About the Author: Ashaya Sharma is the founder and CEO of IntelliSession AI, a HIPAA-compliant AI therapy note-taking product. As an experienced software engineer, he has extensive expertise in building HIPAA-compliant systems. He collaborates with a compliance automation company specializing in HIPAA requirements and has personally studied the relevant federal laws to ensure IntelliSession's software meets rigorous security standards.
Introduction
ChatGPT in its standard form is not HIPAA compliant and cannot be used by therapists to discuss client cases for clinical insights. While various workarounds exist, each comes with significant limitations and caveats. Below is a summary of the different approaches available to therapists.
| Method | HIPAA Compliance | Cost | Difficulty | Who It's For |
|---|---|---|---|---|
| Regular ChatGPT | ❌ No BAA | Free–$20 | Easy | Not for clinical use |
| De-identified use | ⚠️ Risky | Free | Hard | Only for generic queries |
| ChatGPT Enterprise | ✅ BAA | High ($$) | Slow onboarding | Hospitals / large orgs |
| 3rd Party Wrappers | ✅ HIPAA compliant | Low–medium | Easy | Private practices |
Review: Therapists Must Sign a Business Associate Agreement to Use ChatGPT
Before adopting any software tool, therapists must first determine whether that tool will store or transmit Protected Health Information (PHI). The HHS website defines "Protected Health Information" as:
"Individually identifiable health information" is information, including demographic data, that relates to:
- the individual's past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
Importantly, health information that has been "de-identified" does not count as PHI:
De-identified health information neither identifies nor provides a reasonable basis to identify an individual.
If the software you plan to use will store or transmit Protected Health Information, then the company providing that software is considered a Business Associate:
A "business associate" is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
As a therapist, you must sign a Business Associate Agreement (BAA) with your Business Associates to remain HIPAA compliant:
If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract (...)
As a therapist and healthcare provider, you are considered a Covered Entity under HIPAA. For instance, "Psychologists" are explicitly listed as covered entities.
Therefore, if you wish to use ChatGPT to discuss clients in a way that discloses Protected Health Information - meaning any health information that can be connected to an identifiable individual - you must first sign a Business Associate Agreement with OpenAI, the company behind ChatGPT.
Regular ChatGPT Plans Do Not Offer a Way to Sign a BAA
If you search for ways to sign a BAA with OpenAI, you'll find their Help Page on the subject. The section titled "Can I get a BAA for ChatGPT?" states:
If you're interested in exploring a BAA for ChatGPT Enterprise or Edu, please contact sales. Only ChatGPT Enterprise or Edu customers that have a sales-managed account are eligible for a BAA for ChatGPT at this time. Please note that we don't offer a BAA for ChatGPT Business.
In other words, OpenAI does not sign BAAs for ChatGPT Personal, Plus, or Business accounts - the only plans available for self-service signup without contacting OpenAI's sales team.
As discussed in the previous section, you are legally required to obtain a BAA before sharing your clients' Protected Health Information with ChatGPT.
Method 1: Sign Up for a ChatGPT Enterprise or Edu Plan
An Enterprise plan generally makes sense only for larger organizations purchasing a significant number of user seats.
One indicator of the minimum seat requirement comes from this Reddit post from two years ago, which mentions a minimum of 150 seats.
Another clue appears on OpenAI's contact sales page. When you specify a company size of 1–50 people, the website displays a message suggesting the ChatGPT Business plan instead. This message does not appear for larger organization sizes.
Regardless, Enterprise plans are typically structured as large sales to justify the effort required from sales representatives and operations engineers. Unless you're prepared to spend a substantial amount annually (tens or hundreds of thousands of dollars), it's unlikely OpenAI will offer you an Enterprise plan.
Edu plans are designed for educational institutions serving students and faculty, so private therapy practices are unlikely to qualify:
ChatGPT Edu is designed for schools that want to deploy AI more broadly to students and their campus communities.
Finally, obtaining an Enterprise plan is a slow and laborious process. It requires reaching out to OpenAI's sales team and negotiating an agreement. Even if you're willing to purchase many seats and invest significant funds, securing an Enterprise plan for your organization will be a considerable undertaking.
