The question is everywhere right now. Is Microsoft Copilot HIPAA compliant? Can I paste a patient summary into ChatGPT? What about Claude? Gemini?
The honest answer is “it depends, and most of the time the default version is not.” Here is the practical breakdown.
The rule that matters
If an AI tool processes Protected Health Information (PHI), the vendor providing that tool is a Business Associate under HIPAA. To handle PHI legally, that vendor must sign a Business Associate Agreement (BAA) with you. No BAA, no PHI.
The complication: every major AI provider sells the same model two ways — a consumer tier (no BAA, often used for model training) and an enterprise tier (BAA available, training disabled). Whether your AI is HIPAA-compliant depends almost entirely on which tier you are paying for and how you are using it.
Tool-by-tool, the 2026 picture
ChatGPT (default, free or Plus). Not HIPAA-compliant. Inputs may be used for model training. No BAA available on consumer plans. Do not paste PHI.
ChatGPT Enterprise / Team / API with Zero Data Retention. BAA available from OpenAI for Enterprise and API customers who qualify. With ZDR enabled and the BAA executed, you can process PHI. The setup is non-trivial; the BAA is not automatic.
Microsoft Copilot (consumer Bing Copilot, free). Not HIPAA-compliant. This is the source of the popular “is Microsoft Copilot HIPAA compliant” search — the answer for the free version is no.
Microsoft 365 Copilot (paid, in a tenant covered by Microsoft’s BAA). Yes — Microsoft signs a BAA covering Microsoft 365 services, and Microsoft 365 Copilot inherits that BAA when used within a properly licensed tenant with the standard data boundary settings. Important: this is the enterprise product, not the consumer one with the similar name.
Claude (Anthropic, default API or Claude.ai consumer). Default consumer Claude is not HIPAA-compliant. Anthropic offers a BAA for enterprise customers using the API with appropriate data handling agreements. Like OpenAI, the path exists but is not the default.
Google Gemini (consumer). Not HIPAA-compliant on consumer Bard/Gemini. Google Cloud offers Vertex AI with BAA coverage for enterprise customers — different product.
Vertical healthcare AI tools. Many vendors (including PatientCopilot) embed enterprise AI under their own BAA. From the practice’s perspective, the BAA is with the vendor, who is responsible for the upstream model provider’s terms.
What actually creates risk
Most AI-related HIPAA incidents do not come from the model itself; they come from a human pasting PHI into the wrong window. A few patterns to ban:
- “Help me write a response to this negative review” — pasting the patient’s name and treatment details into ChatGPT.
- “Summarize this intake form” — pasting an entire intake PDF into a consumer AI.
- “Draft a SOAP note from these bullet points” — bullet points that include name + DOB + diagnosis.
- “What dose of X is appropriate for this patient” — the patient details should be in the EHR, not the prompt.
The fix is not “ban all AI.” The fix is “use enterprise AI under a BAA, and train staff on what they can and cannot paste.”
The practical setup for a small practice
- Pick one approved AI for clinical-adjacent work. Microsoft 365 Copilot in a licensed tenant, or ChatGPT Enterprise with BAA, or a vertical tool like PatientCopilot that handles the BAA for you.
- Block consumer AI on practice devices. Or at minimum, train staff that consumer AI = no PHI, no exceptions.
- Audit your existing tool stack. Anywhere AI features have been added recently (your scheduler, your marketing platform, your phone system) — confirm BAA coverage.
- Update your acceptable use policy. Explicitly call out AI tools and which are approved.
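As an added illustration (not the article's or PatientCopilot's code), here is a minimal pre-send check that encodes the two rules above: a practice-maintained list of which tools are BAA-covered, and a scan for the PHI indicators that appear in the banned prompt patterns. The tool identifiers, regexes and sample prompts are constructed for the example; a real deployment would use a DLP product and staff training, not a regex.

```python
import re

# Constructed tool identifiers, split by the tier the article describes.
# Assumption: the practice maintains this mapping itself; it is not a vendor API.
APPROVED_UNDER_BAA = {
    "microsoft-365-copilot",  # licensed tenant covered by Microsoft's BAA
    "chatgpt-enterprise",     # OpenAI BAA executed, ZDR enabled
    "patientcopilot",         # vendor signs the BAA and covers the upstream model
}
# Anything not in the set above (consumer ChatGPT, Bing Copilot, Claude.ai,
# Gemini, or an unknown tool) is treated as "no BAA, no PHI".

# Illustrative PHI indicators matching the banned patterns (name + DOB + diagnosis,
# intake forms). These regexes are constructed for the example and are not exhaustive.
PHI_PATTERNS = {
    "dob": re.compile(r"\b(?:DOB|date of birth)\b\s*[:\-]?\s*\d{1,2}[/\-]\d{1,2}[/\-]\d{2,4}", re.I),
    "mrn": re.compile(r"\bMRN\b\s*[:#]?\s*\d{5,}", re.I),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "diagnosis": re.compile(r"\b(?:diagnos(?:is|ed)|dx)\b", re.I),
}


def phi_indicators(text):
    """Names of the PHI indicator patterns that appear in a prompt."""
    return [name for name, pat in PHI_PATTERNS.items() if pat.search(text)]


def check_prompt(tool, text):
    """Decide whether `text` may be sent to `tool`; returns (allowed, reason).

    The rule from the article: PHI may only go to a BAA-covered tool. A prompt
    with no indicators may go anywhere, but a regex cannot prove a prompt is
    PHI-free, so the staff rule "consumer AI = no PHI" still applies.
    """
    found = phi_indicators(text)
    if tool in APPROVED_UNDER_BAA:
        return True, "%s is BAA-covered (indicators: %s)" % (tool, found or "none")
    if found:
        return False, "PHI indicators %s bound for non-BAA tool %s" % (found, tool)
    return True, "no PHI indicators detected; %s is not BAA-covered" % tool


if __name__ == "__main__":
    # Constructed prompts mirroring the "patterns to ban" above.
    soap = "Draft a SOAP note: Jane Doe, DOB 03/14/1980, diagnosed with type 2 diabetes"
    review = "Help me write a response to this negative review from a patient"
    for tool, prompt in [("chatgpt-free", soap), ("microsoft-365-copilot", soap),
                         ("chatgpt-free", review)]:
        allowed, reason = check_prompt(tool, prompt)
        print("ALLOW" if allowed else "BLOCK", "-", reason)
```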
How PatientCopilot handles this
PatientCopilot signs a BAA with every paid practice. Our AI patient communication uses enterprise model APIs (Claude, GPT-4 class models) under BAA-covered enterprise agreements with training and retention disabled. PHI sent to PatientCopilot does not enter any third-party model training loop. We are transparent about which upstream providers we use — ask and we will tell you.
The bottom line
The AI is HIPAA-compliant when (a) the vendor signs a BAA, (b) the data handling agreement disables training and retention, and (c) the staff using it understand the boundaries. Without those three, no enterprise badge or marketing claim makes it compliant.