HIPAA · 45 CFR Parts 160 & 164 · AI Deployment

Is Your AI Deployment
Actually HIPAA Compliant?

15 structured questions covering every HIPAA safeguard requirement. Get a per-question status with citations and remediation steps. Print a compliance memo in 4 minutes.

๐Ÿฅ
Real Regulatory Logic
Encodes actual HIPAA Privacy Rule, Security Rule, and Breach Notification Rule sections โ€” not generic checklists.
๐Ÿ“‹
Printable Compliance Memo
Export a formatted PDF memo for your Privacy Officer, Security Officer, or legal counsel review.
๐Ÿ”’
Client-Side Only
All logic runs in your browser. Zero PHI or data transmitted anywhere. No account required.

Is ChatGPT / Claude HIPAA Compliant?

Short answer: only with an Enterprise plan plus a signed BAA, and only when PHI is handled correctly. The model itself is never the compliance unit; your deployment is.

Azure OpenAI (Microsoft): BAA available
Microsoft's BAA (part of its Online Services Data Protection Addendum) covers Azure OpenAI Service as a HIPAA-eligible service; confirm that your licensing agreement includes it. Keep PHI workloads in the regions and services the BAA covers. Recommended for health system deployments.
AWS Bedrock (Claude, Titan, etc.): BAA available
Amazon's standard BAA for HIPAA-eligible services covers Amazon Bedrock. Anthropic's Claude models accessed via Bedrock inherit AWS's BAA coverage. You must accept the AWS BAA for the account (through AWS Artifact) before processing PHI; accepting it does not by itself configure encryption, logging, or access control.
Google Vertex AI: BAA available
Google Cloud offers a BAA covering Vertex AI (Gemini, Med-PaLM 2). Healthcare customers must accept the Google Cloud BAA and keep PHI only in projects and services configured and listed as HIPAA-covered.
Anthropic Enterprise (Direct): conditional
Anthropic offers BAAs directly to Enterprise customers. The standard API (api.anthropic.com) and Claude.ai consumer plans are NOT covered by a BAA by default. Contact Anthropic sales for enterprise BAA terms.
John Snow Labs (Healthcare NLP): BAA available
Healthcare-specialized NLP platform. Offers a BAA with on-premise and private cloud deployment options. Purpose-built for clinical text processing with built-in PHI de-identification.
ChatGPT (Consumer / Team): no BAA
OpenAI's consumer ChatGPT (Free, Plus) and ChatGPT Team do NOT come with a BAA and are not HIPAA-eligible. ChatGPT Enterprise includes a BAA, and OpenAI signs API BAAs only on request for eligible customers; verify coverage and the covered endpoints with OpenAI before any PHI use.
Important: A signed BAA is necessary but not sufficient for HIPAA compliance. You still need access controls, audit logging, encryption, breach notification procedures, and workforce training in place. This checklist assesses all of those.
Disclaimer: This tool is a planning aid, not legal advice. HIPAA compliance determinations require qualified legal counsel and a certified healthcare compliance professional. Consult your Privacy Officer, Security Officer, and legal team before deploying AI systems that process PHI.

Learn HIPAA-Compliant AI in Healthcare

Our federal AI bootcamp covers HIPAA, HITECH, and responsible AI deployment for healthcare and government organizations.

AI Vendors That Offer HIPAA BAAs

A signed Business Associate Agreement (BAA) is the minimum legal prerequisite for using any AI vendor to process PHI. Verify current status directly with each vendor before deployment.

Vendor / Service | BAA Status | Plan Required | Notes
Microsoft Azure OpenAI | Available | Microsoft Online Services DPA / BAA (confirm under your agreement) | Azure OpenAI is a HIPAA-eligible service. US data residency available.
AWS Bedrock (Claude, Titan, Llama, etc.) | Available | AWS HIPAA-eligible services | Accept the AWS BAA for the account through AWS Artifact. Claude via Bedrock inherits AWS BAA coverage.
Google Vertex AI (Gemini, Med-PaLM 2) | Available | Google Cloud BAA | Use only HIPAA-configured GCP projects and covered services. Med-PaLM 2 is purpose-built for clinical data.
Anthropic Claude (Direct / Enterprise) | Conditional | Enterprise contract required | Direct BAA available for Enterprise. The standard API and Claude.ai consumer plans are NOT covered by default.
John Snow Labs | Available | All tiers (private deployment) | On-premise / VPC deployment. Healthcare NLP specialist with built-in PHI de-identification.
OpenAI ChatGPT Enterprise | Conditional | Enterprise plan only | ChatGPT Enterprise includes a BAA. ChatGPT Team and Plus do NOT offer BAAs.
OpenAI API | Conditional | BAA on request for eligible API customers | No BAA on a default API account. Do not send PHI to the API without an executed BAA and confirmation of which endpoints it covers.
ChatGPT Consumer / Team | Not Available | N/A | No BAA. Not HIPAA-eligible. Never enter PHI into consumer ChatGPT.