HIPAA Compliance for Assistants, Threads, etc. Timeline

Hello,
I have a HIPAA compliant application where we use OpenAI. We currently have a signed BAA with OpenAI and use the zero-retention APIs (which is how we remain HIPAA compliant!).

We are very interested in using the newly released features like assistants, threads, etc., but they do not fall under the Zero-Retention API purview, per this article: https://platform.openai.com/docs/models/how-we-use-your-data (because, by the nature of the feature, they store data).

Can someone share if it is on the roadmap to make it so we can use these new APIs in a HIPAA compliant manner? And if so, is there a timeline for that?
Thank you!

HIPAA compliance is not about zero retention, it is about secure management of retained data at every stage in the data chain, the BAA you have covers that for API related actions.

So long as you have a breach protocol and register, and you have BAAs with everyone in the data custody chain, you are being compliant.

While it is true that zero-retention is not a technical requirement for HIPAA, OpenAI’s approach to HIPAA compliance is to sign a BAA that covers only the API endpoints that work with zero-retention, and then to turn zero-retention on.

Anyone else have any visibility into if HIPAA compliance for non-zero-retention APIs is on the roadmap?

I’ll see if I can get a response on that next week.

2 Likes

Hi @Foxabilo , is there any public update regarding this?

Hi, last weeks meeting was postponed, I’ll make sure to ask it this week.

2 Likes

Hey @Foxabilo , any updates here?

Yes, I did ask, and the reply was that it is on the roadmap, but not until the vision model comes out of beta; there is no timeline for when that will be done, though. Realistically I think that means Q3 to Q4 of 2024, but it could potentially be in the next few months, although I doubt it.

1 Like

Thanks for the update. Could I use all of the Assistants API and be HIPAA compliant if I am an enterprise customer?

I meant to tag you in the previous message (@Foxabilo).

1 Like

No, the Assistants API is also in beta, and most of the endpoints do not qualify for zero retention and hence are not HIPAA compliant.

2 Likes