Can I use ChatGPT if I never include the client's name?

Removing a client's name is not sufficient de-identification under HIPAA. The Safe Harbor method requires removing 18 specific identifiers, including dates of service, geographic information, and unique descriptions that could reasonably be used to identify an individual. A session note describing 'a 34-year-old female architect in Portland dealing with a custody dispute' contains several identifiers even without a name. When in doubt, do not use a non-compliant tool.

Does ChatGPT Enterprise make ChatGPT HIPAA compliant?

ChatGPT Enterprise offers stronger data protection than the consumer product, including a commitment that data will not be used for model training. OpenAI has indicated willingness to sign BAAs under certain enterprise arrangements. However, this requires active procurement, legal review specific to your use case, and proper configuration. It is not automatic. If you are considering this route, involve your healthcare attorney before proceeding.

Is Google Gemini HIPAA compliant for therapists?

Google offers HIPAA-eligible services through Google Workspace for healthcare under a BAA, and Gemini for Workspace may be included in that arrangement — but the conditions, configurations, and exclusions are specific and require careful review. Standard, consumer-facing Gemini (gemini.google.com) is in the same position as consumer ChatGPT: no BAA, not appropriate for PHI.

What is the penalty for accidentally using ChatGPT with PHI once?

A single, isolated incident involving limited PHI, where the practice self-reports promptly and can demonstrate it was unintentional and has since implemented corrective measures, is far less likely to result in significant financial penalties than a pattern of non-compliant behavior. OCR's penalty tier structure distinguishes between unknowing violations and willful neglect. That said, breach notification obligations may still apply. Document the incident, assess whether notification is required, and consult your attorney.

Are there HIPAA-compliant AI tools for writing therapy notes specifically?

Yes. PsyFiGPT (https://psyfigpt.com) is purpose-built for mental health clinical documentation, including SOAP notes, intake summaries, and treatment plans, within a HIPAA-compliant framework. It is designed specifically for the workflows where therapists are most tempted to use general AI tools.

How do I handle AI chatbots on my practice website for client inquiries?

A chatbot that collects information from prospective or current clients — scheduling requests, symptom descriptions, insurance questions — can quickly touch PHI. You need a HIPAA-compliant chatbot solution backed by a BAA. PsyFi Assist (https://psyfiassist.com) is designed for exactly this use case, providing AI-powered client intake and FAQ handling for behavioral health practices with appropriate compliance infrastructure.

Where can I learn more about privacy-first AI for mental health?

Our post on AI Therapy Journaling and Privacy-First Reflection (/blog/ai-therapy-journaling-privacy-first/) covers the privacy principles that should govern any AI tool touching sensitive mental health data. For a deeper look at what vendor security claims actually mean, see Private AI for Mental Health: What 'Encrypted Memory' Should Mean (/blog/private-ai-mental-health-encrypted-memory/).

Is ChatGPT HIPAA Compliant? A 2026 Guide for Mental Health Practices

Quick Answer: Is ChatGPT HIPAA Compliant?

No. Standard ChatGPT is not HIPAA compliant for Protected Health Information (PHI). OpenAI does not offer a Business Associate Agreement (BAA) for its consumer ChatGPT product, meaning any PHI you enter — client names, diagnoses, session notes, dates of service — violates HIPAA. Mental health practices need purpose-built, BAA-backed AI tools designed specifically for clinical workflows.

Why This Matters for Your Mental Health Practice

AI has moved from buzzword to daily workflow tool for thousands of therapists, psychologists, and counselors. The appeal is real: faster SOAP notes, easier treatment plan drafts, quicker intake summaries. The problem is equally real: the most well-known AI tool on the market — ChatGPT — was not built to handle patient data.

For mental health professionals, the stakes are higher than in most other healthcare settings. Your clients share their most sensitive experiences. A HIPAA breach involving mental health records can expose you to Office for Civil Rights (OCR) enforcement, state licensing board complaints, and the kind of client trust destruction that no practice recovers from easily.

This guide explains exactly what makes ChatGPT non-compliant, what a safe alternative looks like, and how to evaluate any AI tool before it touches your clinical workflow.

What Makes an AI Tool HIPAA Compliant?

Before diagnosing ChatGPT's compliance status, it helps to understand the standard every AI tool must meet to legally handle PHI.

The Three Non-Negotiables

1. A signed Business Associate Agreement (BAA) Under HIPAA, any vendor that creates, receives, maintains, or transmits PHI on your behalf is a "Business Associate." You must have a signed BAA with them before PHI flows to their platform. Without it, every session note you paste into their system is a potential violation.

