Is ChatGPT HIPAA-compliant? (And what to use instead)

HIPAA & AI · 6 min read · Updated May 2026

Short answer: no. The consumer and standard business versions of ChatGPT are not HIPAA-compliant, and using them with protected health information (PHI) puts your practice at risk. The same is true of most general-purpose AI assistants, including Perplexity, and open agents like Hermes or a stock OpenClaw deployment.

What HIPAA actually requires of an AI tool

Under HIPAA, any vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate, and you must have a signed Business Associate Agreement (BAA) in place before any PHI is shared. No product is "HIPAA-compliant" on its own; a tool can only be compliant for your use when that agreement exists and the tool is deployed and used within the safeguards it describes.

If a vendor won't sign a BAA, that's the end of the conversation — you cannot put PHI into it, no matter how good the model is.

Why ChatGPT (and friends) fall short

Standard ChatGPT does not come with a BAA for typical accounts, and its terms don't contemplate PHI handling the way HIPAA requires. Perplexity is built for search, not regulated health data. Open agents are powerful but ship with no compliance posture at all: there is no vendor to sign a BAA, so you would be assembling access controls, logging, and a BAA-covered model endpoint yourself, and the open-source project behind the agent still cannot sign anything.

Pasting a patient's chart into a general chatbot to "draft a note" is an impermissible disclosure of PHI to a party with no BAA. Under the Breach Notification Rule such a disclosure is presumed to be a reportable breach unless a documented risk assessment shows a low probability the PHI was compromised, and with a consumer chatbot you have no visibility into where the data went.

What a HIPAA-compliant AI for doctors looks like

A compliant AI assistant is built for healthcare from line one. That means a signed BAA up front, PHI minimization (stripping or de-identifying data the task doesn't need, before any model sees it), audit logging of what was sent and by whom, and the ability to connect to your EHR and CRM under the same access controls and logging rather than through copy-and-paste.
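The minimization and audit-logging steps above can be made concrete. The following is an added example written for this article, not Phiclaw's code or any vendor's: a pre-model gate that redacts the pattern-matchable subset of the HIPAA Safe Harbor identifiers (45 CFR 164.514(b)(2)) from a clinical note, refuses to release text that still carries something identifier-shaped, and writes a hash-based audit record for every attempt. The sample note, the MRN format, and the actor/purpose fields are constructed for the example. Names, addresses and other free-text identifiers are not reliably caught by regular expressions, so this is a minimization step that reduces exposure, not a complete Safe Harbor de-identification.

```python
"""Pre-model PHI minimization gate (illustrative example, not vendor code)."""
import hashlib
import json
import re
from datetime import datetime, timezone

# Identifiers with a stable surface form, applied in this order so that
# longer tokens (MRN, SSN, phone) are consumed before the generic ZIP rule.
# The MRN format is an assumption for the constructed sample note.
PATTERNS = {
    "MRN": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(
        r"(?<!\d)(?:\+?1[-. ]?)?(?:\(\d{3}\)|\d{3})[-. ]?\d{3}[-. ]?\d{4}(?!\d)"
    ),
    "DATE": re.compile(r"(?<!\d)(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})(?!\d)"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # Any remaining 5-digit token is treated as a ZIP code; this is
    # deliberately conservative and will also hit some lab values.
    "ZIP": re.compile(r"(?<!\d)\d{5}(?:-\d{4})?(?!\d)"),
}

# Device serials, account numbers and similar identifiers have no fixed
# shape, so any long digit run that survives redaction blocks release.
RESIDUAL_DIGITS = re.compile(r"\d{5,}")

# Constructed sample note; no real patient data.
SAMPLE_NOTE = (
    "Pt seen 03/14/2024, MRN 00482913, DOB 1961-07-02. "
    "Callback (555) 867-5309, email j.doe@example.com, SSN 123-45-6789, "
    "lives at zip 02139. BP 142/91, started lisinopril 10 mg."
)


def redact(text):
    """Replace each matched identifier with a typed placeholder; return counts."""
    counts = {}
    for label, pattern in PATTERNS.items():
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return text, counts


def residual_identifiers(text):
    """Labels of anything that still looks like an identifier after redaction."""
    hits = [label for label, p in PATTERNS.items() if p.search(text)]
    if RESIDUAL_DIGITS.search(text):
        hits.append("LONG_DIGIT_RUN")
    return hits


def audit_record(actor, purpose, original, released, counts):
    """Audit entry that proves what was sent without storing the PHI itself."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "purpose": purpose,
        "input_sha256": hashlib.sha256(original.encode()).hexdigest(),
        "output_sha256": hashlib.sha256(released.encode()).hexdigest(),
        "redactions": counts,
    }


def prepare_for_model(note, actor, purpose, audit_log):
    """Redact, check for leftovers, log the attempt, and release or refuse."""
    redacted, counts = redact(note)
    leftovers = residual_identifiers(redacted)
    record = audit_record(actor, purpose, note, redacted, counts)
    record["released"] = not leftovers
    record["blocked_on"] = leftovers
    # Every attempt is logged, including refused ones.
    audit_log.append(json.dumps(record, sort_keys=True))
    if leftovers:
        raise ValueError(f"refusing to release text: residual identifiers {leftovers}")
    return redacted


if __name__ == "__main__":
    log = []
    print(prepare_for_model(SAMPLE_NOTE, "dr.example", "draft visit note", log))
    print(log[0])
```

The gate fails closed: a note that still contains, for example, a 12-digit device serial after redaction is refused rather than forwarded, and the refusal is itself logged. In a real deployment the audit log would go to append-only storage and the redaction step would be backed by a clinical NER model for names and addresses, with the BAA-covered model endpoint sitting behind this gate rather than in front of it.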

That's the gap Phiclaw fills: a HIPAA-compliant AI agent that signs a BAA, runs your website and social, and connects to every EHR and CRM — with its own EHR and CRM built in.

Want AI in your practice without the compliance risk?

Book a 20-min demo