Does Anthropic Sign a HIPAA Business Associate Agreement?
By BAA Generator Research Team · Published Apr 19, 2026 · Last reviewed Apr 28, 2026 · 3 min read
Key Takeaways
- ✓ Yes — Anthropic signs a HIPAA BAA for Claude Enterprise and qualifying API customers
- ✗ Claude.ai Free, Pro, and Team plans are NOT covered by a BAA
- ✓ Enterprise API customers execute a DPA that includes HIPAA BAA provisions
- ✓ Contact Anthropic's enterprise team before processing any PHI via the API
Anthropic Product HIPAA Coverage at a Glance
| Anthropic Product | HIPAA BAA Available? | Notes |
|---|---|---|
| Anthropic API (enterprise) | Yes | DPA with HIPAA BAA provisions; contact enterprise sales |
| Claude for Enterprise | Yes | BAA available through enterprise agreement |
| Claude.ai Free | No | Consumer product; not HIPAA eligible |
| Claude.ai Pro | No | Consumer subscription; not HIPAA eligible |
| Claude.ai Team | No | Not covered by BAA; verify current status with Anthropic |
Claude Enterprise BAA Eligibility
Claude Enterprise is Anthropic's offering specifically designed for organizations that need administrative controls, security guarantees, and compliance frameworks — including HIPAA. Unlike consumer Claude.ai plans, Claude Enterprise customers can execute a HIPAA BAA with Anthropic as part of the enterprise contract.
What's covered under the Claude Enterprise BAA:
- Conversation data with PHI — Claude Enterprise enforces zero-retention by default for chat content (Anthropic does not retain conversations for model training).
- Document uploads containing PHI — files attached to conversations are processed under BAA-covered handling.
- Workspace administration — admin controls for SSO, audit logs, user provisioning, and data export are HIPAA-aligned.
- Projects feature — when used with PHI, project context and Custom Instructions are covered.
Common Claude Enterprise healthcare use cases: clinical decision support drafting (with physician review), patient communication drafting, summarizing intake notes for quality review, building internal compliance reports. Always pair with appropriate clinical workflows — Claude is a tool, not a substitute for clinical judgment.
Claude Enterprise pricing is custom (not published) and starts at meaningful annual commitments. Contact Anthropic sales to scope a healthcare-focused deployment.
Anthropic API BAA for Healthcare Customers
The Anthropic API can be used in HIPAA-compliant healthcare applications when you execute a Data Processing Addendum (DPA) with Anthropic that includes HIPAA BAA provisions. This is the most common path for healthcare AI startups, EHR vendors integrating Claude, and digital health applications building Claude-powered features.
What the API BAA covers:
- Inference requests — your prompts and Claude's responses, when both may contain PHI
- Streaming responses — same coverage as completed responses
- Vision input — images containing PHI sent to multimodal Claude models
- Tool use / function calling — when tool definitions or arguments include PHI
- Batch API — bulk inference jobs are BAA-covered when the DPA is in place
Critical implementation guidance for healthcare API users:
- Use API keys tied to your BAA-covered organization, not personal accounts.
- Configure zero-retention mode if available for your use case — this disables Anthropic's logging of conversation content.
- Implement request-level audit logging on your side — your application is responsible for its own HIPAA audit trail.
- For Claude on AWS Bedrock or Claude on Google Vertex AI, BAA coverage runs through the cloud provider (AWS Artifact for Bedrock, Google Cloud BAA for Vertex AI), not directly through Anthropic.
How the Anthropic API BAA Process Works
For organizations building healthcare AI applications on the Anthropic API (using Claude models), the path to HIPAA compliance involves executing a Data Processing Addendum with Anthropic that includes HIPAA Business Associate Agreement provisions.
The typical process:
- Step 1: Contact Anthropic's enterprise sales team and state that your use case involves PHI
- Step 2: Anthropic will provide a DPA that includes BAA provisions covering their API services
- Step 3: Legal review and execution of the DPA/BAA
- Step 4: Implement appropriate technical safeguards in your application (access controls, audit logs, encryption)
- Step 5: Retain the executed agreement in your HIPAA compliance documentation
What Claude.ai Consumer Plans Cannot Do
Claude.ai's consumer tiers — Free, Pro, and Team — are not covered by any HIPAA BAA. This means:
- You cannot paste patient names, diagnoses, or treatment information into Claude.ai Pro, even for your own internal purposes
- You cannot use Claude.ai Free or Pro to summarize clinical notes
- You cannot use the Claude.ai Team plan for any PHI-containing workflow
- There is no organizational policy or internal HIPAA compliance program that changes this — the violation lies in the absence of a BAA with Anthropic
This is a meaningful risk for healthcare organizations where clinicians may personally subscribe to AI tools and begin using them with patient data. Governance policies and staff training are essential to prevent unauthorized PHI exposure through consumer AI tools.
Building HIPAA-Compliant Healthcare AI with Claude
Healthcare technology companies using Claude via the Anthropic API should build their HIPAA compliance framework to include:
- Executed DPA/BAA with Anthropic before any PHI enters the API
- PHI minimization or de-identification where clinically feasible before sending to the API
- Audit logging of all prompts and completions that involve PHI
- Role-based access controls on which users and systems can invoke PHI-containing API calls
- A HIPAA Security Risk Analysis that includes the AI system as a PHI touchpoint
- BAAs with your cloud infrastructure providers (AWS, GCP, Azure) where data is stored
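One way to combine the role check, PHI minimization, and request-level audit logging from the list above in application code. This is an added example, not Anthropic's or the authors' code. The role names, the regex patterns, the `send` callable standing in for your API client, and the choice to log keyed digests rather than raw prompt text are all assumptions.

```python
import hashlib, hmac, json, re, time

AUDIT_KEY = b"constructed-demo-key"   # assumption: loaded from a secrets manager in practice
PHI_ROLES = {"clinician", "quality_reviewer"}   # hypothetical role names
PATTERNS = {   # constructed; three identifier types only, not a complete de-identifier
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MRN": re.compile(r"\bMRN[:\s]*\d{6,10}\b", re.I),
    "DOB": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
}

def minimize(text):
    """Replace matched identifiers with a label; return (text, count per label)."""
    counts = {}
    for label, pattern in PATTERNS.items():
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return text, counts

def mac(value):   # keyed digest: the log can reference content without storing it
    return hmac.new(AUDIT_KEY, value.encode(), hashlib.sha256).hexdigest()

class AuditLog:
    """Append-only list in which each entry's MAC also covers the previous MAC."""
    def __init__(self):
        self.entries, self._prev = [], "0" * 64
    def append(self, **record):
        body = dict(record, ts=time.time(), prev=self._prev)
        body["mac"] = self._prev = mac(json.dumps(body, sort_keys=True))
        self.entries.append(body)
    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "mac"}
            expected = mac(json.dumps(body, sort_keys=True))
            if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], expected):
                return False
            prev = entry["mac"]
        return True

def guarded_call(user, role, prompt, send, log):
    if role not in PHI_ROLES:   # access control comes before any data leaves
        log.append(user=user, role=role, event="denied")
        raise PermissionError(f"role {role!r} may not send PHI-bearing requests")
    clean, redactions = minimize(prompt)
    completion = send(clean)   # `send` is a hypothetical stand-in for your API client
    log.append(user=user, role=role, event="inference", redactions=redactions,
               prompt_mac=mac(clean), completion_mac=mac(completion))
    return completion
```

Chaining each entry's MAC to the previous one means an edited or deleted record makes `verify()` fail, which is what lets the log serve as evidence rather than just a debug trace.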
Frequently Asked Questions
Does Anthropic sign a HIPAA BAA?
Yes — for Claude Enterprise and qualifying API customers who execute a DPA with HIPAA BAA provisions. Claude.ai Free, Pro, and Team cannot be used with PHI. Contact Anthropic's enterprise team to execute a BAA.
Can I use Claude for healthcare applications?
Yes — via the Anthropic API or Claude Enterprise with an executed BAA. Consumer Claude.ai plans cannot be used with PHI under any circumstances.
Is the Anthropic API HIPAA compliant with a BAA?
The Anthropic API can support HIPAA-compliant applications when you have an executed DPA/BAA. HIPAA compliance is shared — Anthropic covers their infrastructure; you must implement safeguards in your own application and systems.
For a broader look at which AI vendors sign HIPAA BAAs, see our vendor BAA lookup guide.