ChatGPT Enterprise and HIPAA compliance: what teams still miss


(@nhi-mgmt-group)

TL;DR: ChatGPT Enterprise, the API Platform, and ChatGPT Health can support BAAs, but HIPAA risk still hinges on what employees type, which tiers they use, and whether minimum-necessary enforcement exists before PHI reaches the model, according to WitnessAI. A signed BAA covers the provider’s obligations, not the covered entity’s runtime controls or workforce behaviour.

NHIMG editorial — based on content published by WitnessAI: ChatGPT Enterprise and HIPAA compliance guidance

By the numbers:

Questions worth separating out

Q: How should healthcare teams stop PHI from reaching AI tools in the first place?

A: Healthcare teams should enforce minimum necessary controls at the prompt layer, not only through policy and training.

Q: Why is a signed BAA not enough for HIPAA-compliant AI use?

A: A BAA governs the vendor’s handling of PHI after receipt, but HIPAA compliance also depends on the covered entity’s own controls.

Q: What do healthcare organisations get wrong about AI and minimum necessary?

A: They often treat minimum necessary as a policy statement instead of a runtime control.

Practitioner guidance

  • Block consumer AI tiers for PHI use: Remove Free, Plus, Pro, and Team from approved clinical workflows, and publish a clear product-tier policy so staff know which services are outside the BAA scope.
  • Enforce minimum necessary at the prompt layer: Deploy controls that inspect prompts before they leave the organisation and prevent full charts, diagnosis details, and other PHI from being submitted without review.
  • Link AI access to enterprise identity controls: Require SSO, MFA, role-based access, and periodic access reviews for every approved AI tool so usage can be tied back to accountable users and roles.
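As an added example (not from this post or from WitnessAI), the Python gate below shows the three guidance points above as a runtime control rather than a policy statement: the product tiers come from the post, while the PHI regexes, the role names and the SSO flag are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Product-tier policy from the post: only BAA-eligible services may receive PHI.
BAA_ELIGIBLE_TIERS = {"enterprise", "api", "health"}
CONSUMER_TIERS = {"free", "plus", "pro", "team"}

# Constructed identifier patterns for illustration; a real deployment needs tuned detectors.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,10}\b", re.I),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.I),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}

@dataclass
class Decision:
    allowed: bool
    reason: str
    redacted_prompt: str = ""
    findings: list = field(default_factory=list)  # identifier types seen, for the audit trail

def inspect_prompt(prompt, tier, user_roles, authenticated_via_sso):
    """Gate a prompt before it leaves the organisation: tier, identity, then minimum necessary."""
    tier = tier.lower()
    if tier in CONSUMER_TIERS or tier not in BAA_ELIGIBLE_TIERS:
        return Decision(False, f"tier '{tier}' is outside BAA scope")
    if not authenticated_via_sso:
        return Decision(False, "request is not tied to an SSO identity")
    findings = [name for name, pat in PHI_PATTERNS.items() if pat.search(prompt)]
    redacted = prompt
    for name, pat in PHI_PATTERNS.items():
        redacted = pat.sub(f"[{name.upper()} REDACTED]", redacted)
    if findings and "clinical" not in user_roles:  # 'clinical' is an assumed role name
        return Decision(False, "PHI identifiers present; role has no clinical need", redacted, findings)
    if findings:
        # Clinical role: forward only the minimum-necessary form, identifiers stripped.
        return Decision(True, "identifiers redacted before submission", redacted, findings)
    return Decision(True, "no PHI identifiers detected", prompt, [])

# Constructed sample prompt containing several direct identifiers.
SAMPLE_PROMPT = ("Summarize the discharge plan for patient MRN: 00123456, DOB 04/12/1961, "
                 "SSN 123-45-6789, reachable at 555-123-4567.")

if __name__ == "__main__":
    for tier, roles in (("plus", {"clinical"}), ("enterprise", {"billing"}), ("enterprise", {"clinical"})):
        d = inspect_prompt(SAMPLE_PROMPT, tier, roles, authenticated_via_sso=True)
        print(tier, roles, "->", d.allowed, d.reason, d.findings)
```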

What's in the full article

WitnessAI's full article covers the operational detail this post intentionally leaves for the source:

  • A product-tier breakdown showing which OpenAI offerings are BAA-eligible and which are not for PHI use.
  • A step-by-step HIPAA checklist for configuring SSO, MFA, role-based access, and audit trails in AI deployments.
  • Examples of where PHI leaks occur across shadow AI, approved tools, and conversational workflows.
  • A practical view of how runtime controls can enforce policy before data reaches an external model.

👉 Read WitnessAI's analysis of ChatGPT Enterprise and HIPAA compliance →

(@mr-nhi)

The BAA creates vendor obligations, not enterprise compliance. HIPAA-covered organisations often treat a signed BAA as the endpoint, but it only governs the business associate’s handling of PHI after receipt. The covered entity still owns risk analysis, workforce behaviour, minimum necessary enforcement, and oversight of approved tiers. Practitioner conclusion: compliance fails if contractual assurance is mistaken for operational control.

A few things that frame the scale:

  • The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.

A question worth separating out:

Q: Who is accountable when PHI is exposed through ChatGPT Enterprise use?

A: The covered entity remains accountable for how its workforce uses AI, even when the provider signs a BAA. That includes product-tier selection, identity configuration, training, monitoring, and response to misuse. The vendor has obligations under the BAA, but the organisation owns the controls that prevent disclosure in the first place.

👉 Read our full editorial: ChatGPT Enterprise and HIPAA: why the BAA is not enough