2. Technical safeguards for PHI The HIPAA Security Rule requires covered entities and their Business Associates to implement access controls, audit logs, encryption in transit and at rest, and automatic logoff for systems handling ePHI.

3. No secondary use of clinical data A compliant AI vendor cannot use your client's PHI to train their models, improve their products, or share data with third parties without your explicit authorization. This is the rule most general-purpose AI tools silently break.

Why Standard ChatGPT Fails All Three Tests

No BAA Available for Consumer ChatGPT

OpenAI's standard terms of service for ChatGPT do not include a BAA and do not position the product as a HIPAA-covered service. OpenAI does offer enterprise arrangements — ChatGPT Enterprise and the OpenAI API — with data processing agreements that may support BAA execution for specific use cases, but these require active procurement, legal review, and technical configuration that the average private practice has not completed.

If you are using ChatGPT through a browser at chat.openai.com, you do not have a BAA. Full stop.

Data Is Used for Model Training by Default

OpenAI's data usage policies have evolved, but the default position for consumer accounts has historically permitted using conversation data to improve their models. Even under current policies where you can opt out, the burden falls on you to take action — and most clinicians using ChatGPT informally have never reviewed those settings.

General Architecture Was Not Designed for PHI

ChatGPT was built for broad, general-purpose use. It does not have the role-based access controls, audit logging, or data residency guarantees that clinical environments require. When you paste a session note into ChatGPT, you have no visibility into where that text goes, how long it is retained, or who at OpenAI could theoretically access it.

Real-World Risks for Mental Health Clinicians

Understanding the abstract legal risk is one thing. Here is what HIPAA non-compliance with AI actually looks like in practice for therapists and counselors.

OCR enforcement action. The HHS Office for Civil Rights actively investigates HIPAA complaints. Fines range from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category. A pattern of pasting session notes into ChatGPT could be characterized as multiple violations.
State licensing board complaints. Most state licensing boards for counselors, psychologists, and social workers have ethics codes that require reasonable safeguards for client data. Routine ChatGPT use with PHI could trigger a complaint.
Client discovery. If a client asks how their data is handled and learns their session notes were processed through a non-HIPAA-compliant AI, that becomes a trust and legal liability issue simultaneously.
Breach notification obligations. If a non-compliant AI vendor experiences a data breach, you may be on the hook for notifying affected clients and the OCR — even though you had no direct visibility into the breach.

What You Can Use ChatGPT For (Safely)

ChatGPT is not without legitimate value in your practice. It just cannot touch PHI. Here are the tasks where it is safe to use, because no identifying client information is involved.

Safe, non-PHI uses for ChatGPT in mental health practices:

Drafting newsletter content and general psychoeducation articles
Creating website copy, bio updates, and marketing materials
Brainstorming office policy language (before personalizing with practice-specific details)
Researching clinical topics, summarizing research papers, or exploring therapeutic frameworks
Writing general intake form templates (not pre-filled with any client data)
Generating social media post ideas around mental health awareness topics

The governing principle is simple: if the task could be completed by a contractor who knows nothing about any of your clients, it is likely safe for ChatGPT.

HIPAA-Compliant AI Alternatives Built for Mental Health

The good news is that purpose-built, HIPAA-compliant AI tools for mental health are no longer niche products. They exist, they work, and they are designed around the specific workflows that consume therapists' administrative time.

PsyFiGPT: Clinical Documentation Without PHI Risk

PsyFiGPT is an AI-powered clinical documentation assistant built specifically for mental health professionals. It generates SOAP notes, intake summaries, and treatment plan drafts without sending PHI to third-party AI services. The AI processing happens in a HIPAA-compliant environment, and the product is designed for the BAA relationship your practice needs.

For therapists spending 30-60 minutes per session on documentation, PsyFiGPT addresses the exact problem that drives clinicians toward ChatGPT in the first place — but without the compliance exposure.

Best for: Therapists, psychologists, and counselors who want faster clinical notes and treatment documentation.

PsyFi Assist: HIPAA-Safe Intake and Scheduling Automation

Administrative burden is not limited to documentation. Intake coordination, scheduling, client matching, and FAQ responses eat significant time in any growing practice. PsyFi Assist handles these workflows with AI intake forms, calendar integration, and automated therapist matching — all within a HIPAA-compliant framework.

