OpenAI

HIPAA Eligible Products and Functionality

Understanding the HIPAA eligible OpenAI products and functionality.

Updated: 6 minutes ago

This page provides an overview of OpenAI HIPAA eligible products and functionality. For details on the use and configuration of these products see the HIPAA Guide referenced in your BAA.

HIPAA Eligible Products

OpenAI makes the following HIPAA eligible products available with a Business Associates Agreement (BAA): 

  • ChatGPT for Healthcare

  • ChatGPT for Enterprise with Regulated Workspace

  • ChatGPT FedRAMP

  • ChatGPT for Clinicians

  • API with Modified Retention

  • API FedRAMP with Modified Retention

ChatGPT functionality covered under BAA

HIPAA Eligible ChatGPT products  include the following functionality that support HIPAA compliance and are covered by the OpenAI Business Associate and Healthcare Addendum (the “BAA”):

  • Admin features

  • SSO

  • Compliance API

  • RBAC

  • Chat with files

  • Chat Sharing

  • Voice (Speech to text/Advanced voice mode)

  • Python Tool & File Download

  • Web Search & Deep Research (See below for details) 

  • Canvas & Canvas Code Execution

  • ImageGen

  • Memory

  • Projects

  • Notifications

  • Apps / Connectors

  • GPTs

  • Desktop Clients: MacOS and Windows

  • Mobile App

  • Record

  • Work with Apps

  • ChatGPT for Excel and Sheets

  • Workspace Agents

  • Library

  • Codex Local (See below for details)

  • Study Mode (Available in ChatGPT for Edu only)

  • Trusted Clinical Search (Available ChatGPT for Healthcare only)

Codex Local (Sign-in with ChatGPT)

Codex Local involves the installation of Codex Local Client on a local workstation. The HIPAA eligible local clients include CLI, IDE and Desktop App when signed in with a HIPAA eligible ChatGPT account. When the Codex Local Client transmits PHI to OpenAI for processing, OpenAI will protect the Customer PHI consistent with the BAA. 

The OpenAI BAA does not apply to the execution of the Codex Local Client on Customer’s client machines or to any Third-Party Services accessed by the Codex Local Client due to Customer’s use or instructions. Customer is responsible for evaluating the Codex Local Client installation, its operating environment, and establishing a managed configuration that meets their requirements for use with PHI. 

For more information on deploying Codex in your organization see https://developers.openai.com/codex/enterprise/admin-setup. 

For Codex Local configuration options see https://developers.openai.com/codex/enterprise/managed-configuration and the Codex HIPAA Implementation Guide.

Web Search & Deep Research

OpenAI configures HIPAA eligible ChatGPT workspaces to use OpenAI's search index. When users enable the Web Search or Deep Research tool or when the model retrieves information from the web, it uses information in OpenAI's index. OpenAI does not send queries to third-party search providers (e.g., Bing) when using a HIPAA eligible workspace.

Access to ChatGPT Functionality not covered under BAA

A customer may, in its sole discretion, enable access to additional ChatGPT functionality that is not covered under BAA. These additional features are disabled by default. Workplace administrators can enable access to these features through RBAC groups; see this article for more information on how to configure RBAC roles and groups. This access is intended only for uses that do not involve transmission, storage, or processing of PHI.

API Functionality covered under BAA

HIPAA eligibility for the OpenAI API is contingent on Customer’s account being provisioned with Modified Retention, unless otherwise specified by OpenAI. Once your org ID is provisioned with Modified Retention, the endpoints listed below can be used for processing PHI, even if data is retained, upon execution of the OpenAI BAA.

HIPAA-Eligible Endpoints 

/v1/chat/completions 

/v1/responses 

/v1/assistants 

/v1/threads 

/v1/threads/messages 

/v1/threads/runs 

/v1/vector_stores 

/v1/threads/runs/steps

 /v1/images/generations 

/v1/images/edits 

/v1/images/variations 

/v1/embeddings 

/v1/audio/transcriptions 

/v1/audio/translations 

/v1/audio/speech 

/v1/files 

/v1/fine_tuning/jobs

/v1/batches

 /v1/moderations 

/v1/completions 

/v1/realtime

Codex Local (API Key)

Use of Codex Local with a Customer-provided OpenAI API key for the OpenAI API Services will be covered by the BAA for data processed by OpenAI only if Customer has entered into a BAA with OpenAI that includes the API Services with Modified Retention as an Eligible Service. See the Codex Local (Sign-In with ChatGPT) section above for more information on BAA coverage and Customer Responsibilities. 

Was this article helpful?