
Is ChatGPT HIPAA Compliant? 2026 Guide for Behavioral Health Practices

Standard ChatGPT is not HIPAA-compliant for PHI. We explain what changed in 2026 (ChatGPT for Healthcare, ChatGPT for Clinicians), compare 10 BAA-backed alternatives, and give you a decision tree.

Last reviewed: June 6, 2026 — updated to cover ChatGPT for Healthcare (January 2026) and ChatGPT for Clinicians (April 2026).


This post is part of our complete guide to HIPAA-Compliant AI for Behavioral Health Practices.

Quick Answer: Is ChatGPT HIPAA Compliant?

No. Standard ChatGPT is not HIPAA compliant for Protected Health Information (PHI). OpenAI does not offer a Business Associate Agreement (BAA) for its consumer ChatGPT product, meaning any PHI you enter — client names, diagnoses, session notes, dates of service — violates OpenAI's terms of use for that product and HIPAA itself. Mental health practices need purpose-built, BAA-backed AI tools designed specifically for clinical workflows.

OpenAI did release two healthcare-targeted products in 2026 — ChatGPT for Healthcare in January and ChatGPT for Clinicians in April — and we cover what each does (and doesn't) below. Neither replaces a purpose-built behavioral-health tool for most solo or group practices today.


What Changed in 2026

For the first 18 months after ChatGPT launched, OpenAI's HIPAA position was simple: none of the consumer products were BAA-eligible, and the API was your only option if you wanted to build something compliant. In 2026 that changed twice. Both releases narrow the gap between "ChatGPT" and "HIPAA," but neither closes it for the typical behavioral-health practice.

ChatGPT for Healthcare (January 2026)

In January 2026, OpenAI rolled "ChatGPT for Healthcare" out as part of a broader OpenAI for Healthcare initiative. It is an enterprise tier — your organization applies, signs an enterprise contract, and your administrators configure a "Regulated Workspace" where covered chats live. It is not something a solo clinician can sign up for in five minutes.

A BAA is available for eligible enterprise customers under the standard ChatGPT for Healthcare arrangement, as described in OpenAI's help-center article for the product. The BAA covers chats inside the Regulated Workspace — it does not retroactively cover anything your staff already pasted into a free or Plus account, and it does not extend to consumer ChatGPT sessions your team uses on the side.

For a hospital system, a large group practice, or a multi-location behavioral-health network with a procurement function, ChatGPT for Healthcare is now a real option worth evaluating. For most independent therapists, the procurement overhead alone makes it impractical.

ChatGPT for Clinicians (April 2026)

In April 2026, OpenAI released ChatGPT for Clinicians — a free tier aimed at individually verified U.S. clinicians, with optional BAA support. The pitch is documentation help, clinical reasoning support, and medical research at the point of care.

Eligibility is narrow. OpenAI's ChatGPT for Clinicians help page lists physicians (MD/DO), nurse practitioners (NP), physician assistants (PA), and pharmacists with a valid NPI, verified through a third-party check. As of June 2026, LCSWs, LMFTs, LPCs, and psychologists (PsyD/PhD) are not on OpenAI's published verification list. Most behavioral-health clinicians cannot get an account today even if they want one.

For those who can qualify, the BAA is opt-in: eligible clinicians review and sign the agreement inside ChatGPT under Settings → Agreements, per OpenAI's BAA help article. The BAA covers conversations inside the clinician workspace only. Anything in a consumer or Plus account on the same email is still out of scope.

What This Means for Behavioral Health Practices

For most solo therapists, counselors, and psychologists, neither 2026 product is turnkey. ChatGPT for Healthcare assumes an enterprise procurement function you likely don't run for a solo or small-group practice. ChatGPT for Clinicians excludes the license types most behavioral-health practitioners hold.

The compliance baseline itself has not changed. Any AI tool that touches PHI still needs a BAA, technical safeguards, and a no-training data clause. The 2026 products meet that baseline only inside their narrow eligibility windows.

