Tags: HIPAA, Healthcare, Claude, Anthropic, AI Compliance, PHI

    Is Claude HIPAA Compliant? A 2026 Guide for Healthcare Providers

    Sonomos Research

    The Sonomos research team writes about AI privacy, data protection, and how to use generative AI safely at work.

Short answer: Claude is not "HIPAA compliant" out of the box. Anthropic offers Business Associate Agreements (BAAs) to eligible enterprise customers on Claude for Work (Enterprise plan) and on the direct Anthropic API, and Claude is also reachable under the AWS and Google Cloud BAAs through Amazon Bedrock and Google Vertex AI. The free and Pro tiers of Claude.ai are not BAA-eligible and must not be used for protected health information (PHI). This guide explains, as of 2026, what HIPAA actually requires of an AI tool, which Anthropic products can be brought under a BAA, and what a clinical or health-tech team has to do to keep PHI from leaking, including when staff use unsanctioned accounts.

    What HIPAA requires of any AI tool

The Health Insurance Portability and Accountability Act (HIPAA) is implemented through three rules, all of which apply when an AI vendor handles PHI on your behalf:

    • Privacy Rule — defines PHI and the conditions under which it may be used or disclosed.
    • Security Rule — defines administrative, physical, and technical safeguards for electronic PHI (ePHI).
    • Breach Notification Rule — defines what counts as a breach and the timelines for reporting it.

    For Anthropic (or any other AI provider) to lawfully process PHI for a covered entity, three conditions must be true:

    1. The provider qualifies as a business associate because it creates, receives, maintains, or transmits PHI on the covered entity's behalf.
    2. A signed Business Associate Agreement (BAA) contractually extends HIPAA obligations to the provider.
3. The product, in the configuration you actually use, supports the Security Rule's technical safeguards: access control, audit controls, integrity, person or entity authentication, and transmission security. Encryption of ePHI at rest and in transit is an addressable specification under those safeguards; in practice, expect to document it as implemented rather than argue it away.

Without a BAA, sending PHI to Claude is an unpermitted disclosure under the Privacy Rule, regardless of how secure Anthropic's infrastructure is. The narrow "conduit" exception for services that merely transmit data (an ISP, for example) does not apply to a provider whose entire function is to read and process the content.

    Where Anthropic stands on HIPAA in 2026

    As of April 2026, Anthropic publicly supports BAAs across four product paths:

• Claude for Work — BAA available on request for eligible Enterprise-plan customers, with admin controls, SSO, and audit logging.
    • Anthropic API (direct) — BAA available for eligible customers under the API's data processing addendum, with zero retention available for HIPAA workloads.
• Claude on Amazon Bedrock — covered under the AWS BAA, since Amazon Bedrock is a HIPAA-eligible AWS service. That coverage applies to Claude invoked through Bedrock's own endpoints; calls made to Anthropic's API from inside AWS are not covered by the AWS BAA.
    • Claude on Google Vertex AI — covered under the Google Cloud BAA for HIPAA-eligible Vertex AI configurations.

The free and Pro tiers of Claude.ai are not BAA-eligible. Whether conversations on those plans are used for model training is governed by the account's privacy settings, which Anthropic has changed over time; even when training use is switched off, exclusion from training is not the same as HIPAA coverage. PHI sent to Claude.ai Pro is still an unpermitted disclosure for a covered entity.

    This distinction matters because the user interface is the same. A clinician at claude.ai cannot tell from the chat window whether they are signed into a personal Pro account or the BAA-covered enterprise tenant their employer manages. Operationally, "is Claude HIPAA compliant?" is really "which Claude account am I in right now, and is it under a BAA?"

    What a HIPAA-aligned Claude deployment looks like

    A health system, payer, digital-health vendor, or research org that wants to use Claude on PHI typically needs to:

    1. Sign a BAA with Anthropic (for Claude for Work or the direct API), AWS (for Bedrock), or Google Cloud (for Vertex AI). The BAA must cover the specific product and endpoints your workforce uses.
2. Configure zero retention where it is offered. On the direct Anthropic API, zero data retention is arranged with Anthropic at the organization level for eligible customers; confirm it in writing and verify which features remain available under it. Bedrock and Vertex AI deployments do not inherit HIPAA controls automatically: configure them yourself, using customer-managed KMS keys, private connectivity for the invocation path (VPC endpoints on AWS, Private Service Connect on Google Cloud), and CloudTrail or Cloud Audit Logs.
3. Restrict workforce access to the BAA-covered tenancy. Consumer and enterprise Claude.ai live on the same domain, so a plain DNS or URL block cannot tell them apart. Enforce the restriction at the identity layer (SSO-only sign-in to the enterprise workspace, CASB session controls that reject personal-account logins) and block the consumer path outright at the network layer only where Claude for Work is not the sanctioned tool. The test is simple: a staff member must not be able to sign into a personal Pro account on a work device.
    4. Enforce least privilege in any agentic, MCP-tool-using, or Projects-style configuration — limit data sources Claude can read and tools it can call.
5. Log access in a way that satisfies the Security Rule's audit-control requirement. Claude for Work exposes admin and audit logs; on the direct API, Anthropic's records are not your audit trail, so record on your side who disclosed what, to which endpoint, for which purpose, and when, without copying the PHI itself into the log.
    6. Train the workforce on what may and may not be sent. A signed BAA does not authorize pasting any PHI — only PHI the workforce member is otherwise permitted to disclose for the specific task at hand.
    7. Document everything — risk assessment, BAA, configuration, training records — because HHS-OCR audits documentation, not just controls.

    This is a real project, not a checkbox. Most organizations underestimate steps 3 and 6 — and they are exactly where most breaches start.
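The following is an added example, not Anthropic's code or SDK: a small gateway that every PHI-bearing Claude request in an organization passes through. It puts steps 3 and 5 above into code: a request can only leave for an exact-match, BAA-covered endpoint, and every disclosure produces an audit record that says who sent what, where, and why, without copying the PHI into the log (the prompt is recorded only as a keyed hash). The endpoint allowlist, the audit key, the model id, and the chart snippet are hypothetical placeholders; the HTTP transport is injected and the demo uses a constructed reply so it runs offline.

```python
"""Added example, not Anthropic's code: a PHI gateway that enforces a BAA-covered
endpoint allowlist and writes PHI-free audit records for every disclosure."""
import hashlib
import hmac
import json
import time
import uuid
from dataclasses import asdict, dataclass
from typing import Callable, Dict, List

# Hypothetical values: the endpoint your BAA actually names, and an audit key
# that belongs in a secrets manager, not in source.
BAA_COVERED_ENDPOINTS = frozenset({"https://api.anthropic.com"})
AUDIT_KEY = b"replace-with-a-32-byte-secret-from-your-vault"


class DisclosureBlocked(Exception):
    """Raised when a request would leave the BAA boundary."""


@dataclass(frozen=True)
class AuditRecord:
    event_id: str
    ts: float
    user: str
    purpose: str
    endpoint: str
    model: str
    prompt_mac: str      # keyed hash of the prompt: correlates, never reveals
    prompt_bytes: int
    response_id: str


def endpoint_allowed(endpoint: str) -> bool:
    """Exact-match allowlist; no prefix or substring matching, so a host such as
    https://api.anthropic.com.evil.example cannot slip through."""
    return endpoint.rstrip("/") in BAA_COVERED_ENDPOINTS


def content_mac(text: str) -> str:
    """HMAC rather than a bare SHA-256: a leaked audit log must not let anyone
    confirm a guessed short prompt by hashing candidates."""
    return hmac.new(AUDIT_KEY, text.encode("utf-8"), hashlib.sha256).hexdigest()


class PhiGateway:
    def __init__(self, transport: Callable[[str, Dict], Dict], endpoint: str) -> None:
        if not endpoint_allowed(endpoint):
            raise DisclosureBlocked(f"{endpoint} is not a BAA-covered endpoint")
        self._send = transport
        self._endpoint = endpoint.rstrip("/")
        self.audit_log: List[AuditRecord] = []

    def send_phi(self, user: str, purpose: str, model: str, prompt: str) -> str:
        """Forward one prompt and record the disclosure. A purpose is mandatory:
        the Privacy Rule permits disclosure for a task, not in general."""
        if not purpose.strip():
            raise ValueError("every PHI disclosure needs a documented purpose")
        body = {"model": model, "max_tokens": 1024,
                "messages": [{"role": "user", "content": prompt}]}
        resp = self._send(self._endpoint + "/v1/messages", body)
        self.audit_log.append(AuditRecord(
            event_id=str(uuid.uuid4()), ts=time.time(), user=user, purpose=purpose,
            endpoint=self._endpoint, model=model, prompt_mac=content_mac(prompt),
            prompt_bytes=len(prompt.encode("utf-8")), response_id=resp.get("id", "")))
        return resp["content"][0]["text"]

    def audit_lines(self) -> List[str]:
        """JSON lines for the SIEM: hashes and metadata only, never PHI."""
        return [json.dumps(asdict(r), sort_keys=True) for r in self.audit_log]


def fake_transport(url: str, body: Dict) -> Dict:
    """Constructed stand-in for the HTTPS call, shaped like a Messages API reply."""
    return {"id": "msg_demo_001", "content": [{"type": "text", "text": "ICD-10: E11.9"}]}


if __name__ == "__main__":
    gw = PhiGateway(fake_transport, "https://api.anthropic.com")
    # Constructed chart snippet; "claude-sonnet-4-5" is a placeholder model id.
    print(gw.send_phi("dr.lee@example.org", "coding: extract ICD-10", "claude-sonnet-4-5",
                      "MRN 0042137: 58F with type 2 diabetes, no complications."))
    for line in gw.audit_lines():
        print(line)
    print("consumer endpoint allowed?", endpoint_allowed("https://claude.ai"))
```

In a real deployment the transport is your HTTPS client with the organization's API key, the audit lines go to an append-only store your SIEM reads, and the allowlist is whatever the signed BAA names. The point of the keyed hash is that an investigator can later prove which stored request a log entry refers to without the log itself becoming a second copy of the PHI.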

    The "shadow Claude" problem

    Even with an enterprise contract, the highest-frequency HIPAA exposure in 2026 is workforce members using consumer Claude.ai (or ChatGPT Plus, or Gemini, or Grok) for clinical or administrative tasks because the personal account is faster and feels less monitored than the sanctioned tool. Survey data from KLAS Research and HIMSS in 2025 consistently put unsanctioned generative-AI use among US clinicians above 50%.

Two technical controls help materially:

• Browser-level redaction. A local-first tool such as Sonomos detects PHI categories (names, dates, MRNs, diagnoses, drug names, payer IDs) inside the browser, replaces them with reversible tokens before the prompt leaves the device, and restores them in the reply. Even when staff use a non-sanctioned Claude.ai account, the unmasked PHI never crosses the wire. Two caveats: a detector only catches what it has patterns or a lexicon for, so unusual name spellings, rare diagnoses, and quasi-identifiers buried in free text can slip through; and the token-to-value mapping is itself PHI and has to be protected on the device.
• Egress controls for AI domains. Add claude.ai, chatgpt.com (formerly chat.openai.com), gemini.google.com, copilot.microsoft.com, and similar destinations to your DLP and CASB rules, and treat them the way you treat traffic to a personal cloud-storage provider. Where the sanctioned tool lives on the same domain as the consumer product (claude.ai for Claude for Work), the CASB rule has to be instance-aware, allowing the SSO-backed enterprise workspace and blocking personal logins, rather than a blanket domain block.

Both controls are additive, not substitutes for a BAA. They reduce the size and severity of a leak when policy slips.

    Examples: what is and is not allowed

    The lines below assume a covered entity has a signed BAA covering Claude for Work or the Anthropic API. Without that BAA, the answer to every "yes" example is "no, this is an unpermitted disclosure."

| Scenario | Compliant? | Why |
| --- | --- | --- |
| Clinician pastes a Safe Harbor de-identified case summary into Claude.ai Pro to brainstorm differentials | Yes | De-identified data is not PHI; keep a record of the de-identification method |
| Clinician pastes the same summary with the patient's name and MRN into Claude.ai Pro | No | PHI to a non-BAA tenancy |
| Clinician pastes the same PHI into Claude for Work (BAA-covered Enterprise workspace) | Yes | Permitted disclosure to a business associate |
| Health-tech team uses the Anthropic API (BAA + ZDR) to extract ICD-10 codes from chart notes | Yes | Permitted; log the disclosure |
| Front-desk staff drafts an appointment-reminder text that includes patient name and visit date in Claude.ai Pro | No | PHI to a non-BAA account |
| Same staff drafts the message with "[Patient]" placeholders, then fills the name in the EHR | Yes | No PHI sent to Anthropic |
| Researcher uses Claude on AWS Bedrock under the AWS BAA to summarize de-identified clinical-trial transcripts | Yes | BAA-covered service; no PHI in scope |

    The pattern: keep PHI inside the BAA boundary, or remove PHI before the request leaves the device.

    How Claude for Work compares to ChatGPT Enterprise for healthcare

    Both products can be configured for HIPAA workloads under a BAA. The relevant differences in 2026 are:

• Default training posture. Both vendors exclude enterprise, team, and API traffic from training by default. On the consumer tiers, both have used opt-out training settings that have changed over time, so check the current setting rather than relying on a remembered default; for PHI the question is moot anyway, since consumer tiers sit outside any BAA.
    • Zero retention. Both vendors offer ZDR for HIPAA-eligible customers on the API; both require it to be requested and configured.
• Cloud presence. Claude is offered on both AWS Bedrock and Google Vertex AI under their respective BAAs, which can simplify procurement for organizations already standardized on one of those clouds and already holding that provider's BAA.
    • Audit logging. Both expose admin audit logs on enterprise plans. The richness varies by feature; verify the specific events your compliance program needs are captured.

    The product-level "which is more HIPAA-friendly" question matters less than the organizational question: which BAA do you already have, and how well can you keep your workforce inside the covered tenancy?

    Frequently asked questions

    Does signing a BAA make Claude HIPAA compliant?

    A BAA is necessary but not sufficient. Compliance requires the BAA plus the Security Rule's administrative, physical, and technical safeguards in your configuration and operation. Anthropic's BAA covers their part; the rest — workforce access controls, audit logs, training, incident response — is yours.

    Is Claude.ai Pro HIPAA compliant if I only use it for de-identified data?

If the data is genuinely de-identified under HIPAA's Safe Harbor or Expert Determination methods, it is no longer PHI and HIPAA does not apply. The risk is that "de-identified" is harder than it looks. Safe Harbor requires removing 18 specific identifier categories (among them every date element other than the year, ages over 89, and full ZIP codes; only the first three ZIP digits may remain, and only where that area holds more than 20,000 people) and additionally requires that you have no actual knowledge that the remaining information could identify the individual. A rare diagnosis plus a small-population ZIP prefix can still re-identify someone on its own. If you cannot document the de-identification method, treat the data as PHI.
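The following is an added example, not Sonomos's or Anthropic's code: a regex-based PHI detector with reversible tokenization. It serves two passages of this guide: the browser-level redaction described in the "shadow Claude" section (mask identifiers before the prompt leaves the device, restore them in the reply, keep the mapping local) and the question in this FAQ (does a text still carry Safe Harbor identifiers?). The patterns, the two roster names, the MRN format, and the sample note are constructed for illustration; a production detector needs far more patterns plus a name and diagnosis lexicon or NER, and the example treats every full ZIP code as an identifier rather than applying the three-digit rule.

```python
"""Added example, not Sonomos's or Anthropic's code: PHI detection, reversible
tokenisation for outbound prompts, and a Safe Harbor identifier check."""
import re
from typing import Dict, List, Tuple

Span = Tuple[int, int, str]  # (start, end, category)

# Illustrative detectors for a subset of the 18 Safe Harbor identifier categories
# plus a constructed MRN format. A detector only catches what it has patterns for.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "MRN":   re.compile(r"\bMRN[:#\s]*\d{6,10}\b"),
    "SSN":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # Lookbehind instead of \b so "(617) 555-0142" after a space still matches.
    "PHONE": re.compile(r"(?<!\w)\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # Any date element more precise than a year is an identifier under Safe Harbor.
    "DATE":  re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    # Conservative: treats every full ZIP as an identifier (Safe Harbor allows the
    # first three digits in areas with more than 20,000 people).
    "ZIP":   re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    # Ages over 89 must be aggregated to "90 or older".
    "AGE90": re.compile(r"\b(?:9\d|1[0-9]{2})[- ]?(?:years?|yo|y/o)\b", re.I),
}
NAME_ROSTER = ("Maria Santos", "J. Okafor")  # constructed stand-in for a patient roster

# Constructed chart note; no real patient.
SAMPLE_NOTE = ("Pt Maria Santos, MRN 0042137, DOB 03/14/1961, seen 2024-11-02 for T2DM f/u. "
               "Home ZIP 02139. Call 617-555-0142 re: labs.")


def find_identifiers(text: str) -> List[Span]:
    """One left-to-right pass over every detector. Overlapping hits keep the
    earliest-starting, then longest, match so each identifier gets one category."""
    hits: List[Span] = []
    for cat, pat in PATTERNS.items():
        hits.extend((m.start(), m.end(), cat) for m in pat.finditer(text))
    for name in NAME_ROSTER:
        hits.extend((m.start(), m.end(), "NAME") for m in re.finditer(re.escape(name), text))
    hits.sort(key=lambda h: (h[0], -h[1]))
    kept: List[Span] = []
    cursor = 0
    for start, end, cat in hits:
        if start >= cursor:
            kept.append((start, end, cat))
            cursor = end
    return kept


def safe_harbor_findings(text: str) -> List[Tuple[str, str]]:
    """Which identifier categories, and which literal values, remain in the text."""
    return [(cat, text[s:e]) for s, e, cat in find_identifiers(text)]


def contains_safe_harbor_identifiers(text: str) -> bool:
    """True means the text is NOT de-identified as far as these detectors can tell.
    False is evidence, not proof: anything without a pattern is invisible here."""
    return bool(find_identifiers(text))


class Redactor:
    """Replaces identifiers with opaque tokens and keeps the mapping locally.
    The same value always gets the same token so the model sees a consistent
    narrative; the vault is itself PHI and must never leave the device."""
    TOKEN = re.compile(r"\[[A-Z0-9]+_\d+\]")

    def __init__(self) -> None:
        self._token_for: Dict[str, str] = {}   # original value -> token
        self._value_for: Dict[str, str] = {}   # token -> original value
        self._counts: Dict[str, int] = {}

    def mask(self, text: str) -> str:
        out: List[str] = []
        pos = 0
        for start, end, cat in find_identifiers(text):
            value = text[start:end]
            token = self._token_for.get(value)
            if token is None:
                self._counts[cat] = self._counts.get(cat, 0) + 1
                token = f"[{cat}_{self._counts[cat]}]"
                self._token_for[value] = token
                self._value_for[token] = value
            out.append(text[pos:start])
            out.append(token)
            pos = end
        out.append(text[pos:])
        return "".join(out)

    def unmask(self, text: str) -> str:
        """Restore known tokens in the reply; unknown bracketed text is left alone."""
        return self.TOKEN.sub(lambda m: self._value_for.get(m.group(0), m.group(0)), text)


if __name__ == "__main__":
    r = Redactor()
    masked = r.mask(SAMPLE_NOTE)
    print("to model:", masked)
    # Constructed stand-in for the model's reply; tokens come back unchanged.
    reply = "Summary: [NAME_1] ([MRN_1]) seen [DATE_2] for diabetes follow-up; call [PHONE_1]."
    print("to user :", r.unmask(reply))
    print("findings:", safe_harbor_findings(SAMPLE_NOTE))
```

Note what the sample still leaks after masking: "T2DM" and "58F"-style clinical detail survive because diagnoses and ages under 90 are not Safe Harbor identifiers, yet combined with a small-area ZIP prefix they can still narrow a person down. That is the gap between "passes the detector" and "documented de-identification" the FAQ above is about.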

    What about Claude Projects, memory, and Computer Use?

    For BAA-covered tenancies, Anthropic publishes guidance on which features are eligible for HIPAA workloads. As of 2026, Claude for Work admins can govern Projects, file uploads, and integrations at the workspace level. Computer Use and other agentic features have their own data-flow profiles — confirm the current eligibility list with your account team before turning them on for clinical workflows.

    Can a doctor use Claude.ai Pro with PHI if they "don't share the chats"?

    No. The Privacy Rule regulates the act of disclosure to a non-BAA third party, not the visibility of the chat in the user's history. Pasting PHI into Claude.ai Pro is the disclosure, regardless of whether the conversation is later deleted or shared.

    What if my staff already pasted PHI into a personal Claude account?

Treat it as a potential breach. Investigate the account's data settings and any retention windows that apply, document the disclosure, and run the Breach Notification Rule's four-factor risk assessment: the nature and extent of the PHI involved (including how identifiable it is), who received it, whether the PHI was actually acquired or viewed, and how far the risk has been mitigated. Unless that assessment shows a low probability that the PHI was compromised, notification is required without unreasonable delay and no later than 60 days after discovery. "We did not realize the tool was unsanctioned" has not been an effective defense in OCR enforcement actions.

    Is Claude on Amazon Bedrock the same as Claude.ai for HIPAA purposes?

No. Claude on Bedrock is governed by the AWS HIPAA-eligible-services framework and the AWS BAA; Claude.ai is governed by Anthropic's consumer or Claude for Work terms. The models belong to the same Claude family; the contractual, retention, and infrastructure posture is different. Pick the path your security and procurement teams can support.

    How does Sonomos relate to HIPAA?

    Sonomos is not a covered entity or business associate. It is a privacy layer that runs entirely in the user's browser and never receives PHI or any other data. By detecting PHI categories on-device and replacing them with reversible tokens before the prompt leaves the browser, Sonomos materially reduces the surface where PHI can leak — including to non-BAA accounts. It is complementary to a properly executed BAA program, not a substitute for one.

    A short HIPAA + Claude checklist

    • Decide which Anthropic products your workforce may use for PHI, and which are blocked.
    • Sign a BAA with Anthropic, AWS, or Google Cloud covering the specific Claude path you use.
    • Enable Zero Data Retention or the equivalent where available.
    • Block or proxy Claude.ai consumer endpoints at the network and identity layers.
    • Deploy a local-first redaction tool to every browser used by clinical and administrative staff.
    • Add AI-bound traffic to your DLP, CASB, and audit-log review.
    • Train staff specifically on what may and may not be sent — verify with periodic walk-throughs, not just attestations.
    • Re-assess annually; vendor product lines and HIPAA-eligible feature sets change frequently.

    The bottom line

    In 2026, "Is Claude HIPAA compliant?" is the wrong question. The right questions are: which Anthropic product am I using, do I have a BAA covering that product, is the configuration aligned with the Security Rule, am I sure my workforce is in the BAA-covered tenancy, and what happens when they aren't? Get those right and Claude is a useful tool inside a HIPAA program. Skip any one of them and you are running on luck.
