Note: AI platform availability, HIPAA eligibility, and BAA offerings change frequently. This article reflects vendor documentation available at time of publication. Always verify current BAA eligibility directly with the vendor before transmitting PHI.


The short answer: Free ChatGPT is not HIPAA compliant — and neither is ChatGPT Plus. OpenAI currently offers HIPAA-supporting deployments for qualifying enterprise healthcare customers — specifically through ChatGPT Enterprise — where data isolation and BAA availability are confirmed, where OpenAI provides data isolation, does not train on your inputs, and can execute a Business Associate Agreement (BAA). Even then, HIPAA compliance is not automatic — it requires proper configuration, staff training, and internal policies.

The same rule applies across all major AI tools: free versions of Claude, Gemini, and ChatGPT are not HIPAA compliant and should never be used with patient data.


Quick Comparison: AI Chatbots and HIPAA Compliance

🔄 Rotate your phone for a better view of the comparison table.
Platform Plan HIPAA Compliant? Verdict
ChatGPT Free No Do not use for PHI
ChatGPT Plus Paid ($20/mo) No Do not use for PHI
ChatGPT Business (formerly Team) Business No No BAA available per OpenAI
ChatGPT Enterprise Sales-managed Possible With BAA + configuration
ChatGPT for Healthcare Healthcare offering Possible Purpose-built for HIPAA
ChatGPT Edu Education Possible With BAA + configuration
OpenAI API Qualifying customers Possible With BAA + configuration
Claude (free) Free No Do not use for PHI
Claude API (enterprise) Paid/API Possible With BAA + configuration
Gemini (free) Free No Do not use for PHI
Gemini in Chrome Any No Explicitly blocked for BAA users
Gemini (Google Workspace) Business Plus+ Possible With BAA + configuration
Microsoft Copilot (free) Free No Do not use for PHI
Microsoft Copilot (M365) Enterprise Possible With BAA + configuration

Accelerate Innovation with Managed Google Cloud AI

Build custom models using TensorFlow and Document AI. We handle the security and BAA, giving you total control over your results.

Learn More

Can ChatGPT Be HIPAA Compliant? Quick Summary

VersionHIPAA Eligible?
Free ChatGPT❌ No
ChatGPT Plus❌ No
ChatGPT Business (formerly Team)❌ No — no BAA per OpenAI
ChatGPT Enterprise (sales-managed, with BAA)✅ Yes, when properly configured
ChatGPT for Healthcare (with BAA)✅ Yes, purpose-built for clinical use
Staff training required✅ Yes
Access controls required✅ Yes
Audit logging required✅ Yes

Don't wait until it's too late. Download our free HIPAA Compliance Checklist and make sure your organization is protected.

Why Free ChatGPT Is Not HIPAA Compliant

The HIPAA Insider Show team tested this directly — asking ChatGPT, Claude, and Gemini the same question: “Is the free version HIPAA compliant?” All three gave the same answer: no.

As documented in HIPAA Vault’s Episode 96 review:

Free ChatGPT has two fundamental HIPAA problems:

1. No Business Associate Agreement OpenAI does not sign BAAs for free ChatGPT or ChatGPT Plus. Without a BAA, any platform that handles PHI on behalf of a covered entity is operating outside HIPAA’s legal framework under 45 CFR Part 164 — regardless of how secure the technology may be.

2. Data used for model training Messages entered into free and Plus versions of ChatGPT may be used to improve OpenAI’s models. Under HIPAA, this means any PHI entered into free ChatGPT may be retained or used according to OpenAI’s applicable service terms — a clear violation of the Privacy Rule.


What Is the HIPAA Compliant Version of ChatGPT?

According to OpenAI’s Help Center, only ChatGPT Enterprise and ChatGPT Edu customers with sales-managed accounts are currently eligible for a BAA. OpenAI explicitly states it does not offer a BAA for ChatGPT Business (formerly Team).

OpenAI also offers ChatGPT for Healthcare — a purpose-built workspace designed to support HIPAA compliance for qualifying healthcare organizations. Organizations evaluating ChatGPT for clinical use should compare this offering with ChatGPT Enterprise and the API before making deployment decisions — and only when a BAA is executed and the environment is properly configured. OpenAI’s privacy documentation confirms that Enterprise plans offer data isolation and BAA availability.

ChatGPT Enterprise and ChatGPT for Healthcare offer:

  • Data isolation — your inputs are not used to train OpenAI’s models
  • Enhanced security and privacy controls
  • BAA availability — available for sales-managed Enterprise and Healthcare accounts
  • Admin controls — role-based access management, audit logging, and usage monitoring

Important: privacy commitments (no training on business data, encryption, SOC 2) are not the same as HIPAA eligibility. OpenAI’s Enterprise Privacy page describes privacy features for ChatGPT Business — but explicitly does not offer a BAA for that plan. A BAA is what determines HIPAA eligibility, not privacy features alone. As the HIPAA Insider Show documented, the platform itself must be paired with proper internal policies, staff training, and access controls.


