A Business Associate Agreement (BAA) is a contract required under the US HIPAA law between a covered entity — such as a healthcare provider — and any outside vendor that will handle protected health information (PHI) on its behalf. The BAA makes that vendor legally accountable for safeguarding the data, and without one in place, sharing PHI with the vendor is itself a HIPAA violation.
The pieces: PHI, covered entity, business associate
Protected health information (PHI) is health data that can be tied to an individual — diagnoses, treatment notes, identifiers. A covered entity is a health plan, clearing house, or provider. A business associate is any vendor that touches PHI while working for a covered entity (a transcription service, a cloud host — or an AI tool). Whenever PHI flows to a business associate, HIPAA requires a signed BAA first.
Why this matters for AI
Standard consumer AI products — a free or personal ChatGPT, Claude, or Gemini account — do not sign a BAA. So pasting session notes or patient details into one means PHI has gone to a vendor with no BAA in place, outside HIPAA's requirements. Some providers will sign BAAs for eligible enterprise or API customers under specific terms, but that is a separate, contracted arrangement — not what you get from the everyday consumer app. The practical implications for clinicians are covered in is ChatGPT HIPAA compliant? a guide for therapists and coaches.
Where Secret Chat AI stands (honestly)
Secret Chat AI is a privacy-focused gateway, not a HIPAA compliance solution, and it does not sign a BAA. It reduces exposure — local-only history, anonymized email-only sessions, no training on your prompts — but reducing exposure is not the same as HIPAA compliance. If you are handling PHI, treat a BAA and your own compliance program as the requirement, and remove identifying details before sending anything to any cloud AI. Honesty here is the point: we tell you what we do and do not cover.
Frequently Asked Questions
- Is ChatGPT HIPAA compliant?
Not in its consumer form. OpenAI does not sign a BAA for free or personal ChatGPT plans, so sending protected health information to a consumer ChatGPT account falls outside HIPAA's requirements.
- Does Secret Chat AI sign a BAA?
No. Secret Chat AI is a privacy-focused gateway, not a HIPAA compliance solution, and does not sign a BAA. It lowers data exposure but should not be relied on as a compliance control for protected health information.
- Who needs a BAA?
Any HIPAA covered entity (or business associate) that lets an outside vendor handle protected health information on its behalf. The BAA must be in place before the PHI is shared, not after.
Related terms: Training Opt-Out · Zero-Retention API · all glossary terms