Is ChatGPT HIPAA Compliant?
ChatGPT is not HIPAA compliant at the time of writing and cannot be used by covered entities or members of their workforces for any purpose that involves disclosing Protected Health Information (PHI) to the program. However, OpenAI, the developer of ChatGPT, is working on making ChatGPT HIPAA compliant, and a suitable version of the program may be available soon.
ChatGPT is a Generative Pre-trained Transformer (GPT) that uses artificial intelligence to follow an instruction (a "prompt") and provide a detailed response (an "output"). In theory, there are multiple uses for ChatGPT in the healthcare industry that could reduce the time spent on repetitive tasks and increase efficiency. It has even been suggested that physicians could use the program to assist with diagnoses and to develop treatment plans.
However, fully utilizing the program's capabilities in the healthcare industry would require prompting it with Protected Health Information (PHI). Before PHI could lawfully be included in a prompt, ChatGPT would need to be HIPAA compliant and covered entities would need to enter into a Business Associate Agreement (BAA) with OpenAI. At present ChatGPT is not HIPAA compliant and OpenAI does not offer a BAA for ChatGPT.
Why Might the Situation Soon Change?
The situation may soon change because OpenAI has made more features available for users to secure their OpenAI accounts, is developing compliance APIs that connect with DLP and SIEM tools, and is willing to enter into BAAs with enterprise clients for API services that use endpoints eligible for zero data retention. These developments indicate OpenAI is taking steps toward making ChatGPT HIPAA compliant for enterprise clients.
In the meantime, covered entities can still use ChatGPT provided no PHI is disclosed to the program, or provided any PHI used in a prompt has first been de-identified in accordance with the HIPAA de-identification standard (45 CFR 164.514(b)). In practice this may mean limiting use of the program to members of the workforce with a track record of HIPAA compliance, or providing HIPAA training to members of the workforce before they use ChatGPT, in order to mitigate the risk of a HIPAA violation.
How to Make ChatGPT HIPAA Compliant
One option for making ChatGPT HIPAA compliant without waiting for OpenAI to support HIPAA compliance is to deploy an anonymizer in front of the ChatGPT program. The anonymizer works by tokenizing any PHI included in a prompt (replacing each identifier with an opaque placeholder before the prompt leaves the covered entity) and then re-identifying the PHI, by swapping the placeholders back, when the output is received from ChatGPT. While this circumvents the need for ChatGPT itself to be HIPAA compliant, two points still apply. First, the anonymizer only protects PHI it actually detects: any identifier its rules miss is disclosed to OpenAI in the clear, so the detector's coverage of the HIPAA identifier classes needs to be verified rather than assumed. Second, the anonymizer vendor holds the token map and sees the original PHI, so it is a business associate and it will still be necessary to enter into a BAA with that vendor.
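As an added illustration of the tokenize-then-re-identify flow described above, and of de-identifying a prompt before it leaves the covered entity, the following Python is example code written for this page. It is not code from OpenAI or from any anonymizer vendor. The regular expressions, the identifier classes covered, the fictitious patient record, the `fake_llm` stand-in for the model call, and the `[[KIND_n]]` token format are all constructed assumptions; the detector is deliberately minimal and a real anonymizer would need far broader coverage. The `demo_missed_identifier` function shows the failure mode the text warns about: an identifier with no matching rule is caught only because the caller declared it, and the proxy refuses to send the prompt rather than leak it.

```python
"""Tokenizing anonymizer proxy for LLM prompts (added, illustrative example).

The token map held in PHITokenizer maps placeholders back to real PHI, so it is
itself PHI and must be stored and protected accordingly.
"""
import re
from typing import Callable, Dict, List, Sequence, Tuple

# Constructed, illustrative regexes for a few HIPAA identifier classes (not exhaustive).
PATTERNS = [
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b\d{3}-\d{3}-\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")),
    ("MRN",   re.compile(r"\bMRN[:# ]*\d{6,10}\b")),
    ("DATE",  re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b")),
]


class PHITokenizer:
    """Replaces PHI with opaque tokens on the way out and restores it on the way back."""

    def __init__(self, known_names: Sequence[str] = ()):
        self.names = [n for n in known_names if n]
        self.forward: Dict[str, str] = {}   # PHI value -> token
        self.reverse: Dict[str, str] = {}   # token -> PHI value
        self.counters: Dict[str, int] = {}

    def _token(self, kind: str, value: str) -> str:
        # The same value always maps to the same token so the model can refer to
        # "[[NAME_1]]" consistently; the closing "]]" keeps [[DATE_1]] from being
        # a prefix of [[DATE_10]] during re-identification.
        if value not in self.forward:
            self.counters[kind] = self.counters.get(kind, 0) + 1
            token = f"[[{kind}_{self.counters[kind]}]]"
            self.forward[value] = token
            self.reverse[token] = value
        return self.forward[value]

    def tokenize(self, text: str) -> str:
        # Names known from the record go first (longest first), then the pattern classes.
        for name in sorted(self.names, key=len, reverse=True):
            text = re.sub(r"\b" + re.escape(name) + r"\b",
                          lambda m: self._token("NAME", m.group(0)), text)
        for kind, pat in PATTERNS:
            text = pat.sub(lambda m, k=kind: self._token(k, m.group(0)), text)
        return text

    def reidentify(self, text: str) -> str:
        for token, value in self.reverse.items():
            text = text.replace(token, value)
        return text


def residual_phi(safe_text: str, declared_phi: Sequence[str]) -> List[str]:
    """Declared PHI values that survived tokenization; each one would be a disclosure."""
    return [v for v in declared_phi if v in safe_text]


def ask_llm_without_phi(prompt: str, llm: Callable[[str], str],
                        known_names: Sequence[str], declared_phi: Sequence[str]) -> Tuple[str, str]:
    """Tokenize, verify nothing declared leaks, call the model, restore PHI locally."""
    tok = PHITokenizer(known_names)
    safe_prompt = tok.tokenize(prompt)
    leaked = residual_phi(safe_prompt, list(known_names) + list(declared_phi))
    if leaked:
        raise ValueError(f"refusing to send prompt; untokenized PHI: {leaked}")
    return safe_prompt, tok.reidentify(llm(safe_prompt))


# Constructed sample record (fictitious patient, not real data).
SAMPLE_PROMPT = ("Summarize for the referral letter: Jane Q. Doe, DOB 03/14/1962, "
                 "MRN 00483921, SSN 123-45-6789, phone 555-010-4477, "
                 "email jane.doe@example.org, presents with chest pain on 06/02/2023.")
SAMPLE_NAMES = ["Jane Q. Doe"]
SAMPLE_PHI = ["03/14/1962", "00483921", "123-45-6789", "555-010-4477",
              "jane.doe@example.org", "06/02/2023"]


def fake_llm(prompt: str) -> str:
    # Hypothetical stand-in for the model call; a real model reuses the tokens it was given.
    return ("Patient [[NAME_1]] (DOB [[DATE_1]]) presents with chest pain on "
            "[[DATE_2]]; contact [[PHONE_1]].")


def demo() -> Tuple[str, str]:
    return ask_llm_without_phi(SAMPLE_PROMPT, fake_llm, SAMPLE_NAMES, SAMPLE_PHI)


def demo_missed_identifier() -> List[str]:
    # Failure mode: a device serial has no detector rule. Because the caller declared
    # it as PHI the proxy refuses to send; without that declaration it would leak.
    prompt = SAMPLE_PROMPT + " Pacemaker serial PM-7781-Q."
    try:
        ask_llm_without_phi(prompt, fake_llm, SAMPLE_NAMES, SAMPLE_PHI + ["PM-7781-Q"])
    except ValueError:
        return residual_phi(PHITokenizer(SAMPLE_NAMES).tokenize(prompt), ["PM-7781-Q"])
    return []


if __name__ == "__main__":
    safe, restored = demo()
    print("sent to model:   ", safe)
    print("returned to user:", restored)
    print("missed identifiers:", demo_missed_identifier())
```

Two design points worth noting. Re-identification happens only on the covered entity's side, so the model never sees real identifiers, but the restored output does contain PHI and must be handled under the same safeguards as the source record. And the `residual_phi` check depends on the caller being able to enumerate the PHI in the record, which is feasible when prompts are built from structured EHR fields and much harder for free text; that gap is exactly why detector coverage must be evaluated before such a proxy is trusted.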
In addition to deploying an anonymizer to make ChatGPT HIPAA compliant, there are several alternatives to ChatGPT that support HIPAA compliance. Some have been specifically designed for the healthcare industry rather than being adapted to meet its needs after development. Covered entities may wish to evaluate these rather than waiting for OpenAI to make ChatGPT HIPAA compliant or deploying an anonymizer.