
Does OpenAI Sign a HIPAA Business Associate Agreement?

By BAA Generator Editorial  ·  Published Apr 19, 2026  ·  Last reviewed Apr 19, 2026  ·  5 min read

Key Takeaways

Direct answer: Yes — OpenAI signs a HIPAA Business Associate Agreement for API customers and ChatGPT Enterprise. The standard ChatGPT Plus consumer subscription is NOT HIPAA eligible and may not be used with PHI. Organizations building healthcare AI on the OpenAI API must execute a BAA before processing any protected health information. Verify current terms directly with OpenAI as their compliance posture has evolved rapidly.

Which OpenAI Products Support HIPAA BAAs?

OpenAI Product      | HIPAA BAA Available? | Notes
OpenAI API          | Yes                  | Privacy Addendum includes BAA provisions; accept in API settings
ChatGPT Enterprise  | Yes                  | Contact OpenAI enterprise sales; BAA available
ChatGPT Free        | No                   | Consumer product; not HIPAA eligible
ChatGPT Plus        | No                   | Consumer subscription; not HIPAA eligible
ChatGPT Team        | No                   | Not currently covered by BAA; verify with OpenAI

The OpenAI API and HIPAA Compliance

Healthcare organizations building AI-powered applications on the OpenAI API — such as clinical documentation tools, patient communication bots, or diagnostic support systems — can do so with HIPAA compliance by executing a BAA with OpenAI.

The OpenAI API Privacy Addendum covers Business Associate Agreement provisions for healthcare use cases. To activate:

Note that even with a BAA in place, HIPAA compliance is a shared responsibility. Your application must implement appropriate access controls, audit logging, and data handling procedures. OpenAI's BAA covers OpenAI's handling of the data — it does not make your application automatically HIPAA compliant.

Why ChatGPT Plus Is Not HIPAA Eligible

A common mistake in healthcare: a clinician or administrator subscribes to ChatGPT Plus and uses it to process patient notes or clinical information, believing that because it is a paid service, it is more secure.

This is incorrect. ChatGPT Plus is a consumer product. OpenAI's terms for consumer products do not include BAA provisions, and the data handling, model training, and retention policies for consumer ChatGPT are different from the API and Enterprise offerings.

If PHI enters ChatGPT Plus — even inadvertently — this constitutes a HIPAA violation. No amount of internal HIPAA policy at your organization changes this, because the violation lies in the absence of a BAA with OpenAI.

Building HIPAA-Compliant Healthcare AI with OpenAI

For healthcare technology companies and health systems building AI-powered products on OpenAI, the correct architecture involves:

Frequently Asked Questions

Does OpenAI sign a HIPAA BAA?

Yes — for API customers and ChatGPT Enterprise. Consumer ChatGPT (Free, Plus, Team) is not covered. Accept OpenAI's Privacy Addendum through API settings or contact enterprise sales for ChatGPT Enterprise BAA.

Can I use ChatGPT for healthcare if I have a BAA?

Only if you are using the OpenAI API or ChatGPT Enterprise with an executed BAA. Standard consumer ChatGPT — including Plus — cannot be used with PHI under any circumstances.

Is ChatGPT Plus HIPAA compliant?

No — ChatGPT Plus is a consumer product and OpenAI does not offer a BAA for it. Do not use ChatGPT Plus with patient data.

How do I get a HIPAA BAA from OpenAI?

For API access, accept the Privacy Addendum in your OpenAI platform settings. For ChatGPT Enterprise, contact OpenAI's enterprise sales team. Always verify current process at openai.com.

For a broader look at which vendors sign HIPAA BAAs, see our vendor BAA lookup guide.

Note: Vendor BAA policies change. OpenAI's compliance posture has evolved rapidly. Verify current terms directly with OpenAI before making compliance decisions.
