Vendor compliance profile
ChatGPT SOC 2, HIPAA, BAA, and PHI notes
ChatGPT should only be used with PHI under eligible OpenAI products and agreements. OpenAI states API BAA coverage is limited to eligible zero-retention endpoints, and ChatGPT BAA availability is limited to certain Enterprise or Edu sales-managed accounts; standard consumer use is not PHI-ready.
- HIPAA status signal: Conditional
- BAA public signal: Eligible products only
- SOC 2 evidence signal: Public evidence
PHI warning: Prompts, uploaded files, transcripts, and connected tools can contain PHI even when users intend to de-identify data.
HIPAA, BAA, and SOC 2 summary
| Topic | Summary |
|---|---|
| HIPAA | OpenAI documents BAA paths for API services and limited ChatGPT Enterprise/Edu situations. Eligibility, endpoints, retention controls, and account type matter. |
| BAA | For API services, OpenAI says customers need a BAA before using PHI and that only endpoints eligible for zero retention are covered. For ChatGPT, OpenAI says BAA eligibility is for certain Enterprise or Edu sales-managed accounts, not ChatGPT Business. |
| SOC 2 | OpenAI publishes enterprise privacy and security commitments. Request current SOC 2 evidence through OpenAI's trust or procurement process. |
| Category | HIPAA-Compliant AI Chatbots and Assistants |
What it may be used for
- General business workflows that do not include PHI.
- Healthcare-adjacent operations after BAA scope and configuration have been verified.
- Vendor risk review, procurement research, and compliance planning.
What not to use it for
- Storing diagnosis, treatment, patient notes, or identifiers without verified BAA coverage.
- Sending PHI through unsupported forms, messages, automations, or integrations.
- Replacing legal, compliance, security, or vendor contract review.
What to verify with the vendor
- Whether the vendor will sign a BAA for your exact product, plan, and use case.
- Which services, add-ons, regions, and support channels are covered by the agreement.
- Whether your intended workflow stores, transmits, or processes PHI.
- Which admin, access control, retention, audit log, and encryption settings must be enabled.
FAQ
Is ChatGPT HIPAA compliant?
ChatGPT should only be used with PHI under eligible OpenAI products and agreements. OpenAI states API BAA coverage is limited to eligible zero-retention endpoints, and ChatGPT BAA availability is limited to certain Enterprise or Edu sales-managed accounts; standard consumer use is not PHI-ready.
Will ChatGPT sign a BAA?
For API services, OpenAI says customers need a BAA before using PHI and that only endpoints eligible for zero retention are covered. For ChatGPT, OpenAI says BAA eligibility is for certain Enterprise or Edu sales-managed accounts, not ChatGPT Business.
Can ChatGPT be used with PHI?
Do not use this vendor with PHI until your organization verifies BAA scope, covered services, configuration, access controls, data retention, and connected integrations.
Last checked and source notes
- Last checked: 2026-04-30
- Confidence: High
- Dataset rows: 267 vendors
- ComplySaaS public vendor dataset entry.
- Vendor trust center, legal terms, BAA documentation, and covered services should be re-checked before use.
- OpenAI Help: BAA for API services
- OpenAI enterprise privacy
- OpenAI for healthcare