Is ChatGPT HIPAA Compliant? A deep dive.

By Mani Batra

Is ChatGPT HIPAA compliant?

In the realm of artificial intelligence, ChatGPT has emerged as a revolutionary tool. It's an AI model developed by OpenAI that generates human-like text. However, a question that often arises in the healthcare sector is, "Is ChatGPT HIPAA compliant?" This blog post aims to dissect this question, delving into the workings of ChatGPT, its HIPAA compliance status, and contrasting it with Everbility, a HIPAA compliant alternative.

How ChatGPT Works

ChatGPT, developed by OpenAI, uses machine learning to generate human-like text. It's a variant of the GPT (Generative Pretrained Transformer) model, which is trained on a diverse range of internet text. However, unlike its predecessor, ChatGPT is fine-tuned with human supervision.

The model takes a string of text as input and predicts the next word based on the context provided by the previous words. This process is repeated to generate a full sentence or paragraph. The result is an AI tool that can write coherent and contextually relevant text, making it an invaluable asset for allied health assistants and other healthcare professionals.

Why ChatGPT is Not HIPAA Compliant

HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company dealing with protected health information (PHI) must ensure that all required physical, network, and process security measures are in place and followed.

While ChatGPT is a powerful tool, it falls short of being HIPAA compliant for several reasons.

  • Data used for training AI models: By default, any data you enter into ChatGPT is used to train its AI models. This is a major concern for healthcare providers, because PHI entered into the tool leaves their control and is exposed to potential data breaches. This feature can be turned off, and we talk about this next.

  • Turning off data use for training and chat history: When ChatGPT's chat history feature is turned off, the data is no longer used for training, but it is still retained for 30 days for abuse and misuse prevention. This retention period, even if temporary, is a point of contention when it comes to HIPAA compliance. The same applies to use of the API, where data is stored for 30 days.

  • No Business Associate Agreement (BAA) in place with OpenAI: A BAA is a written contract between a Covered Entity and a Business Associate and is required under HIPAA. The BAA ensures that Business Associates will appropriately safeguard PHI. The absence of a BAA with OpenAI further emphasizes the non-compliance of ChatGPT with HIPAA.

Even though OpenAI has some of the strictest data privacy and security policies in the industry, the lack of a BAA, the use of data for training, and the retention of data on OpenAI's systems make ChatGPT non-compliant with HIPAA.

Everbility - A HIPAA Compliant Alternative

In contrast to ChatGPT, Everbility stands as a HIPAA compliant alternative.

  • Everbility does not use any data for training its AI models, ensuring that sensitive health information is not compromised. This approach aligns with HIPAA's stringent data privacy and security provisions.

  • Everbility has a special contract with OpenAI that ensures zero data retention: This provision eliminates the risk associated with data storage and potential breaches, making it a safe alternative in terms of HIPAA compliance.

  • Everbility also has BAAs with all its vendors, including AI providers. These agreements ensure that all parties involved in handling PHI understand and commit to maintaining the necessary safeguards. This commitment to HIPAA compliance makes Everbility a reliable choice for healthcare providers seeking AI solutions.
While ChatGPT is a powerful AI tool, its current data handling practices and lack of a BAA make it non-compliant with HIPAA. For healthcare providers and other entities dealing with PHI, it's crucial to consider these factors when choosing an AI solution. Everbility, with its commitment to zero data retention and HIPAA compliance, emerges as a more suitable option in such scenarios.

As AI continues to evolve, the conversation around data privacy and security becomes increasingly important. Ensuring that these tools comply with regulations like HIPAA is not just a legal necessity but also a commitment to maintaining trust and integrity in the healthcare sector.