Is ChatGPT HIPAA Compliant? What Dental & Medical Practices Must Know
By Alex Carlson
Short answer: the version of ChatGPT most people use is not HIPAA compliant, and you should not paste patient information into it. The longer answer — which matters if you run a dental office, clinic, or any practice that touches protected health information — is that AI can be used compliantly, but only under specific conditions that the free and Plus versions of ChatGPT don't meet.
This guide explains what HIPAA actually requires of an AI tool, why consumer ChatGPT falls short, what changes the picture, and how to use AI in a practice without creating a compliance problem. It is not legal advice — your situation may have wrinkles a compliance attorney should review — but it will tell you where the lines are.
Why consumer ChatGPT isn't HIPAA compliant
HIPAA doesn't ban AI. It requires that anyone who handles protected health information (PHI) on your behalf meets the Security Rule's safeguards and signs a Business Associate Agreement (BAA) — a contract making them legally responsible for protecting that data.
The standard, consumer-facing ChatGPT fails on the first requirement: OpenAI does not sign a BAA for the free or Plus consumer product, and its standard terms don't guarantee the protections HIPAA requires. Without a signed BAA, any PHI you enter is, in HIPAA terms, an impermissible disclosure — regardless of how careful you are with the wording.
That's the core trap. The tool is so easy to use that staff treat it like a private notepad. The moment someone types "draft a follow-up for John Smith about his root canal on the 14th," identifiable health information has left your control and gone to a vendor with no obligation to protect it.
What HIPAA actually requires of an AI tool
For an AI system to touch PHI compliantly, you generally need all of the following in place:
- A signed Business Associate Agreement with the AI vendor. This is non-negotiable — it's the legal foundation.
- The Security Rule safeguards: administrative, physical, and technical. In practice that means encryption of data both in transit and at rest, audit logging of every request that touches PHI, and access controls so only authorized staff can use it.
- A documented AI inventory and a named compliance owner. Regulators increasingly treat these two items as the baseline "reasonable care" standard. If you can't say which AI tools your practice uses and who's responsible for them, that's a gap.
Many practices anchor this to the NIST AI Risk Management Framework (its four functions — Govern, Map, Measure, Manage), which state regulators increasingly cite as the standard of care for reasonable AI governance.
State laws add another layer
HIPAA is the federal floor, not the ceiling. Several states layer on additional rules — for example, California and Illinois require specific disclosures when AI assists with medical scheduling, billing, or patient communications. So even a HIPAA-compliant setup can fall short of a state transparency requirement.
This is exactly why "is this tool compliant?" rarely has a one-word answer — it depends on your industry and your state. A dental practice in California and an accounting firm in Texas using the same AI tool face different obligations. (Sorting that out per tool, per state, is what a compliance check is built to do.)
So how can a practice use AI?
You have three realistic options, in rough order of how most small practices approach it:
1. Use AI only for non-PHI tasks. This is the safest starting point and covers a surprising amount of value. Drafting general patient-education content, writing social posts, summarizing a public article, brainstorming a marketing campaign — none of that involves PHI, so consumer tools are fine. The rule is simple: never enter a name, date of birth, appointment detail, diagnosis, or anything that could identify a patient.
2. Use AI tools that will sign a BAA. Some enterprise and API-tier AI products will execute a BAA and provide the required safeguards. OpenAI, for instance, offers BAAs for certain business and API arrangements — not the consumer app. Microsoft, Google, and various healthcare-specific vendors do as well. If you want AI involved in PHI workflows (clinical notes, billing, patient messaging), this is the path — but verify the BAA is actually signed and in force before any PHI flows, and confirm the specific product tier is covered.
3. Use purpose-built, HIPAA-ready vertical tools. For clinical and operational work there are tools designed for healthcare from the ground up — dental imaging analysis, AI-assisted billing, HIPAA-compliant patient communication platforms — that come with BAAs and safeguards as standard. These cost more than a $20 ChatGPT subscription, but they're built for the use case. Matching the right one to your practice size and volume is its own exercise (a priced vendor match is meant for exactly this).
A practical checklist for your practice
Before anyone on your team uses AI, get these in place:
- Write a one-line AI policy: "No patient-identifiable information goes into any AI tool that hasn't signed a BAA with us." Tell every staff member.
- Inventory the AI tools already in use. You likely have more than you think — staff adopt these quietly.
- Name a compliance owner. One person responsible for the inventory and the rules.
- For any PHI use case, confirm a signed BAA exists for that specific product tier before going live.
- Check your state's disclosure rules if AI touches scheduling, billing, or patient communication.
None of this requires a law degree to start — but step 4 and 5 are where a quick check with a compliance attorney pays for itself.
Where Rémis fits
Figuring out which AI tools are safe for your practice — in your state, under your industry's rules — is slow and easy to get wrong by hand. Rémis runs a per-tool compliance brief for your industry and state, so you can see which tools carry the right protections before you adopt them, alongside a priced vendor comparison and an AI readiness audit that flags data and process gaps first. You can see the plans or start with the free audit.
Frequently asked questions
Is ChatGPT HIPAA compliant? The free and Plus consumer versions are not — OpenAI doesn't sign a Business Associate Agreement for them, and their standard terms don't provide the protections HIPAA requires. You should not enter any patient-identifiable information into consumer ChatGPT. Certain enterprise/API tiers can be covered by a BAA, but only if one is actually signed for that product.
Can I use ChatGPT for my dental or medical practice at all? Yes, for tasks that don't involve protected health information — general patient-education content, marketing copy, summarizing public material. Never include names, dates of birth, appointment details, or any detail that could identify a patient.
What makes an AI tool HIPAA compliant? A signed Business Associate Agreement with the vendor, plus the HIPAA Security Rule safeguards: encryption in transit and at rest, audit logging of PHI-touching requests, and access controls. Practices should also keep an AI inventory and name a compliance owner.
Do state laws affect AI use in healthcare? Yes. HIPAA is the federal baseline, but states add requirements — California and Illinois, for example, mandate disclosures when AI assists with scheduling, billing, or patient communications. Compliance depends on both your industry and your state.
Is entering patient information into ChatGPT a HIPAA violation? Without a signed BAA with the vendor, disclosing PHI to it is an impermissible disclosure under HIPAA. Treat any patient-identifiable information entered into consumer AI tools as a reportable risk.
Written by Alex Carlson, founder of Rémis (University of Miami, BBA Finance + BBA Business Technology). This article is general information, not legal advice — consult a qualified compliance attorney for your specific situation. Figures and rules reflect published 2026 HIPAA and state AI guidance.