Physician warns of HIPAA risk in pasting lab data into ChatGPT

- On May 18, physician Roupen Odabashian warned on X that pasting patient lab results into consumer AI tools can expose protected health information (PHI).
- ClearDATA said a 2023 Harris Poll found that 81% of Americans wrongly assume health data entered into digital apps is protected by HIPAA.
- OpenAI, Anthropic and Google all publish HIPAA or BAA pathways for certain enterprise products, not for every consumer-facing workflow.

A physician’s warning on X has put a familiar healthcare compliance problem back in view: consumer AI tools are easy to reach, but protected health information (PHI) is not automatically safe once staff paste it into them. Roupen Odabashian, a hematology-oncology fellow who posts as @RoupenMD, wrote that dropping patient lab results into ChatGPT can send PHI to third parties without a business associate agreement (BAA). His post named OpenAI, Anthropic and Google as potential processors and argued that many hospitals still do not offer staff a safe, approved way to use generative AI with patient data. The post also pointed to a 2023 Harris Poll commissioned by ClearDATA that found 81% of Americans wrongly assumed health data entered into digital apps was protected by HIPAA.

### If a clinician pastes lab results into a chatbot, what is the compliance issue?

HIPAA applies to covered entities and their business associates, not to every app a worker can open in a browser. If a hospital employee submits identifiable lab values, diagnoses, dates or other patient-linked details to a vendor that processes that information, the organization generally needs a compliant arrangement with that vendor, including a BAA where required; sending PHI to a vendor that has no such agreement in place is the disclosure the physician was warning about. ClearDATA’s July 11, 2023 release said many consumers misunderstand that boundary and incorrectly assume digital health apps are broadly covered by HIPAA. (cleardata.com)

A BAA is the contract a healthcare organization signs with a vendor that handles PHI on its behalf. OpenAI’s help center says organizations that want to use its API platform with PHI must first obtain a BAA with OpenAI. (help.openai.com) Google Cloud says customers handling PHI must review and accept Google’s BAA and avoid products not explicitly covered. Anthropic’s trust center says its HIPAA-ready offering includes BAA coverage for certain enterprise services.

### Does that mean OpenAI, Anthropic and Google cannot be used in healthcare?

OpenAI, Anthropic and Google all now market healthcare or HIPAA-ready paths for some enterprise customers. OpenAI said in January that ChatGPT for Healthcare and its API platform can support HIPAA-compliant use, with a BAA, data controls and a commitment that content shared with ChatGPT for Healthcare is not used to train models. (help.openai.com) Anthropic said in a January healthcare announcement that it offers Claude for Healthcare with HIPAA-ready infrastructure, while its trust center says its native API is an eligible service under a BAA. Google Cloud says its HIPAA BAA covers listed cloud products and that customers remain responsible for configuring compliant environments.

The distinction is product-specific. OpenAI’s enterprise privacy page says its business offerings, including ChatGPT for Healthcare, ChatGPT Enterprise, ChatGPT Business and the API platform, come with privacy and compliance commitments. (openai.com) That does not mean every public, consumer-facing chatbot session used by an individual clinician is covered for PHI: coverage follows the specific product and the contract the organization has signed, not the vendor’s name.

### Why did the physician focus on “shadow AI” inside hospitals?

Hospitals have moved unevenly on internal generative AI rollouts, leaving many clinicians with consumer tools that are fast but not formally approved for patient data. Odabashian’s post argued that this gap encourages “shadow AI” use: staff improvising with whatever tools are available when official options are missing. His warning was less about whether AI can be used in medicine than about whether organizations have established approved workflows, vendor contracts and technical controls before frontline staff start using it.

ClearDATA’s survey helps explain why that gap can persist. The company said 58% of people who had used digital health apps had never considered where their health data was shared, and 81% assumed app-collected health data was HIPAA-protected. (cleardata.com)

### What should readers take from the warning?

The immediate point is narrower than a blanket claim that “AI is not HIPAA compliant.” The compliance question turns on the exact product, the contract in place, the organization using it and whether PHI is being entered. OpenAI, Anthropic and Google all describe enterprise pathways for regulated healthcare use, but each also limits that coverage to specified services and customer arrangements. (openai.com) (help.openai.com)

The May 18 post is likely to bring more scrutiny to that distinction as hospitals decide whether to expand approved AI access or tighten internal rules on consumer tools. The next documents to watch are vendor BAA terms, covered-product lists and hospital AI policies from named providers adopting OpenAI, Anthropic or Google Cloud healthcare offerings.


Shared from Scout - Be the smartest in the room.