Is ChatGPT HIPAA Compliant for Therapy? What Compliance Actually Requires
AI for Inner Explorers.
No — standard ChatGPT is not HIPAA compliant for therapy. OpenAI does not sign a Business Associate Agreement for consumer plans (Free, Plus, Pro, Team, self-serve Business), and a BAA is legally required before any vendor handles Protected Health Information. Entering client data may itself be a violation.
That's the answer most therapists are searching for. It's also where most articles stop — which leaves the more useful question unanswered: what does a compliant AI system actually have to implement?
Why standard ChatGPT fails the test
The failure isn't about model quality. It's about the legal and technical envelope around the model.
No BAA means no lawful PHI handling. Under HIPAA, a Business Associate Agreement is the instrument that binds a vendor to protect Protected Health Information. Without one signed, a therapist entering client details is acting outside the framework — regardless of how careful the prompt is.
Consumer data handling runs opposite to clinical needs. Data entered into a standard consumer interface may be retained on vendor servers and used to improve models. A therapy transcript is among the most sensitive categories of personal data that exists; it is precisely the wrong thing to place in a system with those defaults.
"I'll just anonymize it" rarely holds. Clinical narratives are re-identifiable. A date, a city, an occupation, and a family structure are often enough. Stripping the name is not de-identification.
The two paths that can work
To be fair to OpenAI, compliant paths do exist as of 2026:
- ChatGPT for Healthcare — an enterprise workspace launched in early 2026 for regulated clinical settings. Content is not used to train OpenAI's models, and OpenAI will sign a BAA with qualifying organizations.
- The OpenAI API under a BAA — available on endpoints eligible for zero data retention. This is the path most HIPAA-ready therapy tools are actually built on; the vendor signs a BAA with OpenAI, and a second BAA with your practice.
The pattern worth noticing: in both cases, compliance comes from the envelope — the agreement, the retention policy, the access controls — not from the chatbot.
The seven controls compliance actually requires
Whatever tool a practice adopts, these are the questions worth asking. They map to the controls Hamo AI implemented for its PHIPA 6.1 technical audit, and they generalize across health-privacy regimes.
- Encryption in transit — TLS 1.2+ on every connection, with HTTPS enforced rather than optional.
- Encryption at rest with customer-managed keys — AES-256 under keys the vendor controls and can rotate, not shared cloud-provider defaults.
- Role-based access control — separate roles for administrators, clinicians, and clients, enforced at every API endpoint rather than at the account level.
- Mandatory multi-factor authentication — required on every login entry point, not offered as an optional setting.
- Immutable audit logging — every access to or modification of health information recorded with user, action, resource, IP, and timestamp.
- Strong password hashing — bcrypt at a meaningful cost factor, not a bare SHA-256 digest.
- Enforced session idle timeout — an unattended device must not leave a clinical conversation open indefinitely.
A consumer chatbot subscription provides essentially none of these. That's not a criticism of the product; it's a statement about what it was built for.
Where Hamo AI stands — stated precisely
We'd rather be exact than impressive.
Hamo AI completed a full technical PHIPA 6.1 compliance audit in April 2026, covering all four platform components, with all seven controls above implemented and verified. PHIPA is Ontario's health-privacy framework — the Canadian analog to HIPAA, not the same statute. Practices operating under US HIPAA jurisdiction should contact us directly so we can speak to their specific regulatory position rather than imply a coverage we haven't claimed.
That distinction matters more than a marketing badge would. A vendor willing to blur PHIPA and HIPAA in a headline is a vendor whose other compliance claims deserve a second look.
The deeper point
The reason a therapist can't use ChatGPT with clients isn't that the model is bad at conversation — it's quite good at it. It's that a general-purpose chatbot has no clinical envelope: no BAA, no audit trail, no role separation, no crisis protocol, and no licensed human accountable for what it says.
Hamo AI's position is that the envelope is the product. The model is a component inside it — and in Therapist Mode, the model doesn't even decide what's clinically permitted. Deterministic code does.
“Compliance isn't a badge you add at the end — it's a constraint you design from. Any vendor can put "secure" on a landing page. The honest test is whether they'll tell you exactly which framework they're audited against, and which one they aren't.”
— Chris Cheng, Founder and CEO of Hamo AI
Grounded in code, not slideware.
Hamo AI — making minds aware, and awake.
About Hamo AI
Hamo AI Technology Ltd. is a Canada-based artificial intelligence company building next-generation AI-Powered Therapist Avatar System. We are developing a comprehensive AI therapy platform called “Hamo” that connects mental health professionals with clients through AI-powered therapy avatars. The ecosystem consists of three interconnected applications: Hamo Pro (therapist dashboard for creating and managing AI avatars), Hamo Client (client interface for interacting with therapy avatars), and Hamo-UME (Unified Mind Engine, backend API). The platform aims to make mental health support more accessible while maintaining professional oversight through professional therapists who create and manage the AI avatars.
Media Contact
Hamo AI Technology Ltd.
Email: socialmedia@hamo.ai
Website: www.hamo.ai
Address: 108 College St, Schwartz Reisman Campus, SUITE W640, Toronto ON M5G 0C6, Canada
Frequently Asked Questions
Is ChatGPT HIPAA compliant?
No. Standard ChatGPT plans — Free, Plus, Pro, Team, and self-serve Business — are not HIPAA compliant, because OpenAI does not sign a Business Associate Agreement (BAA) for them. A BAA is legally required before any vendor may handle Protected Health Information.
Can a therapist put client information into ChatGPT?
Not into standard ChatGPT. Entering names, dates of birth, diagnoses tied to a person, or session content into a consumer plan may itself constitute a HIPAA violation, since that data can be retained on OpenAI servers and used to improve models.
Is there any HIPAA-compliant way to use OpenAI models?
Two paths exist. ChatGPT for Healthcare, launched in early 2026, is an enterprise workspace where OpenAI will sign a BAA with qualifying organizations. Separately, the OpenAI API can be BAA-covered on endpoints eligible for zero data retention.
Why do compliant AI therapy tools cost more than ChatGPT?
Because compliance is engineering, not a checkbox. It requires customer-managed encryption keys, role-based access control, mandatory MFA, immutable audit logging, enforced session timeouts, and a signed BAA — none of which exist in a consumer chatbot subscription.
Is Hamo AI HIPAA compliant?
Hamo AI completed a full technical PHIPA 6.1 audit — Ontario's health-privacy framework, the Canadian analog to HIPAA — in April 2026. Therapists practising under US HIPAA jurisdiction should contact Hamo AI directly to discuss their specific regulatory requirements.
What is the difference between PHIPA and HIPAA?
HIPAA is the US federal framework governing Protected Health Information; PHIPA is Ontario's provincial equivalent governing Personal Health Information. Both require encryption, access control, audit trails, and vendor agreements, but they are separate legal regimes with separate obligations.
What should a therapist look for in a compliant AI tool?
Seven controls: TLS 1.2+ in transit, encryption at rest with customer-managed keys, role-based access control, mandatory multi-factor authentication, full audit logging of every PHI access, strong password hashing, and enforced session idle timeouts.