Unlike using a general chatbot on your website (another common compliance gap), PsyFi Assist is designed from the ground up for behavioral health practices, with the data handling standards your clients' information requires.

Best for: Practice owners and group practices managing intake volume, scheduling complexity, and client-facing communications.

PsyFi Reports: Compliant Analytics and Clinical Reporting

Practice analytics and formal clinical report generation carry their own compliance requirements. PsyFi Reports provides clinical report generation and behavioral health analytics in a compliant environment, giving practice owners visibility into outcomes and operational performance without moving client data through unsecured systems.

Best for: Practice owners tracking clinical outcomes, generating formal reports, and making data-informed operational decisions.

How to Evaluate Any AI Tool Before Using It in Your Practice

Whether you are evaluating PsyFi products, a competitor, or any general AI tool a vendor claims is "HIPAA compliant," ask these specific questions before any PHI touches the system.

Evaluation Criterion	What to Ask	What a Good Answer Looks Like
BAA availability	"Will you sign a BAA with my practice?"	Yes, provided as a standard part of onboarding
Data training use	"Is my data used to train your models?"	No — client data is never used for model training
Encryption	"Is data encrypted in transit and at rest?"	Yes, with specific standards cited (e.g., AES-256, TLS 1.2+)
Data residency	"Where is my data stored?"	US-based servers, or a specific jurisdiction your compliance requires
Access controls	"Who at your company can access my data?"	Strict role-based access with audit logging
Deletion rights	"Can I request deletion of my data?"	Yes, with a documented process and timeline
Breach notification	"What is your breach notification process?"	Written policy aligning with HIPAA's 60-day requirement

Any vendor that cannot clearly answer all seven questions is not ready to handle PHI from your practice.

Building a Practice-Wide AI Policy

Individual compliance knowledge is not enough. If you have staff, contractors, or trainees, your entire team needs clear guidance on AI tool use.

Minimum Elements of a Practice AI Policy

1. Approved tool list. Name the specific AI tools your practice has approved for clinical use, administrative use, and personal productivity — separately. Be explicit about which tools are cleared for PHI.

2. PHI prohibition for unapproved tools. State clearly that entering any PHI into a non-approved AI tool (including ChatGPT, Google Gemini, Claude, and similar general-purpose tools) is prohibited and constitutes a potential HIPAA violation.

3. Incident reporting. Define what staff should do if they realize they have accidentally entered PHI into a non-compliant tool. Having a reporting process reduces the time between the incident and your required breach response.

4. Training cadence. Commit to annual or semi-annual AI compliance training that keeps pace with how quickly these tools are evolving.

5. Vendor review process. Establish that any new AI tool must be reviewed and approved before use, not after a staff member has already been using it for weeks.

For deeper guidance on protecting client data in AI-assisted workflows, see our related post on Private AI for Mental Health: What "Encrypted Memory" Should Mean.

Performing a Risk Assessment for AI Integration

HIPAA's Security Rule requires covered entities to conduct periodic risk assessments. When you add AI tools to your clinical or administrative workflow, that is a material change to your information environment and warrants a specific review.

Your AI risk assessment should document:

Which tools are in use, including free, informal tools staff may be using without formal approval
What data each tool touches, distinguishing between PHI, administrative data, and purely internal content
What safeguards are in place for each tool, including whether a BAA exists
What the residual risk is after safeguards, and whether it is acceptable
What your mitigation plan is for tools or gaps that represent unacceptable risk

This process does not need to be elaborate for a solo or small-group practice. A documented two-page review updated annually is far better than nothing, and it demonstrates the "good faith" posture that regulators consider in enforcement decisions.

The Bottom Line

ChatGPT is a powerful tool. It is not a HIPAA-compliant tool for clinical use without significant enterprise procurement and legal due diligence that most private practices have not completed. The default position — using ChatGPT through a standard account to draft session notes or summarize client information — is a HIPAA violation, regardless of whether any actual harm results.

The solution is not to avoid AI. AI tools built specifically for mental health practice can save therapists hours per week on documentation, intake, scheduling, and reporting. The solution is to use the right tools.

For clinical documentation: PsyFiGPT
For intake, scheduling, and client-facing AI: PsyFi Assist
For clinical reporting and practice analytics: PsyFi Reports

Your clients trust you with their most sensitive experiences. The technology infrastructure supporting that relationship should reflect the same level of care.

This post is for informational purposes only and does not constitute legal advice. Consult a healthcare attorney for guidance specific to your practice's compliance obligations.