AI Doctor Notes

HIPAA-Compliant AI for Clinical Notes

Not all AI clinical scribes are actually HIPAA-compliant. Here's the 9-point checklist to verify before you sign anything.

Try AI Doctor Notes free →

Healthcare AI has exploded in 2024-2026, and many vendors claim "HIPAA-compliant" without meaningfully meeting the standard. The penalties for choosing wrong are real: HIPAA breach fines start at $100/record and can reach $1.5M per violation type per year. Here's the diligence checklist.

The 9 things to verify before signing

  1. BAA (Business Associate Agreement) signed and on file. Without a BAA, the vendor is not permitted to handle PHI on your behalf. The BAA should be standard, free, and signed before any PHI is sent.
  2. Encryption in transit (TLS 1.2+). All audio uploads and note downloads should be encrypted in transit with TLS 1.2 or newer. Verify this in the vendor's security documentation.
  3. Encryption at rest (AES-256). Stored audio and notes should be encrypted on disk. This is standard for any HIPAA-eligible cloud service.
  4. Access controls and audit logging. Who can see your PHI, and when was it accessed? You should be able to obtain the audit logs that answer those questions.
  5. Data residency (US-based). PHI should be stored on US servers (or your country's sovereign infrastructure). Vendors using overseas processing are higher-risk.
  6. Data retention policy. How long does the vendor keep your audio/notes? Default should be configurable, not "forever."
  7. Sub-processor list. Many AI tools use third-party LLMs (OpenAI, Anthropic, etc.). Each sub-processor must also have a BAA in place. The vendor should disclose its full stack.
  8. Breach notification within 60 days. Required by HIPAA. Verify the vendor's policy commits to this.
  9. SOC 2 Type II report or equivalent. Independent audit of security practices. Optional but strongly preferred.

Patient consent considerations

HIPAA covers the data side. Patient consent for recording is a separate (state-law) issue:

Red flags in AI scribe vendors

Questions to ask in vendor evaluation

  1. "Can you sign a BAA before I send any PHI?"
  2. "Where physically are my audio recordings and notes stored?"
  3. "Who has access to my PHI within your organization, and is that logged?"
  4. "What's your data retention default for audio recordings?"
  5. "What sub-processors handle PHI on my behalf?"
  6. "What's your breach notification timeline and process?"
  7. "Do you have a SOC 2 Type II report or equivalent?"
  8. "In the event of contract termination, how is my data returned or destroyed?"
  9. "Is my PHI used for training your AI models?"

Stop typing notes. Start seeing patients.

AI listens to the visit, generates a structured SOAP note, posts to your EHR. Save 60+ minutes per provider per day.

Try free for 14 days →

Frequently Asked Questions

Is OpenAI HIPAA-compliant?
OpenAI offers HIPAA-eligible enterprise tiers with BAA available. The standard ChatGPT product (consumer tier) is NOT HIPAA-compliant. Vendors building on OpenAI must use the enterprise tier and have a BAA in place to handle PHI.
Can I just use ChatGPT to draft notes?
No — sending PHI to consumer ChatGPT (the free or Plus tier) is a HIPAA violation. Use HIPAA-eligible enterprise tiers, or use a healthcare-specific AI scribe vendor with BAA.
What's the penalty for a HIPAA breach?
Tiered structure: $100-$50,000 per violation, with annual maximum of $1.5M per violation type. Willful neglect (knew the rules and ignored them) carries higher penalties than reasonable cause.
Do I need cyber insurance specifically for AI tools?
Most cyber liability policies cover AI-related breaches the same as any other technology breach. Verify with your broker and ensure your policy covers third-party processors.
What if my AI scribe vendor has a breach?
Per HIPAA, business associates must notify the covered entity (you) within 60 days. You then have responsibilities to notify affected patients. Strong vendor BAAs include indemnification language for the practice.

Educational content. AI Doctor Notes is HIPAA-compliant and BAA-eligible; for compliance specifics consult our security page or your privacy officer.
