An AI tool is HIPAA compliant when it handles protected health information (PHI) under a signed Business Associate Agreement (BAA), protects that data with required technical safeguards like encryption and access controls, and restricts how the vendor can use the data, including a commitment that PHI is never used to train AI models. Compliance is a property of the whole arrangement (the contract, the security, and how your team actually uses the tool), not a feature of the AI model itself.
That is the short answer. The rest of this guide explains each requirement, shows you how to evaluate any AI vendor, and covers the mistakes that turn a helpful tool into a reportable breach.
Why this question matters right now
AI has moved from experiment to everyday practice. According to the American Medical Association's 2026 Physician Survey on Augmented Intelligence, 81% of physicians now use AI in a professional context, up from 38% in 2023. The same survey found that data privacy assurances rank among the top requirements physicians cite for adopting AI further.
The stakes of getting privacy wrong are just as concrete:
- 2025 was the worst year on record for large healthcare data breaches by count. The HIPAA Journal reports 772 breaches affecting 500 or more individuals were reported to the HHS Office for Civil Rights (OCR) for 2025, exposing the PHI of roughly 139.7 million people.
- Healthcare breaches are the most expensive of any industry. IBM's Cost of a Data Breach Report 2025 puts the average healthcare breach at $7.42 million per incident.
- Penalties scale fast. Under the HHS penalty schedule updated in January 2026, civil monetary penalties for HIPAA violations range from $145 to $73,011 per violation in the lower tiers, and up to $2,190,294 per violation for willful neglect that goes uncorrected. OCR is also continuing its risk analysis enforcement initiative, with the agency confirming an expansion into risk management in 2026.
Every clinician pasting text into a chatbot, and every practice evaluating an AI scribe, is making a compliance decision. This guide gives you the framework to make it well.
A quick refresher: PHI, covered entities, and business associates
Three HIPAA concepts do most of the work in any AI compliance question:
Protected health information (PHI). Health information that identifies a patient or could reasonably be used to identify one. HIPAA's Privacy Rule lists 18 categories of identifiers, from the obvious (names, Social Security numbers, medical record numbers) to the easy to miss (dates of service, geographic detail smaller than a state, device identifiers, full-face photos).
Covered entities. Healthcare providers, health plans, and clearinghouses. If you treat patients or bill insurance, this is you.
Business associates. Any vendor that creates, receives, maintains, or transmits PHI on your behalf. An AI service that processes your patient notes fits this definition. Under 45 CFR 164.502(e), you may only share PHI with a business associate after obtaining satisfactory assurances in the form of a signed BAA.
That last point is where most consumer AI tools fail immediately. Sending PHI to a vendor without a BAA is an impermissible disclosure, which means the violation occurs the moment the data leaves your control, even if nothing ever leaks.
The four requirements of a HIPAA compliant AI tool
1. A signed Business Associate Agreement
The BAA is the legal foundation. It binds the vendor to HIPAA's rules: safeguarding PHI, reporting breaches to you within defined timeframes, using the data only to provide the contracted service, and returning or destroying PHI when the relationship ends.
Two practical notes healthcare buyers often miss:
- A BAA covers specific products and features, not the company. OpenAI, for example, offers BAAs for its Zero Data Retention API endpoints and for sales-managed ChatGPT Enterprise accounts, but consumer ChatGPT plans (Free, Plus, Pro, Team) are not eligible. The tier your staff actually uses determines whether PHI is covered.
- The BAA governs the vendor's side, not yours. You remain responsible for risk analysis, workforce training, minimum-necessary use, and access configuration. A signed BAA with a vendor whose tool your staff misuse is not a defense.
A useful rule of thumb from compliance teams: no BAA, no PHI.
2. Technical safeguards that meet the Security Rule
HIPAA's Security Rule requires administrative, physical, and technical safeguards for electronic PHI. For an AI platform, look for specifics, not adjectives:
- Encryption in transit and at rest. The current baseline is TLS for data in transit and AES-256 for data at rest.
- Access controls. Unique user accounts, role-based permissions, and multi-factor authentication so only authorized staff reach PHI.
- Audit logging. A record of who accessed what and when, available to you for review.
- Data isolation. Your organization's data segregated from other customers' data.
A vendor that cannot name its encryption standard or produce an audit report has not done the work.
3. Restrictions on how your data is used
Under HIPAA, a business associate may only use PHI to deliver the contracted service. Many general-purpose AI companies built their business models on the opposite assumption: user inputs improve the product. Consumer AI tools commonly retain conversations and may use them for model training unless the user opts out.
For healthcare use, the vendor's terms and BAA should state plainly that:
- Your prompts, documents, and audio are never used to train AI models
- Your data is not shared with third-party AI providers beyond what the BAA covers
- Data is retained only as long as needed, with defined deletion timelines you control
If a vendor's terms mention using your inputs to "improve our services" without clear carve-outs for PHI, treat that as disqualifying.
