Vendor BAA Guide

Does Anthropic Sign a HIPAA Business Associate Agreement?

Q: Does Anthropic sign a HIPAA BAA?

Yes — Anthropic signs a HIPAA BAA for Claude for Enterprise and qualifying API customers who execute a Data Processing Addendum (DPA) that includes HIPAA BAA provisions. Claude.ai Free, Pro, and Team plans are not covered by a BAA and cannot be used with PHI.

Q: Can I use Claude for healthcare applications?

Yes — if you are using the Anthropic API or Claude Enterprise with an executed BAA/DPA, you may build healthcare AI applications that process PHI. The standard consumer Claude.ai plans (Free, Pro, Team) cannot be used with PHI under any plan.

Q: Is the Anthropic API HIPAA compliant with a BAA?

The Anthropic API can be used in HIPAA-compliant healthcare applications when you have executed a Data Processing Addendum (DPA) with HIPAA BAA provisions with Anthropic's enterprise team. Contact Anthropic's sales team to initiate this process.

By BAA Generator Editorial · Published Apr 19, 2026 · Last reviewed Apr 19, 2026 · 5 min read

Key Takeaways

✓ Yes — Anthropic signs a HIPAA BAA for Claude Enterprise and qualifying API customers
✗ Claude.ai Free, Pro, and Team plans are NOT covered by a BAA
✓ Enterprise API customers execute a DPA that includes HIPAA BAA provisions
✓ Contact Anthropic's enterprise team before processing any PHI via the API

Direct answer: Yes — Anthropic signs a HIPAA Business Associate Agreement for Claude for Enterprise and qualifying API customers who execute a Data Processing Addendum (DPA) including HIPAA BAA provisions. Claude.ai Free, Pro, and Team plans cannot be used with PHI. Contact Anthropic's enterprise team to initiate the BAA process before processing any protected health information.

Anthropic Product HIPAA Coverage at a Glance

Anthropic Product	HIPAA BAA Available?	Notes
Anthropic API (enterprise)	Yes	DPA with HIPAA BAA provisions; contact enterprise sales
Claude for Enterprise	Yes	BAA available through enterprise agreement
Claude.ai Free	No	Consumer product; not HIPAA eligible
Claude.ai Pro	No	Consumer subscription; not HIPAA eligible
Claude.ai Team	No	Not covered by BAA; verify current status with Anthropic

How the Anthropic API BAA Process Works

For organizations building healthcare AI applications on the Anthropic API (using Claude models), the path to HIPAA compliance involves executing a Data Processing Addendum with Anthropic that includes HIPAA Business Associate Agreement provisions.

The typical process:

Step 1: Contact Anthropic's enterprise sales team and identify your use case involves PHI
Step 2: Anthropic will provide a DPA that includes BAA provisions covering their API services
Step 3: Legal review and execution of the DPA/BAA
Step 4: Implement appropriate technical safeguards in your application (access controls, audit logs, encryption)
Step 5: Retain the executed agreement in your HIPAA compliance documentation

What Claude.ai Consumer Plans Cannot Do

Claude.ai's consumer tiers — Free, Pro, and Team — are not covered by any HIPAA BAA. This means:

You cannot paste patient names, diagnoses, or treatment information into Claude.ai Pro, even for your own internal purposes
You cannot use Claude.ai Free or Pro to summarize clinical notes
You cannot use the Claude.ai Team plan for any PHI-containing workflow
There is no organizational policy or internal HIPAA compliance program that changes this — the violation lies in the absence of a BAA with Anthropic

This is a meaningful risk for healthcare organizations where clinicians may personally subscribe to AI tools and begin using them with patient data. Governance policies and staff training are essential to prevent unauthorized PHI exposure through consumer AI tools.

Building HIPAA-Compliant Healthcare AI with Claude

Healthcare technology companies using Claude via the Anthropic API should build their HIPAA compliance framework to include:

Executed DPA/BAA with Anthropic before any PHI enters the API
PHI minimization or de-identification where clinically feasible before sending to the API
Audit logging of all prompts and completions that involve PHI
Role-based access controls on which users and systems can invoke PHI-containing API calls
A HIPAA Security Risk Analysis that includes the AI system as a PHI touchpoint
BAAs with your cloud infrastructure providers (AWS, GCP, Azure) where data is stored

Frequently Asked Questions

Does Anthropic sign a HIPAA BAA?

Yes — for Claude Enterprise and qualifying API customers who execute a DPA with HIPAA BAA provisions. Claude.ai Free, Pro, and Team cannot be used with PHI. Contact Anthropic's enterprise team to execute a BAA.

Can I use Claude for healthcare applications?

Yes — via the Anthropic API or Claude Enterprise with an executed BAA. Consumer Claude.ai plans cannot be used with PHI under any circumstances.

Is the Anthropic API HIPAA compliant with a BAA?

The Anthropic API can support HIPAA-compliant applications when you have an executed DPA/BAA. HIPAA compliance is shared — Anthropic covers their infrastructure; you must implement safeguards in your own application and systems.

For a broader look at which AI vendors sign HIPAA BAAs, see our vendor BAA lookup guide.

Note: Vendor BAA policies change. Verify current terms directly with Anthropic before making compliance decisions.

Need your side of the BAA?

Anthropic provides their BAA — but you still need to execute BAAs with all your other vendors. Generate one in minutes.

Generate BAA for Free →