Can you use ChatGPT or other AI tools with PHI under HIPAA?
Under HIPAA, you may only use an AI tool with Protected Health Information (PHI) if the vendor will sign a Business Associate Agreement (BAA) and you apply the required safeguards. Most consumer AI tools will not sign a BAA, so pasting PHI into a personal ChatGPT or Claude account is a HIPAA violation and a reportable breach risk.
Who it applies to
Covered entities and business associates in US healthcare — providers, payers, and their vendors — handling Protected Health Information.
What it requires
- A Business Associate Agreement (BAA) with any AI vendor that touches PHI.
- Administrative, physical, and technical safeguards (45 CFR §164.308/.312).
- Access controls and audit trails for systems handling PHI.
- Breach-notification readiness if PHI is exposed.
How to comply
- Prohibit PHI in any AI tool that has not signed a BAA.
- Use only AI services that offer a BAA, or de-identify data first.
- Mask PHI on-device before it reaches the AI tool.
- Document safeguards and access controls for your evidence pack.
- Train clinical and operations staff on the rules for handling PHI in AI tools.
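The first three steps above (prohibit PHI in non-BAA tools, use BAA-covered services or de-identify first, mask on-device before anything is sent) can be enforced as a single pre-send gate in the client. The following is an added example written for this page, not code from the guide or from any vendor. It assumes a constructed vendor allow-list with placeholder hostnames, a constructed clinical note as sample input, and a regex subset of the HIPAA Safe Harbor identifiers (SSN, phone, email, dates, MRN); names and free-text details are deliberately out of scope for a regex layer, which is why the gate blocks rather than sends when it finds PHI and no BAA is in place.

```python
import re
from dataclasses import dataclass, field

# Constructed allow-list: AI endpoints covered by a signed BAA. Placeholder hostnames only.
BAA_COVERED_VENDORS = {"ai.example-baa-vendor.invalid"}

# Regex subset of Safe Harbor identifiers (constructed; a first-line filter, not full
# de-identification). Order matters: SSN runs before PHONE so the two cannot overlap.
PHI_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "DATE": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "MRN": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
}

# Constructed sample note; every identifier in it is fictitious.
SAMPLE_NOTE = (
    "Pt John Q. Sample, MRN 00123456, DOB 03/15/1962, SSN 123-45-6789. "
    "Seen 2024-03-15 for follow-up. Call 555-123-4567 or j.sample@example.org."
)


@dataclass
class ScrubResult:
    text: str
    findings: dict = field(default_factory=dict)  # PHI category -> number of matches

    @property
    def contains_phi(self) -> bool:
        return bool(self.findings)


def scrub_phi(text: str) -> ScrubResult:
    """Replace each PHI match with a category token and count what was removed per category."""
    findings = {}
    for category, pattern in PHI_PATTERNS.items():
        text, n = pattern.subn(f"[{category}]", text)
        if n:
            findings[category] = n
    return ScrubResult(text, findings)


def prepare_ai_request(text: str, vendor_host: str, strict: bool = True) -> dict:
    """Decide what may leave the device for this vendor and produce an audit record.

    BAA-covered vendor: the raw text may be sent (the other safeguards still apply).
    No BAA: only masked text may be sent; in strict mode any detected PHI blocks the
    request instead, because regex masking alone is not full de-identification.
    When nothing matched, "send_masked" carries the text unchanged.
    """
    result = scrub_phi(text)
    baa = vendor_host in BAA_COVERED_VENDORS
    if baa:
        decision, outgoing = "send_raw", text
    elif result.contains_phi and strict:
        decision, outgoing = "blocked", None
    else:
        decision, outgoing = "send_masked", result.text
    # Audit record for the access/audit-trail requirement: what went where, and which PHI
    # categories were detected. Never log the PHI itself.
    audit = {
        "vendor": vendor_host,
        "baa": baa,
        "decision": decision,
        "phi_categories": result.findings,
    }
    return {"decision": decision, "outgoing_text": outgoing, "audit": audit}


if __name__ == "__main__":
    for host in ("ai.example-baa-vendor.invalid", "chat.consumer-ai.invalid"):
        out = prepare_ai_request(SAMPLE_NOTE, host)
        print(out["audit"])
        print(out["outgoing_text"])
```

In practice the gate sits in the browser extension, EHR integration or proxy that staff actually use, so that the policy does not depend on each user remembering the rule; the audit dict is what you would ship to your log store as evidence that the control ran.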
See exactly where you stand
Run a free 2-minute AI Exposure assessment — your risk scored and mapped to the EU AI Act, GDPR, and HIPAA, with a remediation plan and a starter policy.
This guide is general information, not legal advice. Confirm specifics with your counsel or compliance team.