Standard ChatGPT is not HIPAA compliant. Free, Plus, and Team plans carry no Business Associate Agreement, making any use with patient data a violation. This article covers which plans qualify, what a BAA actually covers, and where most violations happen before ChatGPT is even opened.
The direct answer: is standard ChatGPT HIPAA compliant?
No. Free, Plus, and Team plans of ChatGPT are not HIPAA compliant, and using them with Protected Health Information is a violation.
Standard ChatGPT plans use conversation data for model training by default and do not offer a Business Associate Agreement. OpenAI’s own documentation confirms that only Enterprise and the Healthcare tier provide the data controls required for HIPAA eligibility (OpenAI Help Center, ChatGPT for Healthcare).
Under 45 CFR Part 164 (HHS HIPAA Privacy Rule), Protected Health Information includes any of 18 identifiers when linked to health information:
- Patient name
- Geographic data (address, zip code, city)
- Dates (birth date, admission date, discharge date, date of death)
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers (MRN)
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photographs
- Any other unique identifying number or code
Any one of these, combined with health data, is PHI. A first name and a diagnosis together cross the threshold.
The scale of risk is not hypothetical. The HHS Office for Civil Rights Breach Portal reported 725 large healthcare data breaches in 2023 affecting over 133 million people, more than any other sector. AI tools that handle PHI without a BAA add a new vector to that exposure.
Which version of ChatGPT meets HIPAA requirements?
ChatGPT Enterprise and ChatGPT for Healthcare (launched January 2026) can be HIPAA eligible, but only after your organization signs a Business Associate Agreement with OpenAI.
| Plan | BAA available | Data used for training | Audit logs | Data residency controls | HIPAA eligible |
|---|---|---|---|---|---|
| ChatGPT Free | No | Yes | No | No | No |
| ChatGPT Plus | No | Yes | No | No | No |
| ChatGPT Team | No | Opt-out available | Limited | No | No |
| ChatGPT Enterprise | Yes | No | Yes | Yes | Yes (with BAA) |
| ChatGPT for Healthcare | Yes | No | Yes | Yes | Yes (with BAA) |
ChatGPT plan HIPAA eligibility comparison
The Healthcare tier, announced by OpenAI on January 8, 2026, adds clinical workflow integrations, ambient documentation features, and EHR connectivity on top of the Enterprise data protections (OpenAI, “Introducing OpenAI for Healthcare”).
Signing a BAA is necessary but not sufficient. HHS guidance on HIPAA and cloud computing makes clear that covered entities retain responsibility for HIPAA compliance even when using a BAA-covered service. Internal policies, staff training, and minimum necessary use standards still apply. A BAA with OpenAI does not protect against a staff member uploading more PHI than a task requires, or using the tool outside its approved scope.
HIPAA Journal confirms this two-part requirement: BAA plus organizational controls.
What a BAA covers, and what it does not
A Business Associate Agreement is a contract that obligates OpenAI to protect PHI. Signing one does not make every use of ChatGPT automatically compliant.
Under 45 CFR §164.308(b)(1) and §164.502(e), any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a Business Associate and must sign a BAA. The BAA itself must address:
What a BAA covers:
- Restrictions on how the business associate may use or disclose PHI
- Obligation to report breaches and security incidents
- Requirement to apply safeguards consistent with the HIPAA Security Rule
- Sub-contractor requirements (downstream vendors must also have BAAs)
- Return or destruction of PHI at contract termination
What a BAA does not cover:
- Staff behavior: employees who paste unnecessary PHI still create violations
- Other tools in the workflow that have no BAA (e.g., the voice recorder used before ChatGPT)
- Whether PHI should have been entered into the tool at all
- Compliance at other organizations that receive the output
“Pasting patient information into ChatGPT without a signed BAA with OpenAI is a HIPAA violation. Standard ChatGPT does not offer a BAA.” — r/hipaa community
The HHS Model BAA Provisions provide the template most covered entities use as a starting point.

The step most clinicians overlook: how PHI enters before ChatGPT opens
Most HIPAA risk analysis focuses on the AI tool used, but the recording and capture step that happens before ChatGPT is opened carries the same legal weight.
Under 45 CFR §160.103, any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity qualifies as a Business Associate. That definition includes the recording device or app used to capture a patient consultation.
A clinician who records a patient encounter with iPhone Voice Memos and then transcribes it into ChatGPT has put PHI into two systems without a BAA: the voice recording app and the standard AI tool. The USC Price School of Public Policy documented this specific blind spot: most clinicians who unknowingly violate HIPAA do so not in the AI step, but in the capture step that precedes it.
The market is moving quickly. Ambient AI notetakers including Suki, Avo, and Sunoh are already deployed in hospital settings. The compliance question is identical for all of them: does the capture tool carry its own BAA and security certifications, or is it operating without one?
The question to ask before any clinical AI workflow: is the device or app used to capture the patient conversation covered under a BAA?
For more detail on the AI note taker for doctors: software vs hardware — how the two methods compare on compliance, that article covers the comparison in depth.

HIPAA-compliant AI tools for clinical documentation
For clinicians who need compliant AI across the full documentation workflow, from recording to transcript to note. The capture tool must carry its own security certifications, not rely solely on the downstream AI’s BAA.
Plaud Note Pro is a physical AI note taker that meets SOC 2 Type 2, HIPAA, ISO 27001, and GDPR technical safeguard requirements for audio capture and transcription.
- Capture: records the patient consultation without storing audio on an unsecured cloud
- Transcript: auto-generated in the Plaud App, available for review before export
- Export: transcript goes to your EHR or documentation tool. Plaud does not use transcript data for model training.
- Certifications apply at the capture layer, independently of the downstream AI used for note refinement
Plaud Note Pro handles the recording and transcription step. ChatGPT Enterprise or Healthcare tier (with a signed BAA) handles note refinement. Both layers must be covered. One BAA does not extend to the other tool.

For further reading, best AI note takers for medical documentation compares the current options across certification level and clinical workflow fit.
This article provides general information about HIPAA and AI tools. It is not legal or compliance advice. Consult your organization’s compliance officer before deploying any AI tool in a clinical workflow.








