OpenAI states it will sign a HIPAA Business Associate Agreement with qualifying healthcare customers, making it possible to process certain protected health information through eligible OpenAI services.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
A BAA is a legal requirement under HIPAA before a covered entity or business associate can share protected health information with a service provider. The document states this is available for qualifying customers but does not specify which services are HIPAA-eligible, requiring separate confirmation.
Interpretive note: The document does not specify which specific API endpoints or services are HIPAA-eligible, and the scope of the BAA is not disclosed on this page, requiring separate review of the executed instrument.
Healthcare organizations and other HIPAA-covered entities can request a BAA with OpenAI to enable HIPAA-compliant use of eligible services, but must confirm which specific API endpoints or products are covered before submitting protected health information.
"For customers with HIPAA obligations, we offer a Business Associate Agreement (BAA). We support HIPAA-eligible services for qualifying customers."
Excerpt from OpenAI's Enterprise Privacy document.
REGULATORY LANDSCAPE: This provision directly engages HIPAA (45 CFR Parts 160 and 164), specifically the requirement for a written BAA between a covered entity and its business associates under 45 CFR 164.504(e). The HHS Office for Civil Rights (OCR) is the primary enforcement authority. Submitting protected health information to a service provider without a valid BAA is an impermissible disclosure under HIPAA regardless of how strong the provider's security posture is.

GOVERNANCE EXPOSURE: High for healthcare sector customers. The document states that a BAA is available but does not enumerate which services or API endpoints are HIPAA-eligible. This scope ambiguity must be resolved before any PHI is submitted.

JURISDICTION FLAGS: HIPAA applicability is US-specific and applies to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates. State health privacy laws (such as California's CMIA or New York's health data regulations) may impose additional obligations beyond HIPAA that a BAA alone does not address.

CONTRACT AND VENDOR IMPLICATIONS: The BAA must be executed before PHI is processed, not after. Procurement teams should obtain the full BAA text for legal review, confirm the list of covered services, and assess whether OpenAI's sub-processors are also covered by equivalent BAAs. The document does not disclose sub-processor BAA arrangements.

COMPLIANCE CONSIDERATIONS: Healthcare organizations should obtain and review the BAA before any PHI is submitted, record the executed BAA in their vendor management system, and confirm that their specific use case falls within the scope of HIPAA-eligible services listed in the BAA. Annual review of the BAA should be incorporated into compliance program schedules.
ConductAtlas is an independent monitoring service. It is not affiliated with, endorsed by, or sponsored by OpenAI.