Is Claude HIPAA-Compliant? What Anthropic's BAA Actually Covers

Anthropic will sign a BAA for some Claude products and not others. Here's what that BAA covers, what it leaves to you, and how to tell the difference.

Claude the model is neither HIPAA-compliant nor non-compliant — because compliance is a property of a deployment, not a property of a model. The honest answer to “is Claude HIPAA-compliant?” is that it depends entirely on which Claude product you use, how you’ve configured it, and what exists around it.

The stakes for this configuration are higher than in any other industry. Healthcare remains the most expensive sector for data breaches for the 14th consecutive year, with the average breach now costing $9.77 million.[7] Despite these risks, over 70% of healthcare organizations were already pursuing or implementing generative AI capabilities by the start of 2024.[8]

Anthropic does sign a Business Associate Agreement. But the BAA covers specific Claude products and explicitly excludes others, and even where it applies, it covers Anthropic’s piece of the path — not the organizational controls a covered entity still has to put in place. The gap between “Anthropic signed a BAA” and “our Claude deployment is HIPAA-compliant” is wide enough that teams fall into it routinely.

What Anthropic’s BAA actually covers

Anthropic offers a BAA to commercial customers for what it calls its HIPAA-ready services. As of 2026, that means two things: the first-party Claude API, and HIPAA-ready Claude Enterprise plans.[1]

That is a real commitment, and it is more than some AI vendors offer. A BAA from Anthropic obligates the company, as a business associate, to handle PHI only as the contract permits and to apply the safeguards HIPAA requires.[2]

The exclusions are where teams get caught. Anthropic’s BAA does not cover Claude Free, Pro, or Team plans.[1] It does not cover the Workbench and Console. It does not cover features in beta. If a clinician opens claude.ai on a personal Pro account and pastes in a chart note, that disclosure sits entirely outside any BAA — no different from pasting it into a consumer chatbot with no BAA at all.

The date of signature matters too. Anthropic has stated that BAAs signed before December 2, 2025 cover API usage only and do not extend to the HIPAA-ready Enterprise plan.[1] An organization that signed early and assumes the agreement now covers Enterprise seats is mistaken about its own scope.

A BAA covers the services it names — nothing else

This is not an Anthropic quirk. It is how every BAA works. A Business Associate Agreement is a contract, and like any contract it covers the services described in it.[2] The required elements of a BAA under HIPAA — set out at 45 CFR 164.504(e) — define the permitted uses and disclosures of PHI, the safeguards the business associate must apply, breach reporting obligations, and termination rights.[3] Outside the named services, the BAA is silent.

So the relevant question for a Claude deployment is not “did Anthropic sign?” It is “does the BAA cover the exact product, plan, and configuration your team uses every day?” A BAA that covers the API does nothing for a paralegal using a personal Pro account. A BAA scoped to one Enterprise organization does nothing for a second organization, or for the Workbench a developer uses to prototype.

Anthropic also notes that HIPAA-ready use carries configuration requirements and that not every API feature is eligible.[1] A signed BAA plus a non-eligible feature is, again, a covered agreement and an uncovered data flow. The signature is the easy part. Matching scope to actual use is the work.

What the BAA does not give you

Even a correctly scoped BAA — the right Claude product, the right plan, the eligible features — covers Anthropic’s responsibilities as a business associate. It does not, by itself, produce a compliant deployment for the covered entity. Several things HIPAA expects still have to come from somewhere else.

Organizational access controls. A BAA says nothing about who inside your organization may use the tool or with what data. HIPAA’s minimum necessary standard expects PHI access to be limited to what each role needs.[4] A general AI product has no concept of which staff member is a treating clinician and which is front-desk — that is a control the deploying organization has to impose.

A check on what gets sent. A BAA permits PHI to flow; it does not inspect prompts. If your organization’s policy is that certain information should be handled one way and other information another, nothing in the model enforces that. The person pressing send is the only safeguard, and “remember the policy every time” is not a safeguard.

A compliance-grade audit trail. HIPAA’s Audit Controls standard requires mechanisms to record and examine activity in systems containing PHI.[5] Conversation history in a Claude account is not that. It is not tamper-evident, it is not tied to verified identities at the level a regulator expects, and it is not retained under a policy your organization controls.

Scope-matching across the team. A BAA covers a product. It does not stop a team member from using a different, uncovered Claude product on the same laptop. Closing that gap is an organizational discipline — provisioning, policy, training — not something the agreement does for you.

On the data-handling questions a compliance officer asks, Anthropic’s commercial terms are reassuring: the company does not use API inputs and outputs to train its models.[6] That is the right posture, and it matters. But it is one input to a compliant deployment, not the whole of it.

Be fair to Claude — the model is not the problem

None of this is a knock on Claude. It is a capable model, and Anthropic has done more than many vendors to make a HIPAA path available: a self-serve BAA for the API and HIPAA-ready Enterprise plans, a commercial commitment against training on customer data, and clear documentation of what is and is not in scope.

The point is narrower. A strong model with a real BAA still leaves the covered entity holding most of the compliance work. The model answers prompts well. It does not enforce your access policy, inspect prompts for PHI before they leave your environment, or produce an audit trail that survives an investigation. Those are deployment properties — and a model BAA, however well drafted, is not a deployment.

This is the same gap general-purpose AI hits in every regulated context. We covered the equivalent question for OpenAI in “Is ChatGPT HIPAA-compliant?” — the answer rhymes, because the structure is the same. A consumer tier with no BAA, a commercial tier with a scoped one, and a deploying organization left to build the controls around it.

What a compliant Claude deployment actually needs

If you want to use Claude with PHI and be able to defend that decision, the deployment has to satisfy more than a signed BAA. Concretely:

  • The exact product is in scope. Not “we have an Anthropic BAA,” but “the specific Claude product, plan, and features our team uses are named as eligible, and we use nothing outside that.”
  • The full path is covered. Every entity that processes PHI along the way needs to be under a BAA your arrangement relies on — not just the vendor whose name is on the contract.
  • Access is controlled at the organizational level. Who can use the tool, with what data, enforced technically rather than stated in a training slide.
  • Prompts are checked before they leave. A systematic check for PHI ahead of the model call, with the policy decided by your organization — let it through under the BAA, redact it, or block it.
  • The audit trail holds up. Tamper-evident, tied to verified identities, retained under your policy, and verifiable without trusting the vendor’s word.

Anthropic’s BAA delivers the first and, for the API, contributes to the second. The rest is on the deploying organization — which is exactly the work most teams underestimate.
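As an added illustration (not Anthropic's, HASP's, or any vendor's code), here is a minimal Python sketch of two of the controls listed above: a pre-call PHI gate that applies the organization's allow/redact/block policy before a prompt leaves the environment, and an append-only, hash-chained audit log whose chain can be re-verified without trusting whoever wrote it. The PHI patterns, user names and sample prompt are constructed for the example and are far narrower than a real detector would be.

```python
import hashlib, json, re

# Constructed, deliberately narrow PHI patterns; a real detector covers all 18
# HIPAA identifiers and would not rely on regexes alone.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.I),
    "dob": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}

def scan_phi(text):
    """Return the PHI categories found in a prompt, in pattern order."""
    return [name for name, rx in PHI_PATTERNS.items() if rx.search(text)]

def gate_prompt(text, policy):
    """Apply the org policy ("allow", "redact", "block") before the model call."""
    findings = scan_phi(text)
    if not findings or policy == "allow":
        return "allow", text, findings          # nothing to act on, or policy permits
    if policy == "block":
        return "block", None, findings          # prompt never leaves the environment
    redacted = text
    for name, rx in PHI_PATTERNS.items():
        redacted = rx.sub(f"[{name.upper()} REDACTED]", redacted)
    return "redact", redacted, findings

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only, hash-chained log: each entry commits to the previous hash."""
    GENESIS = "0" * 64
    def __init__(self):
        self.entries = []
    def append(self, user, decision, findings):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "user": user, "decision": decision,
                "findings": findings, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})
        return self.entries[-1]["hash"]
    def verify(self):
        """Recompute the chain; an edited, dropped or reordered entry breaks it."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

The log records the gate's decision and the PHI categories found, not the prompt text itself, so the audit trail does not become a second copy of the PHI it is meant to account for.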

Where this leaves a regulated team

“Is Claude HIPAA-compliant?” is the wrong question, because it asks about a model when compliance is a property of a deployment. The better questions are: which Claude product are we using, is it named in the BAA, and what controls have we built around it?

HASP is built so the answer to all three is settled. It runs Claude-class models for regulated work under one BAA that covers the AI tool and the model path behind it — every prompt checked for PHI before it reaches a model, organizational access controls, and an append-only, hash-chained audit trail you can verify independently. A BAA is included on every paid plan, from Solo at $199 / mo. The result is a deployment you can defend, not just an agreement you can point to. See what that looks like in HASP Assistant, or read the full picture in the complete guide to HIPAA-compliant AI.

Sources

  1. Anthropic. “Business Associate Agreements (BAA) for Commercial Customers.” Anthropic Privacy Center. privacy.claude.com

  2. U.S. Department of Health & Human Services. “Business Associates.” HHS.gov. hhs.gov

  3. U.S. Department of Health & Human Services. “Business Associate Contracts.” HHS.gov. hhs.gov

  4. U.S. Department of Health & Human Services. “Summary of the HIPAA Privacy Rule.” HHS.gov. hhs.gov

  5. U.S. Department of Health & Human Services. “Summary of the HIPAA Security Rule.” HHS.gov. hhs.gov

  6. Anthropic. “Commercial Terms of Service.” Anthropic. anthropic.com

  7. IBM Security. Cost of a Data Breach Report 2024 (2024). ibm.com

  8. McKinsey & Company. “The state of AI in early 2024: Gen AI adoption spikes and starts to generate value” (2024). mckinsey.com