Before any AI tool touches protected health information (PHI), one question decides whether you can use it at all: will the vendor sign a business associate agreement (BAA)?
For healthcare developers, the answer is better than it was a year ago. Most major AI providers now sign a BAA. Each one puts it behind a particular plan, setting, or request, and a signed BAA on its own does not make your application HIPAA compliant.
This guide covers which providers sign, how to turn the BAA on for each, and the part of your stack a provider BAA never touches.
What a BAA does, and what it leaves to you
A BAA is the contract that lets a covered entity or business associate hand PHI to a vendor and hold that vendor to HIPAA's rules. Without one, sending PHI into a tool is a violation by itself.
Signing a BAA is the first requirement, not the finish line. Every provider that signs one still puts the day-to-day work back on you: minimum necessary access, audit logging, encryption, and breach procedures stay your responsibility.
AWS calls this the shared responsibility model, and every other provider describes some version of it. So "the vendor signed a BAA" and "our app is HIPAA compliant" describe two different things, and any tool that blurs them is overselling. You can read the government's own summary of what a BAA has to contain on the HHS business associate guidance page.
Which AI providers will sign a BAA
The table below reflects the major providers as of mid-2026. Terms change often, so confirm the current agreement with each vendor before you rely on it.
| Provider | Signs a BAA? | What it takes |
|---|---|---|
| Anthropic (Claude API) | Yes, with conditions | The account owner signs the BAA and asks Anthropic to enable PHI. Some features stay out of scope. |
| Anthropic (Claude for Work) | Enterprise only | Turn on HIPAA in the Enterprise plan. Free, Pro, and Max are excluded. |
| OpenAI (API platform) | Yes | Request one from OpenAI. Available without an enterprise contract. |
| OpenAI (ChatGPT) | Enterprise and Edu only | ChatGPT Business does not qualify. |
| Amazon Bedrock | Yes | Accept the AWS addendum in AWS Artifact. Free, any account. |
| Google Cloud (Vertex AI) | Yes, with conditions | Accept the Google Cloud BAA. Generally available services only. |
| Google Workspace (Gemini) | Yes, with conditions | An admin accepts the amendment. Covers included functionality only. |
| Microsoft Azure OpenAI | Yes | Covered under Microsoft's standard product terms, with no separate contract. |
| Google Gemini API (AI Studio) | No | Use Vertex AI instead when PHI is involved. |
The pattern worth noticing: the consumer and mid-tier plans are usually the ones left out. ChatGPT Business looks like a paid, work-ready plan, yet it cannot handle PHI, while ChatGPT Enterprise can. The standalone Gemini API through AI Studio has no BAA at all, so that model is off-limits in one place and available through Vertex AI in another.
How to request the BAA
The mechanics differ by provider, and most are self-serve:
- Anthropic: the account's primary owner signs the BAA, then asks Anthropic to enable PHI handling on the account. Keep PHI out of the features Anthropic lists as out of scope.
- OpenAI: request a BAA from OpenAI for the API platform. You do not need an enterprise agreement.
- Amazon Bedrock: accept the business associate addendum in AWS Artifact. It is free and applies to any account, and Bedrock sits on the HIPAA-eligible services list.
- Google Cloud: accept the Google Cloud BAA, then keep your work on generally available services, since pre-release services are excluded.
- Microsoft Azure OpenAI: the BAA comes through Microsoft's standard product terms and data protection addendum, so there is no separate document to chase.
Whichever provider you use, save the signed agreement and note the exact plan and configuration it covers. An auditor will ask, and the answer needs to match what you actually deployed.
The gap a provider BAA leaves open
A BAA with your model provider covers the model, not what your application does with the output.
So the moment your app or agent emails a patient a result, a reminder, or a visit summary, PHI leaves your system through a channel the model's BAA never mentioned, and that email becomes its own compliance question.
Most transactional email tools leave a gap, in one of two ways. Some will not sign a BAA at all. Postmark states it cannot sign one, and Twilio SendGrid says it is not a HIPAA eligible service and offers no encryption for PHI; we broke that case down in Is Twilio SendGrid HIPAA compliant?.
Others will sign a BAA but still leave the encryption to you. Amazon SES is HIPAA eligible under the AWS agreement, yet it does not enforce encryption by default, so a misconfiguration can put PHI on the wire in plain text. Go deeper: SES can send PHI in plaintext even with Require TLS.
This is where Paubox fits. Paubox signs a BAA with every customer and enforces TLS 1.2+ encryption by default across all of its products, and that includes the Paubox Email API. So the transactional messages your app sends are compliant out of the box.
For agents specifically, the Paubox Model Context Protocol (MCP) server lets Claude and other AI agents send that email directly through a tool called send_secure_email. The API key stays with the server process and is never shared with the model, so it never appears in a tool call or in the model's context. An agent can send a compliant message without ever holding the credential that sends it.
A short pre-launch checklist
- Confirm the provider signs a BAA for the exact plan and configuration you deployed, not a different tier.
- Turn on the provider's PHI or HIPAA setting, and keep PHI out of any feature listed as out of scope.
- Add your own audit logging, access controls, and minimum necessary limits on top of the provider's controls.
- Route any email your app or agent sends through a BAA-backed channel that encrypts by default.
- Keep the signed agreements and a record of what each one covers.
Frequently asked questions
Does signing a BAA make my application HIPAA compliant?
No. A BAA is a required contract, but compliance also depends on how you configure the service, control access, log activity, and protect PHI everywhere it moves.
Can I use ChatGPT with PHI?
Only on ChatGPT Enterprise or Edu, or through the OpenAI API with a BAA in place. ChatGPT Business and the free tier are not eligible.
My AI provider signed a BAA. Is the email my app sends covered too?
No. The provider's BAA covers its own service. Any email your application sends needs its own BAA-backed, encrypted path.
Getting the BAA in place is the permission slip. Building the rest of the workflow so PHI stays encrypted and logged at every step is the real work, and it pays to get it right before the first patient record moves through an AI system. For the full picture, see our guide to building with AI in healthcare, or start with the foundations in HIPAA compliant email: the definitive guide.
Related: Watch our on-demand webinar on the HIPAA Security Rule changes.
