In August I wrote a post titled, Can I use ChatGPT and be HIPAA compliant?
We concluded that OpenAI, the creator of ChatGPT, is willing to sign a business associate agreement for HIPAA compliance, although we didn't know of any organization who had one in place for ChatGPT.
Instead, covered entities and business associates we've spoken with got a BAA with OpenAI for use with its API platform instead.
The goal of this post is to explain how to actually get a BAA signed with OpenAI. In our case, the process took us over a month.
According to this help article, you need to do the following to get a BAA signed for ChatGPT:
"If you're interested in exploring a BAA for ChatGPT Enterprise or Edu, please contact sales. Only ChatGPT Enterprise or Edu customers that have a sales-managed account are eligible for a BAA for ChatGPT at this time. Please note that we don’t offer a BAA for ChatGPT Business."
Other than filling out a contact form for their sales department and meeting the aforementioned product requirements, we don't have any useful tips here.
It should be noted that during a series of industry dinners we held around the country in San Francisco, Nashville, and Honolulu, we did not find anyone who had a BAA in place for ChatGPT.
Getting a business associate agreement for the OpenAI API is more straightforward.
According to their help center, it's a matter of sending an email:
"If you require a BAA before you can use our API, email us at baa@openai.com with details about your company and use case.
Our team will respond within 1-2 business days. We review each BAA request on a case-by-case basis and may need additional information. The process is usually completed within a few business days."
Only certain parts of their API platform fall within the scope of the OpenAI BAA. These are specifically the endpoints eligible for zero retention, which can be found here.
In our case, we sent an email to OpenAI on July 18. After some back and forth, our request wasn’t approved and the BAA put in place until August 23.
We also did the following:
In the end, it was the email sent to baa@openai.com that proved successful. As the help center stated :)
If you need a BAA with OpenAI for their API platform, we recommend starting the process now. In our case, it took over a month a get one in place.
The documentation on their site for getting a BAA is accurate- you just need to be patient.
As for getting a BAA for ChatGPT, we assume the documentation is also correct, but we haven’t yet come across an organization that has one.