If you're a behavioral-health practice that wants AI help with documentation, intake, or scheduling today, a purpose-built BAA-backed product remains the most realistic option. The matrix below compares ten of them side-by-side.


Side-by-Side: 10 AI Tools for Behavioral Health, BAA-Backed and Otherwise

| Tool | BAA available | Architecture | Best for | Pricing tier |
|---|---|---|---|---|
| PsyFiGPT | Yes — included on every plan | Per-tenant processing; no PHI to third-party LLMs | Solo + group behavioral-health practices, documentation + intake | Solo / Pro / Team |
| Mentalyc | Yes | Cloud LLM with vendor BAA | Solo therapists, SOAP notes | Solo / Pro |
| Upheal | Yes | Cloud LLM with vendor BAA | Group practices, EHR integrations | Solo / Group |
| DeepCura | Yes | Cloud LLM with vendor BAA | Solo therapists | Solo / Pro |
| JotPsych | Yes | Cloud LLM with vendor BAA | Group practices | Solo / Group |
| Blueprint Health | Yes | Cloud LLM with vendor BAA | Larger practices, measurement-based care | Group / Enterprise |
| Heidi Health | Yes | Cloud LLM with vendor BAA | General clinical documentation | Solo / Pro |
| Freed | Yes | Cloud LLM with vendor BAA | General clinical documentation | Solo / Pro |
| ChatGPT for Clinicians | Yes (verified physicians, NPs, PAs, pharmacists only) | OpenAI cloud; verified-clinician workspace | Solo clinicians whose license type is on OpenAI's verification list | Free for verified clinicians |
| ChatGPT (consumer / Plus / Team) | No | OpenAI cloud, default training opt-in | Not appropriate for PHI | $20/mo (Plus) |

Pricing tiers reflect each vendor's publicly listed plan structure as of June 2026. Always verify the current contract terms, included BAA scope, and per-seat or per-tenant pricing directly with the vendor before procurement.


Why This Matters for Your Mental Health Practice

AI has moved from buzzword to daily workflow tool for thousands of therapists, psychologists, and counselors. The appeal is real: faster SOAP notes, easier treatment plan drafts, quicker intake summaries. The problem is equally real: the most well-known AI tool on the market — ChatGPT — was not built to handle patient data.

For mental health professionals, the stakes are higher than in most other healthcare settings. Your clients share their most sensitive experiences. A HIPAA breach involving mental health records can expose you to Office for Civil Rights (OCR) enforcement, state licensing board complaints, and the kind of client trust destruction that no practice recovers from easily.

This guide explains exactly what makes ChatGPT non-compliant, what a safe alternative looks like, and how to evaluate any AI tool before it touches your clinical workflow.


What Makes an AI Tool HIPAA Compliant?

Before diagnosing ChatGPT's compliance status, it helps to understand the standard every AI tool must meet to legally handle PHI.

The Three Non-Negotiables

1. A signed Business Associate Agreement (BAA). Under HIPAA, any vendor that creates, receives, maintains, or transmits PHI on your behalf is a "Business Associate" — the definition lives in 45 CFR 160.103. You must have a signed BAA with them before PHI flows to their platform. Without it, every session note you paste into their system is a potential violation.

2. Technical safeguards for PHI. The HIPAA Security Rule at 45 CFR 164.312 requires covered entities and their Business Associates to implement access controls, audit logs, encryption in transit and at rest, and automatic logoff for systems handling ePHI.

3. No secondary use of clinical data. A compliant AI vendor cannot use your client's PHI to train their models, improve their products, or share data with third parties without your explicit authorization. This is the rule most general-purpose AI tools silently break.


Why Standard ChatGPT Fails All Three Tests

No BAA Available for Consumer ChatGPT

OpenAI's standard terms of service for ChatGPT do not include a BAA and do not position the product as a HIPAA-covered service. OpenAI does offer enterprise arrangements — ChatGPT Enterprise and the OpenAI API — with data processing agreements that may support BAA execution for specific use cases, but these require active procurement, legal review, and technical configuration that the average private practice has not completed.

If you are using ChatGPT through a browser at chat.openai.com, you do not have a BAA. Full stop.

