Physician warns ChatGPT HIPAA risk

- On May 22, physician Roupen Haladjian warned on X that healthcare workers who paste patient data into consumer ChatGPT can trigger HIPAA risks.
- HHS says cloud providers handling ePHI need a HIPAA-compliant business associate agreement, while OpenAI says BAAs are limited to specific enterprise products.
- OpenAI says ChatGPT Enterprise, Edu and healthcare offerings can support BAA-backed use; AMA advises organizations to set formal AI policies.

A physician’s warning about ChatGPT and patient privacy circulated on X this week as hospitals and clinicians expand their use of generative AI. Roupen Haladjian, a physician who posts as RoupenMD, wrote that pasting patient labs into ChatGPT can create HIPAA risk because the data may pass through third parties that do not have a business associate agreement with the provider. His post pointed readers to American Medical Association guidance on approved tools, de-identification, retention practices and documentation. Federal HIPAA guidance and OpenAI’s own product materials show the distinction turns on which tool is being used and under what contract.

### What exactly was the physician warning about?

Roupen Haladjian wrote in an X post that entering patient labs or other protected health information into ChatGPT can violate HIPAA when the tool is not covered by a business associate agreement. The post said healthcare workers should not put PHI into consumer ChatGPT products and cited AMA guidance on safer use of AI tools.

The warning spread because it framed a common clinical shortcut in compliance terms. Haladjian’s core point was that the issue is not simply whether AI is useful, but whether the specific product and workflow are approved for handling protected health information.

### Why does a business associate agreement matter here?

The U.S. Department of Health and Human Services says a cloud service provider that creates, receives, maintains or transmits electronic protected health information on behalf of a covered entity is a business associate under HIPAA. (ama-assn.org) HHS also says a covered entity or business associate may use a cloud service for ePHI only if it enters into a HIPAA-compliant business associate agreement with that provider and otherwise complies with the HIPAA Rules. HHS says the agreement is meant to set permitted uses and disclosures and require safeguards for the information.

The agency also says covered entities must understand the cloud environment they are using and conduct their own risk analysis and risk management. (hhs.gov)

### Does that mean every use of ChatGPT by a clinician is barred?

OpenAI says no, but it draws a line between regulated offerings and general consumer use. OpenAI’s healthcare page says ChatGPT for Healthcare is built to support HIPAA-compliant use and that organizations can obtain a business associate agreement with OpenAI. The company also says content shared with ChatGPT for Healthcare is not used to train models. (hhs.gov)

OpenAI’s help documentation says BAAs are available for most API services, and that ChatGPT BAAs are limited to sales-managed ChatGPT Enterprise or Edu customers. The same help page says OpenAI does not offer a BAA for ChatGPT Business. That means the compliance answer depends on the product, the contract and the employer’s approval process, not on the word “ChatGPT” alone. (openai.com)

### What does the AMA tell doctors and hospitals to do?

The American Medical Association says health systems should have formal AI governance and policies that define when AI can be used, how vendors are evaluated and how oversight will work. An AMA article on organizational AI policy says health systems should spell out definitions, responsibilities, intake and assessment processes, and monitoring. (help.openai.com)

The AMA’s broader AI principles say privacy and security are central issues as generative AI moves deeper into healthcare settings. Those principles address data privacy, security, oversight and transparency as AI use expands beyond medical devices into administrative and clinical applications.

### So what is the practical takeaway for healthcare workers?

HHS guidance says the first question is whether the tool is receiving or transmitting ePHI and whether a HIPAA-compliant business associate agreement is in place. (ama-assn.org) OpenAI says some enterprise and healthcare products can be configured for that use, while consumer-grade offerings may not meet that standard. (ama-assn.org)

The next step for clinicians is usually internal, not public. The AMA says organizations should maintain AI policies and governance processes, and OpenAI says regulated healthcare use is tied to specific products and account arrangements. (ama-assn.org) (hhs.gov)
