Skip to content
The world's No.1 AI note-taking brand.
Plaud Team : Unlock team intelligence
Meet the Plaud × PITAKA Special Edition
Healthcare professionals reviewing a private patient documentation workflow in a clinic office.

Is ChatGPT HIPAA compliant, or are you already violating it?

Explains which ChatGPT plans are HIPAA eligible, what a BAA covers and does not cover, and why the recording step before ChatGPT opens carries the same legal weight.

Standard ChatGPT is not HIPAA compliant. Free, Plus, and Team plans carry no Business Associate Agreement, making any use with patient data a violation. This article covers which plans qualify, what a BAA actually covers, and where most violations happen before ChatGPT is even opened.

The direct answer: is standard ChatGPT HIPAA compliant?

No. Free, Plus, and Team plans of ChatGPT are not HIPAA compliant, and using them with Protected Health Information is a violation.

Standard ChatGPT plans use conversation data for model training by default and do not offer a Business Associate Agreement. OpenAI’s own documentation confirms that only Enterprise and the Healthcare tier provide the data controls required for HIPAA eligibility (OpenAI Help Center, ChatGPT for Healthcare).

Under 45 CFR Part 164 (HHS HIPAA Privacy Rule), Protected Health Information includes any of 18 identifiers when linked to health information:

  • Patient name
  • Geographic data (address, zip code, city)
  • Dates (birth date, admission date, discharge date, date of death)
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers (MRN)
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers (fingerprints, voiceprints)
  • Full-face photographs
  • Any other unique identifying number or code

Any one of these, combined with health data, is PHI. A first name and a diagnosis together cross the threshold.

The scale of risk is not hypothetical. The HHS Office for Civil Rights Breach Portal reported 725 large healthcare data breaches in 2023 affecting over 133 million people, more than any other sector. AI tools that handle PHI without a BAA add a new vector to that exposure.

Which version of ChatGPT meets HIPAA requirements?

ChatGPT Enterprise and ChatGPT for Healthcare (launched January 2026) can be HIPAA eligible, but only after your organization signs a Business Associate Agreement with OpenAI.

Plan BAA available Data used for training Audit logs Data residency controls HIPAA eligible
ChatGPT Free No Yes No No No
ChatGPT Plus No Yes No No No
ChatGPT Team No Opt-out available Limited No No
ChatGPT Enterprise Yes No Yes Yes Yes (with BAA)
ChatGPT for Healthcare Yes No Yes Yes Yes (with BAA)

ChatGPT plan HIPAA eligibility comparison

The Healthcare tier, announced by OpenAI on January 8, 2026, adds clinical workflow integrations, ambient documentation features, and EHR connectivity on top of the Enterprise data protections (OpenAI, “Introducing OpenAI for Healthcare”).

Signing a BAA is necessary but not sufficient. HHS guidance on HIPAA and cloud computing makes clear that covered entities retain responsibility for HIPAA compliance even when using a BAA-covered service. Internal policies, staff training, and minimum necessary use standards still apply. A BAA with OpenAI does not protect against a staff member uploading more PHI than a task requires, or using the tool outside its approved scope.

HIPAA Journal confirms this two-part requirement: BAA plus organizational controls.

What a BAA covers, and what it does not

A Business Associate Agreement is a contract that obligates OpenAI to protect PHI. Signing one does not make every use of ChatGPT automatically compliant.

Under 45 CFR §164.308(b)(1) and §164.502(e), any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a Business Associate and must sign a BAA. The BAA itself must address:

What a BAA covers:

  • Restrictions on how the business associate may use or disclose PHI
  • Obligation to report breaches and security incidents
  • Requirement to apply safeguards consistent with the HIPAA Security Rule
  • Sub-contractor requirements (downstream vendors must also have BAAs)
  • Return or destruction of PHI at contract termination

What a BAA does not cover:

  • Staff behavior: employees who paste unnecessary PHI still create violations
  • Other tools in the workflow that have no BAA (e.g., the voice recorder used before ChatGPT)
  • Whether PHI should have been entered into the tool at all
  • Compliance at other organizations that receive the output

“Pasting patient information into ChatGPT without a signed BAA with OpenAI is a HIPAA violation. Standard ChatGPT does not offer a BAA.” — r/hipaa community

The HHS Model BAA Provisions provide the template most covered entities use as a starting point.

