Diagram comparing free ChatGPT with no HIPAA BAA against ChatGPT Enterprise with a signed Business Associate Agreement for clinical use

Is ChatGPT HIPAA Compliant? 4-Part Answer for Therapists

Whether ChatGPT is HIPAA compliant depends on two things: which plan you’re using, and what you’re putting into it. The short answer is that standard ChatGPT (Free and Plus) is not HIPAA compliant: OpenAI does not sign a Business Associate Agreement for those plans, and by default conversation data on consumer plans may be used for model improvement. ChatGPT Enterprise and the OpenAI API can be used in a HIPAA-compliant way, with a signed BAA and appropriate configuration. There is also a third option that works on any plan and takes PHI out of the picture altogether: de-identification. This guide covers all three scenarios so you can decide where ChatGPT fits in your clinical workflow.

Why This Question Matters More Than a Simple Yes or No

HIPAA’s requirements for software tools aren’t about the tool itself — they’re about whether the tool receives, processes, or transmits Protected Health Information (PHI) on behalf of a covered entity, and whether a Business Associate Agreement governs that relationship. HHS guidance on Business Associates makes clear that any vendor who creates, receives, maintains, or transmits PHI on behalf of a covered entity is a Business Associate and must sign a BAA. The question of HIPAA compliance for ChatGPT therefore isn’t philosophical — it’s a question of whether you’re sending PHI, and if so, whether OpenAI has agreed to protect it under a BAA.

Most therapists using ChatGPT for documentation are exposed not because the law is unclear, but because they have not yet made the simple workflow change that removes the risk. If you’re already using ChatGPT prompts for progress notes, understanding the HIPAA picture is the next step, because the right workflow depends on which plan you have and what safeguards you’ve built in.

4-Part Framework: ChatGPT and HIPAA for Clinicians

Part 1 — What HIPAA Actually Requires of a Technology Tool

HIPAA’s Privacy and Security Rules don’t prohibit using AI tools in clinical practice — they require that any tool receiving PHI on your behalf operates under a Business Associate Agreement that legally binds the vendor to HIPAA’s data protection standards. A BAA isn’t a feature; it’s a contract. It specifies what the vendor can do with PHI, how they’ll protect it, and what happens in the event of a breach.

For a tool to be “HIPAA compliant” in practice, three things need to be true: (1) a BAA is signed between you (or your organization) and the vendor, (2) the tool is configured so that only the minimum necessary PHI reaches it, and (3) you have administrative safeguards, meaning written policies, staff training and a documented risk analysis, governing how the tool is used. Software alone can’t make you HIPAA compliant; it’s one piece of a larger program.

Practical note: if your EHR vendor has signed a BAA with you, that doesn’t extend to ChatGPT. Each tool that touches PHI requires its own BAA assessment.

Part 2 — Free and Plus ChatGPT: Not HIPAA-Eligible

OpenAI’s Free and Plus tiers do not offer a Business Associate Agreement, so these plans cannot be used with PHI. If you paste client names, dates of birth, diagnoses, session content, or any combination of information that could identify a patient, you’re transmitting PHI to a system with no contractual obligation to protect it under HIPAA. By default, OpenAI’s data use policy for consumer plans allows conversation data to be used for model improvement, which compounds the problem. Opting out of model training in the account’s data controls reduces that one exposure, but it does not create a BAA; the plan is still not HIPAA-eligible.

This is the scenario most clinicians are actually in when they start using ChatGPT. The solution isn’t to avoid ChatGPT; it’s to de-identify your notes before they reach ChatGPT, so that no PHI is ever sent. See Part 4 below.

Practical note: using your personal ChatGPT account for work with client data — even on a paid Plus plan — creates personal professional liability, not just organizational risk.

Part 3 — ChatGPT Enterprise and the OpenAI API: BAA Available

ChatGPT Enterprise and organizations using the OpenAI API with a HIPAA compliance configuration can enter into a Business Associate Agreement with OpenAI. Under these agreements, conversation data is not used for model training, and OpenAI commits to HIPAA’s administrative, physical, and technical safeguard requirements. This makes these plans legally viable for clinical workflows that involve PHI — provided your organization has completed the rest of the HIPAA compliance requirements on your end.

ChatGPT Enterprise is priced for organizations and requires a procurement process; it’s not a consumer product. Individual clinicians in private practice typically can’t sign a BAA directly and would need to access it through a health system or enterprise subscription. The OpenAI API is more accessible for tech-forward practices that can build custom internal tools, but it also requires a signed BAA and careful configuration.

Practical note: even with a BAA, you should document your AI use policy, train any staff who use the tool, and verify that the specific features you’re using are covered under the BAA’s scope. “We have a BAA” is not the end of the compliance story.

Part 4 — De-Identification: The Workaround That Works on Any Plan

De-identification is the practical solution for clinicians who can’t access Enterprise or the API. Under HIPAA, de-identified information is not PHI: it’s not subject to the Privacy Rule and can be used with any tool, including standard ChatGPT. HIPAA defines de-identification through two methods: the Safe Harbor method (remove 18 specific categories of identifiers, and have no actual knowledge that the remaining information could identify the individual) and the Expert Determination method (a qualified expert documents that the re-identification risk is very small).

For everyday clinical documentation, Safe Harbor de-identification is achievable in under a minute per session: replace the client’s name with “client” or a pronoun, remove specific dates (use relative references like “this session” or “last week”; a bare year is allowed), replace locations with generic terms, strip contact details and record numbers, and avoid pairing the full diagnosis with any other identifier. Watch the narrative too: Safe Harbor’s last category covers any other unique identifying characteristic, so a rare occupation, a named employer or a publicly reported event should be generalized as well. The result is a set of notes that describes a real session but should not be linkable to a specific individual: no PHI, no BAA required.

This workflow — de-identify first, then paste into ChatGPT with a format-specific prompt — is what the ChatGPT for therapists without PHI guide covers in detail. It works on Free, Plus, and Enterprise plans equally, and it’s the starting point for any clinician’s AI workflow regardless of which plan they’re on.

Practical note: de-identification protects you from the HIPAA risk of using free ChatGPT, but it doesn’t guarantee quality output. The more clinical context you can preserve in de-identified form, the better the note ChatGPT produces.
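The steps above can be turned into a pre-paste filter. The script below is an added illustration, not a tool from the original article and not an OpenAI product. It handles the pattern-shaped Safe Harbor categories (dates, phone numbers, emails, SSNs, ZIP codes, URLs, IP addresses, ages over 89) with regular expressions, takes names and places from a roster the clinician supplies, then re-scans the result and reports anything still left, which is the gate: paste only when the residual list is empty. The session note is constructed sample text; the roster entries, function names and label strings are assumptions made for the example. Regex scrubbing on its own does not establish Safe Harbor de-identification, because narrative details no pattern catches can still identify someone, so clinician review of the output is still required.

```python
"""Pre-paste de-identification filter for session notes (added illustration).

Safe Harbor (45 CFR 164.514(b)(2)) lists 18 identifier categories. The
pattern-shaped ones are handled with regexes below; names and places are
free text, so they come from a caller-supplied roster. Assumption: the
clinician supplies that roster and reviews the output before pasting.
"""
import re
from typing import Dict, List, Sequence, Tuple

MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.?"

# Order matters: specific shapes first, so the loose ZIP rule never eats the
# tail of a phone number or a year out of a date that an earlier rule owns.
# The month rule is deliberately greedy ("may 5" is a false positive): a false
# positive costs a little context, a miss leaks PHI.
PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("url",   re.compile(r"\bhttps?://\S+")),
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("date",  re.compile(r"\b\d{4}-\d{2}-\d{2}\b")),                         # 2024-11-05
    ("date",  re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),                  # 03/14/1988
    ("date",  re.compile(rf"\b{MONTH}\s+\d{{1,2}}(?:,\s*\d{{4}})?\b", re.I)),  # Nov 1, 2024
    ("ip",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("zip",   re.compile(r"\b\d{5}(?:-\d{4})?\b")),
    ("age90", re.compile(r"\b(?:9\d|1\d\d)[-\s](?:year|yr)s?[-\s]old\b", re.I)),  # ages over 89
]

# Placeholder labels (assumed for the example); Safe Harbor allows a year on
# its own and an aggregated "90 or older" age, hence the AGE label.
LABELS = {
    "email": "[EMAIL]", "url": "[URL]", "ssn": "[SSN]", "phone": "[PHONE]",
    "date": "[DATE]", "ip": "[IP]", "zip": "[ZIP]", "age90": "[AGE 90+]",
    "name": "[CLIENT]", "place": "[LOCATION]",
}


def _roster(entries: Sequence[str], split_parts: bool) -> List[str]:
    """Expand roster entries into search tokens, longest first so a full name
    is replaced before its parts. Name parts shorter than three characters are
    skipped so initials and short common words are not rewritten."""
    tokens = set()
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        tokens.add(entry)
        if split_parts:
            tokens.update(p for p in entry.split() if len(p) >= 3)
    return sorted(tokens, key=len, reverse=True)


def scrub(text: str, names: Sequence[str] = (), places: Sequence[str] = ()) -> Tuple[str, Dict[str, int]]:
    """Replace identifiers with bracketed labels; return (text, counts per category).
    Pattern rules run before the roster so an email containing a first name is
    removed whole instead of being half-rewritten."""
    counts: Dict[str, int] = {}
    out = text
    for category, pattern in PATTERNS:
        out, n = pattern.subn(LABELS[category], out)
        if n:
            counts[category] = counts.get(category, 0) + n
    for category, tokens in (("name", _roster(names, True)), ("place", _roster(places, False))):
        for token in tokens:
            out, n = re.subn(rf"\b{re.escape(token)}\b", LABELS[category], out, flags=re.I)
            if n:
                counts[category] = counts.get(category, 0) + n
    return out, counts


def residual_identifiers(text: str) -> Dict[str, List[str]]:
    """Re-scan for pattern-shaped identifiers still present; used as the gate."""
    found: Dict[str, List[str]] = {}
    for category, pattern in PATTERNS:
        hits = pattern.findall(text)
        if hits:
            found.setdefault(category, []).extend(hits)
    return found


def ready_to_paste(text: str, names: Sequence[str] = (), places: Sequence[str] = ()):
    """Scrub, then re-scan. Paste only when the third value (residual) is empty."""
    cleaned, counts = scrub(text, names, places)
    return cleaned, counts, residual_identifiers(cleaned)


# Constructed sample note: every identifier here is fictional.
SAMPLE_NOTE = (
    "Client: Maria Hernandez (DOB 03/14/1988), seen 2024-11-05 at Oak Street Clinic, "
    "Springfield IL 62704. Reported calling her sister at 217-555-0142 after a panic "
    "episode on Nov 1, 2024; can be reached at maria.h88@example.com. Presenting problem: "
    "generalized anxiety, GAD-7 score 15. Her 92-year-old grandmother lives with her. "
    "Next session 11/12/2024."
)

if __name__ == "__main__":
    cleaned, counts, leftover = ready_to_paste(
        SAMPLE_NOTE, names=["Maria Hernandez"], places=["Oak Street Clinic", "Springfield IL"]
    )
    print(cleaned)
    print("replacements:", counts)
    print("residual:", leftover or "none")
```

The placeholders keep the clinical content (score, presenting problem, family context) intact while removing the identifiers; before pasting, a clinician can hand-edit “[DATE]” into the relative references the article recommends (“last week”, “this session”) to give the model more context. Anything the re-scan still flags, and anything the roster did not know about, is a reason to stop and edit by hand rather than paste.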

Copy-Paste: The HIPAA-Safe Session Prompt

This prompt is designed to work on any ChatGPT plan — it explicitly signals to the model that the input is already de-identified and instructs it to produce clinical output without seeking additional identifying information.

Copy-paste ChatGPT prompt template for writing progress notes safely using de-identified session notes without requiring a HIPAA BAA

Before and After: Free ChatGPT vs. Enterprise BAA

The difference between using ChatGPT with and without a BAA isn’t about the output — it’s about what you’re legally allowed to put in.

Example comparing the HIPAA risks of using free ChatGPT with PHI versus using ChatGPT Enterprise with a signed BAA and de-identified data

The key insight from the comparison: even with a BAA, de-identification is still the safest practice. A BAA reduces legal exposure; it does not eliminate the risk of a data incident, and de-identified data is worth far less to anyone who obtains it if one happens. Clinicians who de-identify regardless of their plan have the most defensible workflow, whatever their AI provider’s compliance posture looks like as terms change. Whether ChatGPT is HIPAA compliant for your practice isn’t a one-time question; it’s a standing policy decision that needs to be revisited as OpenAI’s terms and your organization’s tools evolve.

FAQ: Is ChatGPT HIPAA Compliant?

Can therapists use ChatGPT to write clinical notes legally?
Yes — with the right approach. Using de-identified notes on any ChatGPT plan is legally permissible because de-identified information is not PHI under HIPAA. Using PHI on ChatGPT Free or Plus is not permissible because there’s no BAA. Using PHI on ChatGPT Enterprise with a signed BAA and appropriate safeguards is permissible. Most private-practice therapists should default to the de-identification approach.

Does OpenAI offer a Business Associate Agreement?
Yes — OpenAI offers a BAA for ChatGPT Enterprise customers and for organizations using the OpenAI API with a HIPAA compliance configuration. The BAA covers specific products and uses; review it carefully with your compliance officer or healthcare attorney before assuming all ChatGPT features are covered. The consumer Free and Plus plans do not include a BAA option.

What counts as PHI when using ChatGPT for therapy notes?
PHI is individually identifiable health information: anything that relates to a person’s health condition, treatment, or payment for care and that identifies them or could reasonably be used to identify them. In clinical documentation, the most common identifiers are: full name, specific dates (session dates, dates of birth), geographic information smaller than a state, contact details, and the combination of diagnosis with any other identifier. A first name is still a name under Safe Harbor and has to go; a first name plus a diagnosis, session date, and presenting problem is unambiguously PHI. When in doubt, replace it.

Is using ChatGPT for therapy notes an ethics violation?
Not inherently — but ethics codes around confidentiality, informed consent, and data security apply. The APA’s ethics code requires taking reasonable precautions to protect confidential information. Using de-identified notes and disclosing your AI-assisted documentation workflow to clients in your informed consent is the ethically sound approach. Check your licensing board’s current guidance; some state boards have issued specific AI documentation guidance as of 2025-2026.

The Shortcut

Once you have a HIPAA-safe workflow in place, the next step is having the right prompts for every documentation task — not just progress notes. Our Therapist AI Toolkit includes 200+ ready-to-use prompts for progress notes, treatment plans, intake paperwork, psychoeducation scripts, and private practice marketing — all structured for de-identified use so you can paste and go on any plan.

Also available on Gumroad.
