Is ChatGPT or Gemini HIPAA-Compliant?
A Complete Guide to HIPAA-Safe LLMs
by HIPAA Vault
LLMs like ChatGPT and Google Gemini are transforming healthcare, but when Protected Health Information (PHI) is involved, compliance risks skyrocket. Under HIPAA, even typing a patient’s name into a chatbot can be a violation—unless the model is deployed in a HIPAA-safe way.
Key requirements for HIPAA-compliant LLMs:
Business Associate Agreement (BAA) with the vendor
Encryption in transit & at rest
No PHI used for model training
Audit logging for every action
Safe options:
ChatGPT Enterprise / API (with BAA)
Gemini in Google Workspace Enterprise (with BAA)
Self-hosted LLMs like Meta LLaMA (if you manage full compliance)
Not safe:
Consumer ChatGPT (Free/Pro)
Consumer Gemini
Consumer versions come with no BAA, may retain prompts, and are not HIPAA-compliant.
As HIPAA Vault’s Gil Vidals puts it: “If it’s free, you’re the product.”
Industry News Roundup
Michigan Hospital Breach Exposes Data of 78,000 Individuals
Sturgis Hospital, a rural critical access hospital in Michigan, has reported two separate hacking incidents affecting up to 77,771 patients and employees.
The first intrusion was discovered in December 2024, and a second round of unauthorized activity was detected in June 2025. Investigations confirmed that sensitive files were accessed and may have been exfiltrated. Exposed data includes:
Names & contact information
Social Security numbers & government IDs
Financial account details
Health insurance & clinical records (treatments, prescriptions, etc.)
Hospital response:
Engaged third-party cybersecurity experts
Secured systems & added new safeguards
Offered free credit monitoring & ID theft protection
Notified law enforcement and impacted individuals
Context: Sturgis isn’t alone—Aspire Rural Health (MI) and Endless Mountains Health (PA) also suffered cyberattacks this year. With limited budgets and staff, rural providers remain attractive targets. To address this, HHS has announced $50 billion in grants over five years to bolster rural healthcare and cybersecurity.
August 2025 Healthcare Data Breach Report
Healthcare data breaches continued to climb in August 2025, with 58 large incidents (500+ individuals affected) reported to HHS — a 13.7% increase month over month. While slightly below this year’s monthly average (63.5), the scale of exposure remains massive.
Across all incidents, the PHI of 3.79 million individuals was compromised, though that figure is still down sharply compared to 2024 due to the outlier Change Healthcare breach.
Largest breaches in August:
DaVita Inc. (CO): 2,689,826 affected – ransomware (Interlock)
Vital Imaging Medical Diagnostic Centers (FL): 260,000 affected – suspected data theft
Aspire Rural Health System (MI): 138,386 affected – ransomware (BianLian)
Highlands Oncology Group (AR): 111,766 affected – ransomware (Medusa)
Key trends:
87.9% of breaches tied to hacking/IT incidents
Most of the compromised data was stored on network servers, with email accounts the next most common location
California, Florida, and Texas saw the highest number of incidents
Enforcement news: OCR announced a new settlement in August — BST & Co. CPAs (NY) agreed to pay $175,000 after a Maze ransomware attack exposed data from 170,000 patients.
Try HIPAA-Compliant sFTP Hosting — Live in 24 Hours
HIPAA Vault’s Fully Managed sFTP Hosting makes compliance effortless with flat-rate pricing and audit-ready servers—starting at just $229/month (with a 30-day risk-free trial).
No DevOps hires. No AWS billing spikes. No compliance delays killing deals. Just fast, secure, and compliant file transfer, backed by 24/7 U.S.-based support and proven HIPAA expertise.
✅ What’s Included:
Private, dedicated HIPAA-compliant server
Encrypted transfers, logs, & signed BAA
Audit-ready configuration with safeguards built-in
Fully managed setup & maintenance (no DevOps required)
Scale storage & performance without downtime
🛡️ Trusted by healthcare orgs, labs, and SaaS startups to stay compliant and move faster.
⚡ Go live tomorrow — close contracts sooner.
👉 Start Your 30-Day Risk-Free Trial Today — and be audit-ready by tomorrow.
AI is changing healthcare faster than ever — but without HIPAA safeguards, tools like ChatGPT and Gemini can put patient data at risk.
The bottom line: Only HIPAA-safe deployments with a BAA, encryption, and audit logging make LLMs compliant. Free or consumer versions don’t cut it.
Ready to innovate with AI while keeping PHI protected?
👉 Explore all of HIPAA Vault’s trusted solutions and secure your data today.
Until next time,
The HIPAA Vault Team