Method 2: Use ChatGPT, But Be Careful to Avoid Exposing PHI
Based on the discussion above, you might assume that as long as the information you share with ChatGPT is properly de-identified, you won't need a Business Associate Agreement. However, de-identification is rarely straightforward. The HHS guidelines for de-identification state:
There are two ways to de-identify information; either: (1) a formal determination by a qualified statistician; or (2) the removal of specified identifiers of the individual and of the individual's relatives, household members, and employers is required, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.
While avoiding names seems simple enough, unique circumstances can still make an individual identifiable. For example, if you mention a client's profession (without naming their employer), their immigration status, and their sexual orientation in a sufficiently small town, it may be possible to identify them - especially if they're active on social media.
A 2023 research paper demonstrates how AI can infer identifying details from seemingly innocuous information. In one case, the AI correctly identified that a Reddit poster was from Melbourne based solely on a post mentioning "a nasty intersection on my commute where I always get stuck waiting for a hook turn." As AI capabilities improve, reverse-engineering identities from seemingly harmless details will only become easier.
Attempting to de-identify client information while using ChatGPT is both inconvenient and risky, even when you believe you've taken every precaution.
Overall, we do not recommend attempting to de-identify client information for use with the public version of ChatGPT.
Method 3: Using IntelliSession's ChatGPT Integration
IntelliSession offers a HIPAA-compliant version of ChatGPT that allows users to discuss their clients securely.
For those curious about how this works: OpenAI permits software developers to integrate ChatGPT's core AI into their own applications in a HIPAA-compliant manner through the ChatGPT API. Developers can readily obtain a BAA from OpenAI to ensure their implementation of ChatGPT remains fully compliant.
While IntelliSession's primary function is AI-powered therapy note-taking, it opens a ChatGPT chat interface for each client after you generate their therapy note, enabling you to discuss the case within a protected environment.
Bonus: IntelliSession Has the Full Context of the Client
Because you engage with IntelliSession's ChatGPT feature after generating a therapy note, the system already has access to the full therapy transcript and note from the current session. Additionally, it retains previous session records, meaning you don't need to re-introduce the client's background each time you want to discuss them.
FAQs About Using ChatGPT in a HIPAA-Compliant Therapy Practice
Is ChatGPT HIPAA-compliant?
No. ChatGPT (Free, Plus, and Business) is not HIPAA compliant and does not offer a BAA. Only ChatGPT Enterprise or Edu plans can be made HIPAA-compliant through a signed agreement.
Can therapists discuss clients with ChatGPT?
Only if:
- You fully de-identify all client information, and
- The remaining details cannot reasonably be used to re-identify the individual
Otherwise, you must use a HIPAA-compliant alternative with a BAA.
Does ChatGPT sign BAAs?
Only for ChatGPT Enterprise or Edu plans, and only through OpenAI's sales team. Self-service plans do not qualify.
Is de-identifying information enough to use ChatGPT safely?
Not always. AI tools can infer identities from seemingly unrelated details, which makes de-identification risky and often insufficient for true protection.
What is the safest way for therapists to use AI to discuss clients?
Use a HIPAA-compliant ChatGPT integration through a platform that has already signed a BAA with OpenAI - such as IntelliSession.
Why is IntelliSession HIPAA-compliant while regular ChatGPT isn't?
IntelliSession uses the ChatGPT API under a signed BAA with OpenAI and stores all data within a HIPAA-compliant infrastructure, ensuring full regulatory compliance.
Summary
Using ChatGPT in a therapy practice isn't as simple as avoiding names or removing a few identifying details. Under HIPAA, any software that handles identifiable health information must operate under a signed BAA - and standard ChatGPT does not. While therapists can technically use ChatGPT if all information is properly de-identified, modern AI models can often re-identify individuals from contextual clues, making this approach both risky and time-consuming.
ChatGPT Enterprise or Edu plans can be made HIPAA-compliant, but they are costly, require engagement with OpenAI's sales team, and are rarely accessible to individual clinicians or small practices.
For most therapists, the safest and most practical option is to use a platform that offers a HIPAA-compliant ChatGPT integration under its own BAA with OpenAI. Platforms like IntelliSession provide this protected environment while also offering additional benefits such as automatic session context, stored notes, and private client-specific chat threads.
AI is increasingly becoming integral to clinical workflows, and adopting it thoughtfully - and compliantly - can significantly enhance documentation efficiency and clinical insight. By choosing a HIPAA-compliant solution, therapists can leverage AI's power confidently while protecting client privacy and meeting all regulatory requirements.