4. Features scoped for healthcare, with admin control
Even a BAA-covered platform can leak PHI through side doors. Integrated features often route data to services outside the BAA's scope. Microsoft 365 Copilot illustrates the risk: it can be covered under Microsoft's enterprise BAA, but Copilot experiences that route queries through consumer Bing services fall outside that coverage, and a prompt containing PHI that triggers a web lookup can leave the protected environment.
A healthcare-ready AI platform limits or disables risky capabilities by default: no social sharing, no uncontrolled third-party plugins, no silent hand-offs to non-covered endpoints. It also gives administrators the controls to enforce that posture across the organization.
Why de-identification alone is not enough
A common workaround is to strip the patient's name before pasting a note into a consumer chatbot. This rarely holds up.
HIPAA's Safe Harbor method (45 CFR 164.514(b)) requires removing all 18 identifier categories, including dates, locations smaller than a state, and any other unique identifying detail. Clinical notes are dense with exactly this material: a visit date, a rare diagnosis, a hometown mentioned in passing. Any one of them can make the record identifiable again, and regulators treat data as PHI whenever a reasonable basis exists to believe it can identify a patient. The alternative path, expert determination, requires a qualified statistician to formally certify that re-identification risk is very small. Ad-hoc redaction by a busy clinician is neither.
The practical takeaway: assume patient data is PHI unless it has been de-identified through a formal, documented process. Manual redaction before pasting into a non-covered AI tool does not change the compliance analysis. For a deeper look at why tokenization and anonymization strategies fall short with generative AI, see HIPAA risks with tokenization and anonymization.
Are the popular AI tools HIPAA compliant?
The honest answer for most consumer AI products is no, with narrow enterprise exceptions. As of early 2026:
ChatGPT. Consumer plans (Free, Plus, Pro, Team) are not eligible for a BAA, so any PHI entered into them is an impermissible disclosure. OpenAI does offer BAAs for its Zero Data Retention API and for sales-managed ChatGPT Enterprise, Edu, and healthcare-specific offerings, which require enterprise procurement and careful configuration. The version most individual clinicians use is the version that is not covered. Full guide: Is ChatGPT HIPAA Compliant?
Microsoft Copilot. Can be covered under Microsoft's enterprise agreements for commercial tenants, but coverage does not extend to personal Microsoft accounts, and some Copilot surfaces fall outside the BAA. Configuration and account hygiene decide the outcome. Full guide: Is Microsoft Copilot HIPAA Compliant? For a plan-by-plan comparison, see BastionGPT vs Microsoft Copilot.
Google Gemini. Google's BAA can cover Gemini within paid Workspace tiers; consumer Gemini accounts are not covered. Full guide: Is Google Gemini HIPAA Compliant?
Claude. Anthropic's BAA does not cover Claude Free, Pro, Max, or Team plans; HIPAA-ready use is available only through its sales-assisted Enterprise tier, and some features remain outside BAA coverage even there. Full guide: Is Claude HIPAA Compliant? Healthcare teams weighing the enterprise route can also see BastionGPT vs Claude Team & Enterprise.
The pattern across all four: compliance is possible only on enterprise tiers, under a signed BAA, with features configured correctly, and it never extends to the free or personal versions staff reach for by default. That gap between what the organization licenses and what individuals actually use is where violations happen. A December 2025 Wolters Kluwer survey of more than 500 healthcare workers found that 17% admitted to using unauthorized AI tools at work.
Policy alone will not protect you
Many organizations respond to AI risk with a memo: do not enter patient information into chatbots. A policy is necessary, and it is not sufficient. A rushed clinician saving twenty minutes on a discharge summary can violate it with one paste, often without realizing the note still contains identifiers.
Effective programs pair policy with environment:
Network and access controls. Some health systems block unapproved AI tools on work networks entirely, or interpose a warning screen before access.
Data loss prevention (DLP). DLP tooling can detect PHI patterns (names, MRNs, SSNs) being entered into web forms and warn or block before submission.
Training that names the risk. Annual HIPAA training should cover AI specifically: what counts as PHI in a prompt, why "I removed the name" is not de-identification, and which tools are approved.
An approved alternative. This is the control that makes the others workable. Staff turn to unapproved AI because it solves a real problem: documentation burden. Blocking tools without replacing them pushes usage into the shadows. Providing a compliant platform that is as capable as the consumer tools channels demand somewhere safe.
Red flags: how to spot a non-compliant AI tool
When evaluating any AI product for healthcare use, treat these as disqualifying until proven otherwise:
- No BAA offered, or a BAA available only on request for a premium tier your team will not buy
- No mention of HIPAA or healthcare anywhere in the vendor's documentation
- Terms that permit training on your data or sharing inputs for product improvement
- No named security specifics: encryption standards, audit logging, access controls, or third-party attestations
- Consumer-oriented features enabled by default: social sharing, open web search, public link sharing, third-party plugin marketplaces
- No healthcare footprint: zero healthcare customers, case studies, or compliance documentation
When in doubt, involve your compliance or legal team before any PHI is involved. Assume a tool is not compliant until documentation and a signed agreement prove otherwise.