Data Is Used for Model Training by Default

OpenAI's data usage policies have evolved, but the default position for consumer accounts has historically permitted using conversation data to improve their models. Even under current policies where you can opt out, the burden falls on you to take action — and most clinicians using ChatGPT informally have never reviewed those settings.

General Architecture Was Not Designed for PHI

ChatGPT was built for broad, general-purpose use. It does not have the role-based access controls, audit logging, or data residency guarantees that clinical environments require. When you paste a session note into ChatGPT, you have no visibility into where that text goes, how long it is retained, or who at OpenAI could theoretically access it.


Real-World Risks for Mental Health Clinicians

Understanding the abstract legal risk is one thing. Here is what HIPAA non-compliance with AI actually looks like in practice for therapists and counselors.

  • OCR enforcement action. The HHS Office for Civil Rights actively investigates HIPAA complaints and publishes annual enforcement data showing the volume and outcomes of those investigations. Fines range from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category. A pattern of pasting session notes into ChatGPT could be characterized as multiple violations.
  • State licensing board complaints. Most state licensing boards for counselors, psychologists, and social workers have ethics codes that require reasonable safeguards for client data. Routine ChatGPT use with PHI could trigger a complaint.
  • Client discovery. If a client asks how their data is handled and learns their session notes were processed through a non-HIPAA-compliant AI, that becomes a trust and legal liability issue simultaneously.
  • Breach notification obligations. If a non-compliant AI vendor experiences a data breach, you may be on the hook for notifying affected clients and the OCR — even though you had no direct visibility into the breach.

What You Can Use ChatGPT For (Safely)

ChatGPT is not without legitimate value in your practice. It just cannot touch PHI. Here are the tasks where it is safe to use, because no identifying client information is involved.

Safe, non-PHI uses for ChatGPT in mental health practices:

  • Drafting newsletter content and general psychoeducation articles
  • Creating website copy, bio updates, and marketing materials
  • Brainstorming office policy language (before personalizing with practice-specific details)
  • Researching clinical topics, summarizing research papers, or exploring therapeutic frameworks
  • Writing general intake form templates (not pre-filled with any client data)
  • Generating social media post ideas around mental health awareness topics

The governing principle is simple: if the task could be completed by a contractor who knows nothing about any of your clients, it is likely safe for ChatGPT.


HIPAA-Compliant AI Alternatives Built for Mental Health

The good news is that purpose-built, HIPAA-compliant AI tools for mental health are no longer niche products. They exist, they work, and they are designed around the specific workflows that consume therapists' administrative time.

PsyFiGPT: Clinical Documentation Without PHI Risk

PsyFiGPT is an AI-powered clinical documentation assistant built specifically for mental health professionals. It generates SOAP notes, intake summaries, and treatment plan drafts without sending PHI to third-party AI services. The AI processing happens in a HIPAA-compliant environment, and the product is designed for the BAA relationship your practice needs.

For therapists spending 30-60 minutes per session on documentation, PsyFiGPT addresses the exact problem that drives clinicians toward ChatGPT in the first place — but without the compliance exposure.

Best for: Therapists, psychologists, and counselors who want faster clinical notes and treatment documentation.

PsyFi Assist: HIPAA-Safe Intake and Scheduling Automation

Administrative burden is not limited to documentation. Intake coordination, scheduling, client matching, and FAQ responses eat significant time in any growing practice. PsyFi Assist handles these workflows with AI intake forms, calendar integration, and automated therapist matching — all within a HIPAA-compliant framework.

Unlike using a general chatbot on your website (another common compliance gap), PsyFi Assist is designed from the ground up for behavioral health practices, with the data handling standards your clients' information requires.

Best for: Practice owners and group practices managing intake volume, scheduling complexity, and client-facing communications.

PsyFi Reports (psychological evaluation and assessment reports): Compliant Analytics and Clinical Reporting

Practice analytics and formal clinical report generation carry their own compliance requirements. PsyFi Reports provides clinical report generation and behavioral health analytics in a compliant environment, giving practice owners visibility into outcomes and operational performance without moving client data through unsecured systems.

