Jun 23, 2025

What’s the Deal with HIPAA and Generative AI?

What doctors need to know before using ChatGPT and similar tools

You’ve just reviewed a long, complex patient message. Instead of writing your reply from scratch, you open ChatGPT, paste a few notes, and ask it to draft a response. After editing the output, you send the message through your EHR. 

It’s efficient, but is it HIPAA-compliant?

As generative AI tools like ChatGPT become more accessible, many physicians are using them to save time. But if you’re handling patient information, it’s essential to understand what’s allowed under HIPAA.

Is ChatGPT HIPAA Compliant?

No. ChatGPT is not HIPAA compliant. OpenAI—the company behind ChatGPT—does not sign Business Associate Agreements (BAAs), which HIPAA requires for any service that handles protected health information (PHI) on behalf of a covered entity.

That means if you input identifiable patient data into ChatGPT, you’re likely violating HIPAA.

Can Doctors Use Generative AI?

Yes, you can still use generative AI—just be thoughtful about how. Here are a few safe ways physicians are using ChatGPT and similar tools:

  • Patient education: Generate explanations of conditions or treatments in plain language.
  • Templates and documentation: Draft letters, instructions, or forms without including PHI.
  • Brainstorming: Use AI to outline content or summarize topics before personalizing.

Here’s a good rule of thumb: don’t include any PHI unless the tool explicitly claims HIPAA compliance and signs a BAA. For more ideas, see How to Use ChatGPT as a Doctor.

What About AI Tools Built for Healthcare?

Some software vendors offer tools designed for clinical workflows with HIPAA compliance in mind. These platforms may sign BAAs, encrypt data, and meet the security standards required for handling PHI. For example, Mobius Conveyor offers AI-powered medical dictation that is fully HIPAA-compliant and works across any computer or EHR.

At the same time, regulators are still catching up with AI in the healthcare industry. There’s growing pressure on developers and healthcare organizations to create clear guidelines around AI use. If your health system has an AI policy, follow it. If it doesn’t, now is a good time to ask leadership for direction.

5 Things Every Doctor Should Know

Always consult your organization’s policies and seek legal guidance if you’re unsure whether your use of AI tools complies with HIPAA. That said, here's the bottom line summarized as five simple tips:

  1. Don’t put PHI into ChatGPT or similar tools. Sharing identifiable patient information is unsafe unless an AI vendor signs a BAA and confirms HIPAA compliance.
  2. Use AI for general, de-identified content. Tasks like summarizing clinical topics, drafting patient education materials, or outlining documentation templates are all fair game—as long as no PHI is involved.
  3. Check if your AI software signs a BAA. This is the key requirement under HIPAA. If a vendor doesn’t sign a BAA, you should assume the tool isn’t compliant for clinical use.
  4. Follow your organization’s policies. Many hospitals and health systems are drafting policies for AI use. If yours has one, follow it. If not, it’s worth asking for guidance before introducing new tools into your workflow.
  5. Always review AI output before using it. Even when used appropriately, AI is not infallible. Always check for tone, accuracy, and clinical appropriateness before sending or saving any AI-generated content.

AI has enormous potential to improve efficiency in medicine, but it comes with new responsibilities. With a few simple precautions, you can stay on the right side of HIPAA and still benefit from innovative medical workflow tools.