A clinician and compliance manager review a privacy-safe AI documentation workflow on a clinic computer.

The step most clinicians overlook: how PHI enters before ChatGPT opens

Most HIPAA risk analysis focuses on the AI tool used, but the recording and capture step that happens before ChatGPT is opened carries the same legal weight.

Under 45 CFR §160.103, any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity qualifies as a Business Associate. That definition includes the recording device or app used to capture a patient consultation.

A clinician who records a patient encounter with iPhone Voice Memos and then transcribes it into ChatGPT has put PHI into two systems without a BAA: the voice recording app and the standard AI tool. The USC Price School of Public Policy documented this specific blind spot: most clinicians who unknowingly violate HIPAA do so not in the AI step, but in the capture step that precedes it.

The market is moving quickly. Ambient AI notetakers including Suki, Avo, and Sunoh are already deployed in hospital settings. The compliance question is identical for all of them: does the capture tool carry its own BAA and security certifications, or is it operating without one?

The question to ask before any clinical AI workflow: is the device or app used to capture the patient conversation covered under a BAA?

For more detail on the AI note taker for doctors: software vs hardware — how the two methods compare on compliance, that article covers the comparison in depth.

Plaud Note Pro records an in-person conversation on a meeting table for clinical or professional documentation.

HIPAA-compliant AI tools for clinical documentation

For clinicians who need compliant AI across the full documentation workflow, from recording to transcript to note. The capture tool must carry its own security certifications, not rely solely on the downstream AI’s BAA.

Plaud Note Pro is a physical AI note taker that meets SOC 2 Type 2, HIPAA, ISO 27001, and GDPR technical safeguard requirements for audio capture and transcription.

  • Capture: records the patient consultation without storing audio on an unsecured cloud
  • Transcript: auto-generated in the Plaud App, available for review before export
  • Export: transcript goes to your EHR or documentation tool. Plaud does not use transcript data for model training.
  • Certifications apply at the capture layer, independently of the downstream AI used for note refinement

Plaud Note Pro handles the recording and transcription step. ChatGPT Enterprise or Healthcare tier (with a signed BAA) handles note refinement. Both layers must be covered. One BAA does not extend to the other tool.

Plaud App generating a transcript from a recorded conversation

For further reading, best AI note takers for medical documentation compares the current options across certification level and clinical workflow fit.

Plaud Note Pro

This article provides general information about HIPAA and AI tools. It is not legal or compliance advice. Consult your organization’s compliance officer before deploying any AI tool in a clinical workflow.

FAQ

Are doctors allowed to use ChatGPT for clinical notes?

Is there a free AI tool that is HIPAA compliant?

What happens if a clinician uses standard ChatGPT with patient data?

Does ChatGPT Enterprise automatically make a practice HIPAA compliant?

Is Claude HIPAA compliant?

How much does HIPAA-compliant ChatGPT cost?

Featured blog posts & updates

A professional reviewing scattered notes and a phone on a desk, representing a second brain system that needs better capture.

Your second brain isn’t working, and it’s probably not the app

Diagnoses why second brain systems fail at the Capture step, shows what spoken information never makes it in, and explains how voice capture closes the gap.

Read more
A creator checks an audio transcription workflow on a laptop with a microphone and headphones nearby.

Can ChatGPT transcribe audio without breaking every other week?

Covers the three ways ChatGPT transcribes audio in 2026, their plan and device requirements, their limits, and why DIY Whisper pipelines keep breaking.

Read more
A hiring team reviews structured interview notes and candidate scorecards after an interview.

Interview notes: a practical guide for hiring teams

A guide for HR managers and hiring teams on taking interview notes that hold up: why they matter, what the law requires you to keep, how to capture them in real time, ready-to-use templates, and how to pick an AI note-taking tool if you want help.

Read more
Skip to content