Best for: Practice owners tracking clinical outcomes, generating formal reports, and making data-informed operational decisions.


How to Evaluate Any AI Tool Before Using It in Your Practice

Whether you are evaluating PsyFi products, a competitor, or any general AI tool a vendor claims is "HIPAA compliant," ask these specific questions before any PHI touches the system.

| Evaluation Criterion | What to Ask | What a Good Answer Looks Like |
|---|---|---|
| BAA availability | "Will you sign a BAA with my practice?" | Yes, provided as a standard part of onboarding |
| Data training use | "Is my data used to train your models?" | No — client data is never used for model training |
| Encryption | "Is data encrypted in transit and at rest?" | Yes, with specific standards cited (e.g., AES-256, TLS 1.2+) |
| Data residency | "Where is my data stored?" | US-based servers, or a specific jurisdiction your compliance requires |
| Access controls | "Who at your company can access my data?" | Strict role-based access with audit logging |
| Deletion rights | "Can I request deletion of my data?" | Yes, with a documented process and timeline |
| Breach notification | "What is your breach notification process?" | Written policy aligning with HIPAA's 60-day requirement |

Any vendor that cannot clearly answer all seven questions is not ready to handle PHI from your practice.


Building a Practice-Wide AI Policy

Individual compliance knowledge is not enough. If you have staff, contractors, or trainees, your entire team needs clear guidance on AI tool use.

Minimum Elements of a Practice AI Policy

1. Approved tool list. Name the specific AI tools your practice has approved for clinical use, administrative use, and personal productivity — separately. Be explicit about which tools are cleared for PHI.

2. PHI prohibition for unapproved tools. State clearly that entering any PHI into a non-approved AI tool (including ChatGPT, Google Gemini, Claude, and similar general-purpose tools) is prohibited and constitutes a potential HIPAA violation.

3. Incident reporting. Define what staff should do if they realize they have accidentally entered PHI into a non-compliant tool. Having a reporting process reduces the time between the incident and your required breach response.

4. Training cadence. Commit to annual or semi-annual AI compliance training that keeps pace with how quickly these tools are evolving.

5. Vendor review process. Establish that any new AI tool must be reviewed and approved before use, not after a staff member has already been using it for weeks.

For deeper guidance on protecting client data in AI-assisted workflows, see our related post on Private AI for Mental Health: What "Encrypted Memory" Should Mean.


Performing a Risk Assessment for AI Integration

HIPAA's Security Rule requires covered entities to conduct periodic risk assessments. When you add AI tools to your clinical or administrative workflow, that is a material change to your information environment and warrants a specific review.

Your AI risk assessment should document:

  • Which tools are in use, including free, informal tools staff may be using without formal approval
  • What data each tool touches, distinguishing between PHI, administrative data, and purely internal content
  • What safeguards are in place for each tool, including whether a BAA exists
  • What the residual risk is after safeguards, and whether it is acceptable
  • What your mitigation plan is for tools or gaps that represent unacceptable risk

This process does not need to be elaborate for a solo or small-group practice. A documented two-page review updated annually is far better than nothing, and it demonstrates the "good faith" posture that regulators consider in enforcement decisions.


The Bottom Line

ChatGPT is a powerful tool. It is not a HIPAA-compliant tool for clinical use without significant enterprise procurement and legal due diligence that most private practices have not completed. The default position — using ChatGPT through a standard account to draft session notes or summarize client information — is a HIPAA violation, regardless of whether any actual harm results.

The solution is not to avoid AI. AI tools built specifically for mental health practice can save therapists hours per week on documentation, intake, scheduling, and reporting. The solution is to use the right tools.

Your clients trust you with their most sensitive experiences. The technology infrastructure supporting that relationship should reflect the same level of care.


This post is for informational purposes only and does not constitute legal advice. Consult a healthcare attorney for guidance specific to your practice's compliance obligations.

