Roundup Updated June 2026

Best AI options for healthcare organizations in 2026

The real options for PHI are a cloud service under a BAA, a vertical clinical tool, or a private deployment; the deciding question is whether PHI leaves your perimeter.

The short answer

For healthcare, the realistic HIPAA-conscious options are a major cloud AI service under a signed business associate agreement (Azure OpenAI or Google Cloud), a vertical clinical tool such as an ambient documentation assistant, or a private deployment inside your own environment. Consumer ChatGPT is not an option for protected health information. The single deciding question is whether PHI has to leave your perimeter to use the tool. When the answer must be no, a private deployment is the cleanest path, and that is where Soren fits.

Soren is an AI consulting and deployment firm. It builds custom, context-aware AI workflows around the way a team actually works, specialized to that team's practice areas and designed to grow more accurate with use, for banks, law firms, hospitals, and government agencies, and it deploys them inside infrastructure the client controls.

The field at a glance

| Option | BAA available? | Where PHI lives | Customization | Best for |
|---|---|---|---|---|
| Azure OpenAI | Yes, under Microsoft's BAA | Microsoft cloud (your tenant config) | Strong, with your data and controls | Systems already standardized on Azure |
| Google Cloud / Vertex AI | Yes, under Google's BAA | Google cloud (your project) | Strong, grounded in your data | Systems already on Google Cloud |
| Vertical clinical tools | Varies by vendor | Vendor environment | Narrow, purpose-built (e.g. ambient scribe) | A specific clinical task done well out of the box |
| Soren (private deployment) | None needed for data egress: PHI stays inside your perimeter (a hosted tenant still sits under your existing cloud provider BAA) | Your cloud tenant, VPC, or on-premise | Built around your clinical and operational workflows; improves over time | Teams wanting a workflow fit to how they work that keeps PHI in their control |
| Consumer ChatGPT | No | OpenAI consumer environment | None for your data | Not for PHI under any circumstances |
HIPAA-conscious AI options for healthcare, compared fairly.

Why consumer ChatGPT is out

The consumer version of ChatGPT is not HIPAA compliant and should never touch protected health information. There is no business associate agreement behind it, and a BAA with any vendor handling PHI is a baseline HIPAA requirement (HHS). This is the first thing to get right, and the rest of the comparison assumes it.

Azure OpenAI and Google Cloud, under a BAA

Both Microsoft and Google offer enterprise AI services that can be covered by a business associate agreement, which is what makes them legitimate options for PHI when configured correctly. If your organization is already standardized on one of these clouds, that service is often the path of least resistance. The work that remains is yours: restrict network access to the service (private endpoints rather than the public API), scope identities and API keys to the workflows that need them, turn on audit logging, check the data-retention and content-monitoring settings against what you are willing to send, and confirm that the agreement actually covers the specific service, region, and use you intend. A BAA makes the vendor accountable; it does not configure the tenant for you.

Vertical clinical tools

Purpose-built tools, such as ambient documentation assistants that draft notes from a clinical conversation, can be excellent at the one job they are designed for. The trade-off is breadth and control: you get a narrow capability in the vendor's environment, governed by the vendor's terms. They are a strong complement to, not a replacement for, a broader strategy.

Soren: a workflow built around how your teams work

Soren builds the documentation or operational workflow around how your teams actually work, specialized to your service lines and grounded in your own sources, and it grows more accurate at your clinical and operational language the longer it runs. It runs inside your own environment with access scoped and logged, so there is no BAA to negotiate over data egress: the protected data does not leave your perimeter in the first place.

HIPAA compliance is a property of the deployment, not the model.

How to choose

  1. Rule out consumer tools for anything touching PHI, immediately and permanently.
  2. Confirm a business associate agreement is in place for any vendor that will handle PHI.
  3. Decide whether PHI can leave your perimeter at all. If it cannot, prefer a private deployment.
  4. Weigh the cost of a mistake. IBM has reported healthcare as the most expensive sector for data breaches for over a decade (IBM Cost of a Data Breach), which raises the value of keeping data in your control.
  5. Require an audit trail, designed in from the start, that records who asked, what was sent, what came back, which sources were used, and which model version answered. Log references or keyed digests of the prompt and completion rather than a second copy of the PHI, and make the trail append-only so it can be relied on during an investigation.
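One way to build the audit trail that step 5 asks for, as an added example written for this page (not Soren's code or any vendor's). It assumes a hypothetical workflow that logs one record per model call, keeps the raw prompt and completion in the organization's controlled store, and logs only keyed digests of them, so the log does not become a second copy of PHI. Each record carries the hash of the previous record, so a deleted, reordered, or edited record is detectable. The `LOG_KEY` constant is a stand-in for a key that would come from a KMS or HSM in practice.

```python
# Added example: a tamper-evident audit trail for an AI workflow that handles PHI.
# Illustrative code written for this page, not Soren's or any vendor's.
# Assumptions: one record per model call; prompt and completion text stay in the
# organization's controlled store and only keyed digests are logged; LOG_KEY stands
# in for a key that would be KMS/HSM-managed in a real deployment.
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64
LOG_KEY = b"constructed-demo-key-replace-with-kms-managed-key"  # assumption, see above


def content_digest(text: str, key: bytes = LOG_KEY) -> str:
    """Keyed digest of logged content. A plain SHA-256 of short clinical text can
    be reversed by guessing candidates; an HMAC under a protected key cannot."""
    return hmac.new(key, text.encode("utf-8"), hashlib.sha256).hexdigest()


def record_hash(body: dict) -> str:
    """Hash of a record over canonical JSON, so key order does not matter."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only list of records, each chained to the previous one by hash."""

    def __init__(self):
        self.records = []

    def append(self, *, actor, purpose, prompt, completion, sources,
               model_version, timestamp=None):
        prev_hash = self.records[-1]["record_hash"] if self.records else GENESIS_HASH
        body = {
            "seq": len(self.records),
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "actor": actor,                      # who asked (a named identity, not a shared account)
            "purpose": purpose,                  # why (minimum-necessary justification)
            "prompt_digest": content_digest(prompt),
            "completion_digest": content_digest(completion),
            "sources": sorted(sources),          # what the answer was grounded in
            "model_version": model_version,      # which model answered
            "prev_hash": prev_hash,
        }
        body["record_hash"] = record_hash(body)
        self.records.append(body)
        return body

    def verify(self):
        """Return (True, None) if the chain is intact, otherwise (False, index of
        the first record whose hash or link no longer matches)."""
        prev = GENESIS_HASH
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "record_hash"}
            if rec["seq"] != i or rec["prev_hash"] != prev:
                return False, i          # record deleted, reordered, or inserted
            if record_hash(body) != rec["record_hash"]:
                return False, i          # record edited in place
            prev = rec["record_hash"]
        return True, None


def demo():
    """Constructed sample: two logged calls, then an after-the-fact edit.
    Returns (chain ok before edit, chain ok after edit, index flagged)."""
    trail = AuditTrail()
    trail.append(actor="clinician:example-user", purpose="discharge-summary",
                 prompt="Summarize encounter 1 for discharge (constructed text)",
                 completion="Draft discharge summary (constructed text)",
                 sources=["ehr:encounter/1", "guideline:hf-2024"],
                 model_version="clinical-llm-1.3.0",
                 timestamp="2026-06-01T10:00:00+00:00")
    trail.append(actor="clinician:example-user", purpose="prior-auth-letter",
                 prompt="Draft prior authorization letter (constructed text)",
                 completion="Draft letter (constructed text)",
                 sources=["ehr:encounter/1", "payer:policy/123"],
                 model_version="clinical-llm-1.3.0",
                 timestamp="2026-06-01T10:05:00+00:00")
    ok_before, _ = trail.verify()
    # Someone rewrites what the model "said" on the second call.
    trail.records[1]["completion_digest"] = content_digest("a different answer")
    ok_after, flagged = trail.verify()
    return ok_before, ok_after, flagged


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

The chain only proves that the log you hold is the log that was written; it does not stop someone with write access from rewriting the whole thing from the genesis record onward. In practice the latest `record_hash` is periodically anchored somewhere the log writer cannot reach (a separate account, a WORM bucket, a signed timestamp), which is what turns detectability into evidence.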

Frequently asked questions

What AI is HIPAA compliant?
No AI model is HIPAA compliant on its own; compliance depends on the deployment. The compliant paths are a cloud AI service such as Azure OpenAI or Google Cloud under a signed business associate agreement, certain vertical clinical tools with a BAA, or a private deployment inside infrastructure you control. The consumer version of ChatGPT is not compliant and should never touch protected health information.
Can hospitals use ChatGPT?
Not the consumer version with protected health information, because there is no business associate agreement behind it. A hospital can use AI safely through an enterprise cloud service under a BAA or, more cleanly, through a private deployment where PHI never leaves the hospital's own environment.
What is the safest AI for patient data?
The safest approach is one where protected health information never leaves infrastructure you control. A private deployment achieves that by running the model and the data inside your own cloud tenant, VPC, or on-premise environment, so PHI never travels to an AI vendor and there is no data egress for a BAA to cover. If that environment is a hosted cloud tenant, the cloud provider is still a business associate and your existing BAA with it still applies; on-premise removes that party as well.
Do I need a BAA to use AI in healthcare?
If a vendor will create, receive, maintain, or transmit protected health information on your behalf, yes: a business associate agreement is a baseline HIPAA requirement, and that includes the cloud provider hosting your tenant. A private deployment keeps the AI workflow itself out of that picture, because the model runs inside your environment and the data does not pass to an AI vendor. Any partner that needs access to PHI while building or supporting the deployment is still a business associate and belongs under a BAA.

Trying to work out which path fits your data and your regulator? We can walk through it with you.

Book a demo