AI Compliance · HIPAA · 2025 Guide

Which AI tools are HIPAA compliant?

The answer depends on which version your team is using. For most organizations, the tools their staff use every day are not covered under a Business Associate Agreement.


What HIPAA requires

Every vendor that handles PHI must sign a BAA.

HIPAA requires any vendor that handles Protected Health Information on behalf of a covered entity to sign a Business Associate Agreement. A BAA is a legally binding contract that establishes how the vendor will protect that data, what they can do with it, and what happens in the event of a breach.

Without a signed BAA, using a vendor to process, transmit, or store PHI is a HIPAA violation regardless of whether a breach occurs.

Every AI tool your team uses to draft communications, summarize client information, or process intake data involving a covered client is a potential BAA requirement. Most organizations have not assessed which of their tools are covered.


Where the major AI tools stand

Five tools. Same pattern. Different price points.

Here is what the publicly available vendor documentation says about each major AI tool as of May 2026. This is not legal advice. Always verify directly with vendors and consult qualified legal counsel regarding your specific situation.

ChatGPT — OpenAI
No BAA: Free, Plus, and Team plans. No BAA available. Not suitable for PHI under any circumstances.
BAA available: ChatGPT for Healthcare, launched January 2026. BAA available for qualifying organizations through direct engagement with OpenAI sales.
Source: OpenAI Help Center · HIPAA Journal 2026

Google Gemini
No BAA: Consumer Gemini and standard Workspace accounts. No BAA available. Not suitable for PHI.
BAA available: Google Workspace with Gemini, under a signed Business Associate Amendment accepted through the Google Admin Console. Can support HIPAA workloads with proper configuration and ongoing governance.
Source: Google Workspace Admin Help · Google Support Documentation

Grok — xAI
Case by case: No standard BAA available on published plans. xAI indicates it can support HIPAA compliance obligations on a case by case basis for enterprise customers. Organizations should contact xAI directly to assess availability for their specific use case.
Source: xAI Enterprise FAQ · xAI API Security Documentation

Microsoft Copilot
No BAA: Consumer Copilot and Copilot Pro running on personal Microsoft accounts. No BAA coverage. Not suitable for PHI.
BAA available: Microsoft 365 Copilot for Enterprise, under a signed Microsoft Business Associate Agreement with proper tenant configuration. Can support HIPAA workloads. Configuration is not automatic and requires deliberate implementation.
Source: Microsoft Learn · Accountable HQ 2025

Claude — Anthropic
No BAA: Free, Pro, Max, Team, and self-serve Enterprise plans. No BAA coverage. Not suitable for PHI regardless of how carefully the tool is used.
BAA available: Sales-assisted Claude Enterprise plans can be configured for HIPAA-ready use under a signed BAA. Requires direct engagement with Anthropic sales.
Source: Anthropic Privacy Center · Claude Help Center

The pattern worth understanding

Every tool follows the same structure.

There is a consumer version that is fast, free, and widely adopted. And there is an enterprise version that can be covered under a BAA with proper configuration, significant cost, and deliberate setup.

The consumer version is almost certainly what your staff is using.

The gap between those two versions is where most organizations currently sit. It is not a technology problem. It is a documentation and governance problem that most organizations have not yet addressed.

OCR has been explicit that AI tools processing PHI must be covered under a BAA. The absence of a breach does not mean the absence of a violation.


What changed in 2025

The regulatory environment is tightening.

In January 2025 OCR proposed the first significant update to the HIPAA Security Rule in over two decades. Among the proposed changes, organizations would be required to formally include AI tools that interact with protected health information in their risk analysis documentation.

Most organizations have never completed a formal risk analysis. Almost none have one that addresses AI tools specifically.

The proposed rule has not been finalized. Organizations should monitor HHS Office for Civil Rights communications and consult qualified legal counsel regarding applicability to their specific situation.

Source: HHS Notice of Proposed Rulemaking, January 2025


What to do next

The first step is understanding where you stand.

Most organizations are surprised by the scope of current AI tool usage when they actually look at it.

MMC Signal works with organizations to assess their current AI tool usage against applicable compliance frameworks and help address identified gaps using infrastructure they already have. We help organizations understand where they stand and what addressing it looks like in practice.

We do not provide legal advice or compliance certification. Organizations should consult qualified HIPAA legal counsel regarding their specific obligations.

Find out where your organization stands.

Start with a free exposure call.

20 minutes. A clearer picture of where your organization stands on AI compliance.

This page is for general informational purposes only and does not constitute legal advice. BAA availability, plan terms, and HIPAA compliance requirements are subject to change. Information reflects publicly available vendor documentation as of May 2026. Always verify directly with vendors and consult qualified legal counsel regarding your organization's specific compliance obligations. MMC Signal is not affiliated with OpenAI, Google, xAI, Microsoft, or Anthropic.