Frequently asked questions

Can I use ChatGPT if I never include the client's name?
Removing a client's name is not sufficient de-identification under HIPAA. The Safe Harbor method requires removing 18 specific identifiers, including dates of service, geographic information, and unique descriptions that could reasonably be used to identify an individual. A session note describing 'a 34-year-old female architect in Portland dealing with a custody dispute' contains several identifiers even without a name. When in doubt, do not use a non-compliant tool.
Does ChatGPT Enterprise make ChatGPT HIPAA compliant?
ChatGPT Enterprise offers stronger data protection than the consumer product, including a commitment that data will not be used for model training. OpenAI has indicated willingness to sign BAAs under certain enterprise arrangements. However, this requires active procurement, legal review specific to your use case, and proper configuration. It is not automatic. If you are considering this route, involve your healthcare attorney before proceeding.
Is Google Gemini HIPAA compliant for therapists?
Google offers HIPAA-eligible services through Google Workspace for healthcare under a BAA, and Gemini for Workspace may be included in that arrangement — but the conditions, configurations, and exclusions are specific and require careful review. Standard, consumer-facing Gemini (gemini.google.com) is in the same position as consumer ChatGPT: no BAA, not appropriate for PHI.
What is the penalty for accidentally using ChatGPT with PHI once?
A single, isolated incident involving limited PHI, where the practice self-reports promptly and can demonstrate it was unintentional and has since implemented corrective measures, is far less likely to result in significant financial penalties than a pattern of non-compliant behavior. OCR's penalty tier structure distinguishes between unknowing violations and willful neglect. That said, breach notification obligations may still apply. Document the incident, assess whether notification is required, and consult your attorney.
Are there HIPAA-compliant AI tools for writing therapy notes specifically?
Yes. PsyFiGPT (https://psyfigpt.com) is purpose-built for mental health clinical documentation, including SOAP notes, intake summaries, and treatment plans, within a HIPAA-compliant framework. It is designed specifically for the workflows where therapists are most tempted to use general AI tools.
How do I handle AI chatbots on my practice website for client inquiries?
A chatbot that collects information from prospective or current clients — scheduling requests, symptom descriptions, insurance questions — can quickly touch PHI. You need a HIPAA-compliant chatbot solution backed by a BAA. PsyFi Assist (https://psyfiassist.com) is designed for exactly this use case, providing AI-powered client intake and FAQ handling for behavioral health practices with appropriate compliance infrastructure.
Where can I learn more about privacy-first AI for mental health?
Our post on AI Therapy Journaling and Privacy-First Reflection (/blog/ai-therapy-journaling-privacy-first/) covers the privacy principles that should govern any AI tool touching sensitive mental health data. For a deeper look at what vendor security claims actually mean, see Private AI for Mental Health: What 'Encrypted Memory' Should Mean (/blog/private-ai-mental-health-encrypted-memory/).
What's the difference between ChatGPT for Healthcare and ChatGPT for Clinicians?
ChatGPT for Healthcare (January 2026) is OpenAI's enterprise-tier product aimed at healthcare systems and large practices — it requires enterprise procurement and a customized BAA. ChatGPT for Clinicians (April 2026) is aimed at individually verified clinicians and provides a more accessible BAA path, but verification requirements and data scope limits apply. Neither replaces a purpose-built behavioral-health tool for most solo or group practices.
Can I use the ChatGPT API with my own HIPAA-compliant infrastructure?
Yes — OpenAI's API tier supports BAA arrangements separate from consumer ChatGPT. Practices that route API calls through a HIPAA-aligned application stack (PsyFiGPT works this way, as do several competitors) can use AI tools backed by OpenAI or another LLM compliantly. The compliance burden sits at the application layer, not the API layer.
If I'm a solo therapist, what's the minimum HIPAA-compliant AI setup?
At minimum: (1) a BAA with every AI vendor that touches PHI, (2) an AI tool with on-tenant or de-identified processing — not raw consumer LLMs, (3) a written practice AI policy you review annually, and (4) audit-log review on every tool. PsyFiGPT, Mentalyc, Upheal, and DeepCura all clear this bar on a solo plan; consumer ChatGPT does not.