HIPAA Compliance

Does the ChatGPT API follow HIPAA compliance? If not, how can I make it do so when I customize the API? The OpenAI company should not get access to the user data.


I have the same question. Is OpenAI GPT-3 HIPAA compliant?

While I’m not sure about being HIPAA compliant, OpenAI does remove phone numbers and other personally identifying information, so I’m sure they are HIPAA compliant.

Did you read somewhere that OpenAI has access to your medical information? Not sure how they would get it.

Removing personally identifiable information is a small part of HIPAA compliance.

At this time OpenAI seems to not be ready to sign a BAA.

If you can create a firewall for data you might be able to convince auditors that you have no risk of PHI or ePHI being leaked to OpenAI.

Another option would be to go through the IRB process to set up the training

(5) Public Interest and Benefit Activities. The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes. These disclosures are permitted, although not required, by the Rule in recognition of the important uses made of health information outside of the health care context. Specific conditions or limitations apply to each public interest purpose, striking the balance between the individual privacy interest and the public interest need for this information.

Considering HIPAA includes jail time as a potential penalty, I would work with my legal team to figure out how to do this. I expect that OpenAI will be willing to sign a BAA in the future, but it might result in a substantial increase in costs charged by OpenAI.


Great question and topic! We are building cognitive processing solutions for underserved patient populations, so this is a big concern. I previously volunteered on a CMS advisory committee related to consumer engagement and HIPAA, but this was a decade ago. I am looking to engage with others interested in this topic, as well as connect with the appropriate folks at OpenAI. I am open to discuss at any time. (I am in the Washington DC area, FYI.)


I’m wondering if there have been any improvements or suggestions in this HIPAA arena.

We’re interested in integrating GPT-4 into an electronic health record system. As I understand it, OpenAI still has not applied for a BAA. However, as someone mentioned above, if we have a firewall, is it possible to only send out minimal information to protect the HPI from going to the cloud/servers?

I’m new to all this, so a little confused in terms of how much information would actually leave our firewall in order to be processed appropriately.

Any advice/literature on what’s possible would be greatly appreciated!

We are able to sign Business Associate Agreements (BAA) in support of customers’ compliance with the Health Insurance Portability and Accountability Act (HIPAA). Please read more in our BAA FAQ: How can I get a Business Associate Agreement (BAA) with OpenAI? | OpenAI Help Center