BBAA Atlas

Is OpenAI HIPAA compliant?

AI / LLM API · vendor site ↗

BAA on select plansPHI with conditionsSOC 2 Type II
Will OpenAI sign a HIPAA BAA?
Sometimes — OpenAI signs a HIPAA BAA only on specific plans or add-ons.
OpenAI signs a BAA via its Healthcare Addendum, but coverage is limited to defined Eligible Services: the Zero Retention API (an Org ID with Zero Retention activated) and ChatGPT Enterprise. BAAs are requested via baa@openai.com and reviewed case-by-case.
PHI eligibility
PHI may only be transmitted through OpenAI's Zero Retention API (via an Approved Org ID hitting a zero-retention endpoint) or ChatGPT Enterprise, with a signed Healthcare Addendum/BAA. Consumer ChatGPT, standard non-zero-retention endpoints, and third-party services (Plugins, GPTs) are not eligible.
SOC 2
SOC 2 Type II
Trust center
openai.com
Sub-processors
openai.com
Notes
Consumer ChatGPT (Free, Plus, Pro, Team) and ChatGPT Business are NOT BAA-eligible; only the Zero Retention API and ChatGPT Enterprise are. BAA stance grounded in OpenAI's Healthcare Addendum + BAA PDF (v.111124).
Last verified 2026-05-31confidence: high· Vendor terms change — confirm directly with OpenAI before storing PHI.

Get notified when this changes

We track OpenAI's BAA and HIPAA status. Leave your email and we'll send one note if the verdict on this page changes.

One email per change. No newsletter, no selling your address.

How to request and sign a BAA with OpenAI

Sometimes — OpenAI signs a HIPAA BAA only on specific plans or add-ons.

Request routeSelf-serve — enable it in your account
  1. 1
    Get on a qualifying plan
    OpenAI signs a BAA via its Healthcare Addendum, but coverage is limited to defined Eligible Services: the Zero Retention API (an Org ID with Zero Retention activated) and ChatGPT Enterprise. BAAs are requested via baa@openai.com and reviewed case-by-case.
  2. 2
    Request the Business Associate Agreement
    OpenAI lets you obtain the BAA without a sales call. Follow the path named in the plan requirement above — typically an in-product toggle or a billing / compliance settings page — then request and accept the agreement from your own account.
  3. 3
    Confirm what PHI is allowed before you store any
    PHI may only be transmitted through OpenAI's Zero Retention API (via an Approved Org ID hitting a zero-retention endpoint) or ChatGPT Enterprise, with a signed Healthcare Addendum/BAA. Consumer ChatGPT, standard non-zero-retention endpoints, and third-party services (Plugins, GPTs) are not eligible. Match your configuration to this scope before putting protected health information into OpenAI.
Before you sign — watch for
  • No BAA on the free / consumer tier — you must be on a qualifying paid plan first.
Last verified 2026-05-31 · Plan tiers and BAA terms change often — confirm the current process directly with OpenAI before you rely on it. This is cited public information, not legal advice.

Frequently asked questions

Does OpenAI sign a HIPAA Business Associate Agreement (BAA)?
Sometimes — OpenAI signs a HIPAA BAA only on specific plans or add-ons. OpenAI signs a BAA via its Healthcare Addendum, but coverage is limited to defined Eligible Services: the Zero Retention API (an Org ID with Zero Retention activated) and ChatGPT Enterprise. BAAs are requested via baa@openai.com and reviewed case-by-case.
Is OpenAI HIPAA compliant?
OpenAI can be HIPAA-compliant only on the specific plans or add-ons where it will sign a Business Associate Agreement (BAA). PHI may only be transmitted through OpenAI's Zero Retention API (via an Approved Org ID hitting a zero-retention endpoint) or ChatGPT Enterprise, with a signed Healthcare Addendum/BAA. Consumer ChatGPT, standard non-zero-retention endpoints, and third-party services (Plugins, GPTs) are not eligible.
Can you store PHI (protected health information) in OpenAI?
PHI may only be transmitted through OpenAI's Zero Retention API (via an Approved Org ID hitting a zero-retention endpoint) or ChatGPT Enterprise, with a signed Healthcare Addendum/BAA. Consumer ChatGPT, standard non-zero-retention endpoints, and third-party services (Plugins, GPTs) are not eligible.
Is OpenAI SOC 2 certified?
OpenAI reports a SOC 2 Type II attestation according to its public security documentation.
How do I request a HIPAA BAA from OpenAI?
OpenAI lets you obtain the BAA without a sales call. Follow the path named in the plan requirement above — typically an in-product toggle or a billing / compliance settings page — then request and accept the agreement from your own account. Confirm current terms directly with OpenAI before storing PHI.
What plan do I need to sign a BAA with OpenAI?
OpenAI signs a BAA via its Healthcare Addendum, but coverage is limited to defined Eligible Services: the Zero Retention API (an Org ID with Zero Retention activated) and ChatGPT Enterprise. BAAs are requested via baa@openai.com and reviewed case-by-case.

Sources

OpenAI Healthcare Addendum and BAA (v.111124)
https://cdn.openai.com/osa/healthcare-addendum.pdf
Supports: OpenAI signs a BAA; Eligible Services = Zero Retention API + ChatGPT Enterprise; PHI prohibited on third-party services and non-zero-retention API usedated: 2024-11-11
Enterprise privacy — OpenAI
https://openai.com/enterprise-privacy/
Supports: OpenAI maintains SOC 2 Type II and offers a BAA for eligible API/Enterprise usagedated: undated
This page is cited public information, not legal or compliance advice. A BAA's availability can depend on your specific plan, region, and contract. Always confirm current terms with OpenAI before processing protected health information.

Check another vendor

Anthropic (Claude)BAA on select plansAssemblyAISigns a BAADeepgramSigns a BAAActiveCampaignBAA on select plansAcuity SchedulingBAA on select plansAdobe Acrobat SignBAA on select plans

See all HIPAA compliant AI & LLM APIs
Browse all 105 vendors by category →