A buyer's checklist for HIPAA compliant AI
Use these questions in any vendor evaluation:
- Will you sign a BAA, and does it cover every plan and feature we intend to use?
- Is our data ever used to train AI models or shared with third-party AI providers?
- What encryption do you use in transit and at rest, and can you provide current security attestations?
- How long is our data retained, who controls deletion, and where is it stored geographically?
- Which features are excluded from BAA coverage, and can administrators disable them?
- How do you support our own obligations: audit logs we can review, access controls we can configure, breach notification timelines in writing?
A credible healthcare AI vendor answers all six in writing without hesitation.
How BastionGPT approaches HIPAA compliance
BastionGPT was built for exactly this problem: giving clinicians the capability of advanced AI inside a platform designed for healthcare's rules.
BAA included on every plan. Every BastionGPT plan includes a Business Associate Agreement by default, including individual plans, so a solo therapist gets the same contractual protection as a hospital system.
Zero data exposure. Your prompts, documents, and audio are never shared with OpenAI or other third-party AI providers for training. You retain full ownership of your data, and chats and transcripts are wiped after 30 days by default, with user control to retain longer or delete sooner.
Security you can verify. Data is encrypted with AES-256 at rest and HTTPS/TLS in transit, hosted in HITRUST and ISO 27001-certified data centers, with regional hosting in the USA, Canada, and Australia. BastionGPT also supports PIPEDA, PIPA, and PHIPA (Canada) and the APP (Australia) for teams outside the US.
Scoped for healthcare work. BastionGPT combines a clinical AI assistant for drafting SOAP, DAP, BIRP, and progress notes with unlimited secure AI Scribe transcription and document analysis, working alongside EMRs like Epic, Cerner, and TherapyNotes. BastionGPT assists with documentation; it does not replace professional judgment, and clinicians review all AI-generated output.
If your team is weighing AI tools against the checklist above, see how BastionGPT compares or start a trial with a BAA in place from day one.
Frequently asked questions
What does "HIPAA compliant AI" actually mean?
It means the AI service handles PHI under a signed BAA, meets the Security Rule's safeguards (encryption, access controls, audit logging), and restricts data use to providing the service. No AI model is compliant on its own; compliance describes the contractual and technical arrangement around the tool and how your organization uses it.
Is ChatGPT HIPAA compliant?
The consumer versions of ChatGPT (Free, Plus, Pro, and Team) are not HIPAA compliant because OpenAI does not offer a BAA for them. OpenAI does offer BAAs for its Zero Data Retention API and sales-managed enterprise offerings, which require enterprise contracts and configuration. Entering PHI into consumer ChatGPT is an impermissible disclosure under HIPAA. Full guide: Is ChatGPT HIPAA Compliant?
Does a BAA alone make an AI tool HIPAA compliant?
No. The BAA is necessary but covers only the vendor's obligations. Your organization still must conduct risk analysis, train staff, configure access controls, and ensure the covered product tier and features are the ones actually in use.
Can I use AI with de-identified patient data?
Only if the data is de-identified under HIPAA's standards: the Safe Harbor method (removing all 18 identifier categories) or expert determination. Manually deleting a patient's name before pasting a note into a chatbot does not meet either standard, because remaining details like dates, locations, and unique clinical facts can still identify the patient.
Is it a HIPAA violation if the AI company never leaks the data?
Yes, it can be. Disclosing PHI to a vendor without a BAA is itself an impermissible disclosure. The violation occurs when the data leaves your control, regardless of whether any downstream harm follows.
What penalties apply to HIPAA violations involving AI tools?
The same tiered civil penalties as any HIPAA violation. Under the schedule HHS updated in January 2026, penalties range from $145 to $73,011 per violation in the lower culpability tiers and reach $2,190,294 per violation for uncorrected willful neglect, alongside potential state attorney general actions and breach notification costs.
The bottom line
What makes an AI HIPAA compliant is not the model's name or its capabilities. It is the safeguards around it: a BAA that covers the product you actually use, security controls you can verify, contractual limits on data use, and an organization that backs its policies with technical enforcement and a compliant alternative staff want to use.
Verify those four things before any patient data touches an AI tool, and you can bring modern AI into patient care with confidence.
Sources
- American Medical Association, 2026 Physician Survey on Augmented Intelligence (March 2026)
- The HIPAA Journal, Largest Healthcare Data Breaches of 2025
- The HIPAA Journal, Healthcare Data Breach Statistics
- The HIPAA Journal, HIPAA Violation Fines (penalty schedule updated January 28, 2026)
- IBM, Cost of a Data Breach Report 2025 (healthcare industry average)
- OpenAI Help Center, How can I get a Business Associate Agreement (BAA) with OpenAI
- OpenAI, Enterprise Privacy
- HHS Office for Civil Rights, Guidance on De-identification of PHI (Safe Harbor, 45 CFR 164.514(b))
- HHS, Business Associate Contracts (45 CFR 164.502(e), 164.504(e))
- Wolters Kluwer, Survey Finds Broad Presence of Unsanctioned AI Tools in Hospitals and Health Systems (January 2026)


