to contact their sales department to get the process started.
If you need a BAA for OpenAI API Services, only endpoints that are configured for Zero Data Retention are considered in scope. More info on Zero Data Retention can be found here.
Conclusion: Yes, it’s apparently possible to get a BAA for ChatGPT and use it in a HIPAA compliant manner, though we haven’t found anyone who actually has one.
See also: Industry Dinner with Paubox and Steel Patriot Partners (San Francisco)