Vendor BAA Guide

Does OpenAI Sign a HIPAA Business Associate Agreement?

By BAA Generator Research Team · Published Apr 19, 2026 · Last reviewed Apr 28, 2026


Key Takeaways

Direct answer: Yes — OpenAI signs a HIPAA Business Associate Agreement for API customers and ChatGPT Enterprise. The standard ChatGPT Plus consumer subscription is NOT HIPAA eligible and may not be used with PHI. Organizations building healthcare AI on the OpenAI API must execute a BAA before processing any protected health information. Verify current terms directly with OpenAI as their compliance posture has evolved rapidly.

Which OpenAI Products Support HIPAA BAAs?

| OpenAI Product     | HIPAA BAA Available? | Notes                                                              |
|--------------------|----------------------|--------------------------------------------------------------------|
| OpenAI API         | Yes                  | Privacy Addendum includes BAA provisions; accept in API settings   |
| ChatGPT Enterprise | Yes                  | Contact OpenAI enterprise sales; BAA available                     |
| ChatGPT Free       | No                   | Consumer product; not HIPAA eligible                               |
| ChatGPT Plus       | No                   | Consumer subscription; not HIPAA eligible                          |
| ChatGPT Team       | No                   | Not currently covered by BAA; verify with OpenAI                   |

The OpenAI API and HIPAA Compliance

Healthcare organizations building AI-powered applications on the OpenAI API — such as clinical documentation tools, patient communication bots, or diagnostic support systems — can do so with HIPAA compliance by executing a BAA with OpenAI.

The OpenAI API Privacy Addendum covers Business Associate Agreement provisions for healthcare use cases. To activate:

Note that even with a BAA in place, HIPAA compliance is a shared responsibility. Your application must implement appropriate access controls, audit logging, and data handling procedures. OpenAI's BAA covers OpenAI's handling of the data — it does not make your application automatically HIPAA compliant.

Why ChatGPT Plus Is Not HIPAA Eligible

A common mistake in healthcare: a clinician or administrator subscribes to ChatGPT Plus and uses it to process patient notes or clinical information, believing that because it is a paid service it must be more secure.

This is incorrect. ChatGPT Plus is a consumer product. OpenAI's terms for consumer products do not include BAA provisions, and the data handling, model training, and retention policies for consumer ChatGPT are different from the API and Enterprise offerings.

If PHI enters ChatGPT Plus — even inadvertently — this constitutes a HIPAA violation. No amount of internal HIPAA policy at your organization changes this, because the violation lies in the absence of a BAA with OpenAI.

Building HIPAA-Compliant Healthcare AI with OpenAI

For healthcare technology companies and health systems building AI-powered products on OpenAI, the correct architecture involves:

Frequently Asked Questions

Does OpenAI sign a HIPAA BAA?

Yes — for API customers and ChatGPT Enterprise. Consumer ChatGPT (Free, Plus, Team) is not covered. Accept OpenAI's Privacy Addendum through the API settings, or contact enterprise sales for a ChatGPT Enterprise BAA.

Can I use ChatGPT for healthcare if I have a BAA?

Only if you are using the OpenAI API or ChatGPT Enterprise with an executed BAA. Standard consumer ChatGPT — including Plus — cannot be used with PHI under any circumstances.

Is ChatGPT Plus HIPAA compliant?

No — ChatGPT Plus is a consumer product and OpenAI does not offer a BAA for it. Do not use ChatGPT Plus with patient data.

How do I get a HIPAA BAA from OpenAI?

For API access, accept the Privacy Addendum in your OpenAI platform settings. For ChatGPT Enterprise, contact OpenAI's enterprise sales team. Always verify the current process at openai.com.

For a broader look at which vendors sign HIPAA BAAs, see our vendor BAA lookup guide.

Note: Vendor BAA policies change. OpenAI's compliance posture has evolved rapidly. Verify current terms directly with OpenAI before making compliance decisions.
