Vendor compliance profile

Is ChatGPT HIPAA compliant?

ChatGPT should only be used with PHI under eligible OpenAI products and agreements. OpenAI states API BAA coverage is limited to eligible zero-retention endpoints, and ChatGPT BAA availability is limited to certain Enterprise or Edu sales-managed accounts; standard consumer use is not PHI-ready.

HIPAA status signal: Conditional
BAA public signal: Eligible products only
SOC 2 evidence signal: Public evidence

PHI warning: Prompts, uploaded files, transcripts, and connected tools can contain PHI even when users intend to de-identify data.

Search query answers

Is ChatGPT SOC 2 Type II?

OpenAI publishes enterprise security and privacy documentation, but public materials alone do not establish the report type or period. Buyers should request the current SOC 2 report through OpenAI's trust or procurement process and confirm that it is a Type II report whose period and scope cover the services they intend to buy. SOC 2 evidence does not by itself authorize HIPAA PHI use.

What should buyers verify for ChatGPT Enterprise SOC 2 Type II?

For ChatGPT Enterprise SOC 2 Type II review, verify the current report period, service scope, trust services criteria, exceptions, subprocessors, support access, data retention, connector coverage, and whether the specific Enterprise workspace features are included.

Does ChatGPT Enterprise SOC 2 Type II mean HIPAA is covered?

No. SOC 2 Type II evidence can support security review, but HIPAA PHI use still depends on eligible product scope, BAA terms, retention settings, connectors, workspace configuration, and legal or compliance approval.

Can ChatGPT be used with PHI?

ChatGPT should only be used with PHI under eligible OpenAI products, an appropriate BAA, reviewed retention settings, covered endpoints or accounts, and an approved workflow. Consumer ChatGPT and unsupported plans should not receive PHI.

Does ChatGPT Enterprise make HIPAA use automatic?

No. Enterprise security controls and SOC evidence do not automatically approve PHI use. Buyers still need eligible product scope, BAA terms, retention controls, covered account type, configuration, and legal or compliance review.

Is ChatGPT Business covered by an OpenAI BAA?

OpenAI public healthcare materials reviewed by ComplySaaS say ChatGPT BAA eligibility is limited to certain Enterprise or Edu sales-managed accounts, not ChatGPT Business. Verify directly with OpenAI before any PHI workflow.

HIPAA, BAA, and SOC 2 summary

HIPAA: OpenAI documents BAA paths for API services and limited ChatGPT Enterprise/Edu situations. Eligibility, endpoints, retention controls, and account type matter.
BAA: For API services, OpenAI says customers need a BAA before using PHI and that only endpoints eligible for zero retention are covered. For ChatGPT, OpenAI says BAA eligibility is for certain Enterprise or Edu sales-managed accounts, not ChatGPT Business.
SOC 2: OpenAI publishes enterprise privacy and security commitments. Request current SOC 2 evidence through OpenAI's trust or procurement process.
PHI risk: Prompts, uploaded files, transcripts, and connected tools can contain PHI even when users intend to de-identify data.
Category: HIPAA-Compliant AI Chatbots and Assistants
Last checked: 2026-06-01
Confidence: High

Public evidence and open questions

What public sources say

  • OpenAI documents BAA paths for API services and limited ChatGPT Enterprise or Edu situations.
  • OpenAI states API BAA coverage is limited to eligible zero-retention endpoints.
  • OpenAI says ChatGPT BAA eligibility is limited to certain Enterprise or Edu sales-managed accounts, not ChatGPT Business.

What remains unconfirmed

  • Whether the buyer's exact OpenAI product, endpoint, retention setting, workspace, connector, and support path are covered.
  • Whether prompts, uploads, transcripts, outputs, and connected tools can be governed for the intended PHI workflow.

What it may be used for

  • Non-PHI drafting, policy research, summarization, and operational support where regulated data is excluded.
  • PHI workflows only under eligible OpenAI products, appropriate BAA terms, retention controls, and approved configuration.
  • Vendor security review where SOC 2 evidence, data retention, connector scope, and support access are evaluated together.

What not to use it for

  • Entering PHI into consumer ChatGPT, unsupported plans, unsupported connectors, or accounts without verified BAA coverage.
  • Uploading patient files, transcripts, images, exports, or notes before retention, logging, and covered-product scope are verified.
  • Treating ChatGPT Enterprise, SOC 2 evidence, or privacy controls as automatic HIPAA authorization.

What to verify with the vendor

  • Whether the exact OpenAI product, account type, endpoint, connector, and workspace are eligible for BAA coverage.
  • Whether retention, training, abuse monitoring, logging, support access, and data export settings match the intended PHI workflow.
  • Whether prompts, uploads, outputs, transcripts, custom GPTs, files, connectors, and audit logs stay inside covered scope.
  • Whether the current SOC 2 report scope covers the services used by the buyer.

Safer alternatives and related profiles

Safer alternatives to consider

  • A healthcare-focused AI or transcription vendor with explicit BAA coverage for the exact PHI workflow.
  • OpenAI API endpoints only where BAA eligibility, zero-retention requirements, and covered endpoints are verified.
  • Manual de-identification or non-PHI workflows when BAA scope cannot be confirmed.

FAQ


Will ChatGPT sign a BAA?

For API services, OpenAI says customers need a BAA before using PHI and that only endpoints eligible for zero retention are covered. For ChatGPT, OpenAI says BAA eligibility is for certain Enterprise or Edu sales-managed accounts, not ChatGPT Business.

Does SOC 2 mean ChatGPT is HIPAA compliant?

No. SOC 2 evidence can support security diligence, but it does not prove HIPAA compliance, confirm BAA coverage, or approve PHI use. Review HIPAA terms, BAA scope, covered services, configuration, and intended workflow separately.

Last checked and source notes

Dataset rows: 268 vendors
  • Reviewed OpenAI public BAA and healthcare materials for API and ChatGPT Enterprise/Edu eligibility signals on 2026-06-01.
  • OpenAI product eligibility, retention settings, endpoint scope, connectors, and workspace configuration can materially change risk.
  • ComplySaaS did not verify a private OpenAI contract or customer-specific BAA.
  • OpenAI Help: BAA for API services
  • OpenAI enterprise privacy
  • OpenAI for healthcare