The document states that OpenAI can execute Business Associate Agreements with HIPAA-covered entities and business associates requiring contractual HIPAA protections for their use of OpenAI services.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes that OpenAI offers BAA execution as a contractual mechanism for healthcare sector customers subject to HIPAA, which is a prerequisite for lawful processing of protected health information through OpenAI services.
Interpretive note: The scope of covered services under the BAA and the specific PHI categories addressed are not disclosed on this page; full compliance assessment requires review of the BAA instrument.
This new provision enables healthcare and covered entity customers to achieve HIPAA compliance through BAA availability, significantly expanding enterprise use cases.
View full change record →Organizations subject to HIPAA that process protected health information through OpenAI's services can request a Business Associate Agreement, which the document states is available; without such an agreement, processing PHI through OpenAI services would not have the required contractual HIPAA protections in place.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We may display advertisements on our Services and those advertisements may be targeted to your interests based on your personal information. We may share your personal information with advertising partners for interest-based advertising purposes. You may opt out of interest-based advertising by visi...
Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We support HIPAA compliance. OpenAI can enter into a Business Associate Agreement (BAA) with covered entities and business associates that require one for their use of our services.— Excerpt from OpenAI's OpenAI API Data Usage Policies
1) REGULATORY LANDSCAPE: This provision engages HIPAA's Privacy and Security Rules, which require covered entities and their business associates to execute BAAs before disclosing protected health information to service providers. HHS Office for Civil Rights is the primary enforcement authority. The provision asserts BAA availability but does not specify the scope of covered services or PHI categories. 2) GOVERNANCE EXPOSURE: High for healthcare sector customers. Organizations must execute a BAA before processing any PHI through OpenAI services, and should review the BAA to confirm the scope of permitted uses, breach notification obligations, and subcontractor BAA requirements under the HIPAA Omnibus Rule. 3) JURISDICTION FLAGS: US healthcare organizations and their business associates face HIPAA obligations regardless of state. State health privacy laws (such as California's CMIA) may impose additional requirements beyond HIPAA that the BAA may not address. 4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should not process PHI through OpenAI services until a BAA is executed and reviewed. The BAA should be assessed for alignment with the organization's HIPAA policies, including permitted uses and disclosures, minimum necessary standards, and incident response obligations. Sub-contractor BAA requirements should be confirmed. 5) COMPLIANCE CONSIDERATIONS: Healthcare organizations should conduct a HIPAA Security Risk Analysis before deploying OpenAI services for PHI processing, execute the BAA, and document the vendor relationship in their business associate tracking systems. The BAA scope should be reconciled with the specific OpenAI services being used.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes that OpenAI offers BAA execution as a contractual mechanism for healthcare sector customers subject to HIPAA, which is a prerequisite for lawful processing of protected health information through OpenAI services.
Organizations subject to HIPAA that process protected health information through OpenAI's services can request a Business Associate Agreement, which the document states is available; without such an agreement, processing PHI through OpenAI services would not have the required contractual HIPAA protections in place.
ConductAtlas has identified this type of provision across 1 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.