Is Claude HIPAA Compliant?

Free Claude.ai is not HIPAA compliant. Conversations on the free interface may be reviewed by Anthropic for safety and improvement purposes. No BAA is available for free users.

The HIPAA-compliant path for Claude is through Anthropic’s API with an enterprise agreement that includes a signed BAA. Organizations building HIPAA-compliant applications using Claude’s API can implement their own compliant infrastructure — with proper encryption, access controls, and data handling — and execute a BAA with Anthropic.


Is Gemini HIPAA Compliant?

Free Gemini is not HIPAA compliant. The free consumer version of Gemini is not covered by Google’s BAA under any circumstances.

Gemini in Chrome is also not HIPAA compliant — and notably, Google explicitly blocks the Gemini Chrome browser integration for any user who has signed a HIPAA BAA with Google. This is an important nuance: even if your organization has a BAA with Google through Workspace, using the Gemini assistant built into Chrome is still non-compliant.

The HIPAA-compliant path for Gemini is through Google Workspace Business Plus or higher, with a BAA executed through the Google Workspace Admin console. On this plan, Gemini can be configured for compliant use — but configuration steps are required.


What Does It Take to Use AI Tools Compliantly?

Choosing the right paid plan is only the first step. The HIPAA Insider Show’s Episode 96 outlined a four-part compliance checklist that applies to any AI tool used in a healthcare setting:

1. Administrative Access Management

  • Implement role-based access control (RBAC) — configure access roles through the vendor’s admin console so staff only have access to what their role requires
  • Enforce minimum necessary access — only grant AI licenses to staff with legitimate, defined needs to use PHI with AI
  • Mandate multi-factor authentication (MFA) for all accounts

2. Audit Logging and Review

  • Enable available audit logging features — where supported, logs should capture sufficient detail to support investigations and compliance monitoring
  • Establish a formal review policy — regularly review audit logs for compliance and potential breach detection

3. Training and Policy Enforcement

  • Develop AI-specific HIPAA training — staff need clear policies on what types of PHI are and are not appropriate to input into AI tools
  • Prohibit consumer tool use — explicitly train and enforce that free, non-BAA versions of AI tools must never be used with patient data, even at home

4. Data Minimization and Prompt Design

  • Enforce minimum necessary rules — users should input only the least amount of PHI necessary for the task
  • Promote de-identification — train staff to remove HIPAA identifiers before submitting data to AI tools

A practical example: if a staff member needs an AI tool to find the top 10 patients by appointment volume from a spreadsheet, they should scrub patient names and replace them with Record A, B, C before inputting the data — because the AI doesn’t need to know patient names to answer the question.


The Risk of Using Free AI Tools With Patient Data

The consequences of using free AI tools with PHI are not theoretical. Under HIPAA:

  • Entering PHI into a non-BAA platform may create a reportable HIPAA compliance incident and should be treated as a serious compliance matter requiring investigation
  • The covered entity — not the AI vendor — is responsible for that breach
  • Civil penalties vary by culpability and are adjusted periodically by HHS for inflation, with annual caps reaching into the millions for willful neglect
  • Staff who violate organizational AI policies may expose their employer to HIPAA enforcement and may also face internal disciplinary action

The most common scenario: a staff member uses free ChatGPT at home to summarize patient notes or draft a referral letter. They believe they’re being efficient. In reality, they’ve created a reportable breach.


Using AI tools in your healthcare organization? Your AI platform is only one piece of the compliance puzzle — your hosting environment, email, and data infrastructure also need to be HIPAA compliant.

Talk to a HIPAA Vault specialist →


What About Microsoft Copilot?

Microsoft Copilot is available in two forms:

  • Free/consumer Copilot — not HIPAA compliant, no BAA
  • Microsoft 365 Copilot (Enterprise) — can be HIPAA compliant through Microsoft’s Online Services Terms BAA, on qualifying M365 plans (Business Premium, E3, E5)

The same configuration requirements apply: audit logging, access controls, MFA, and staff training on appropriate use.


Need help setting up HIPAA-compliant AI workflows for your organization? HIPAA Vault helps healthcare organizations build compliant infrastructure — hosting, email, storage, and AI integration — with signed BAAs and 24/7 support.

Schedule a free consultation →  |  View hosting plans →


Frequently Asked Questions


HIPAA Vault provides managed HIPAA-compliant hosting, email, and cloud services for healthcare organizations. This content is educational and does not constitute legal advice. Consult a qualified HIPAA compliance attorney for guidance specific to your organization.