When AI Tools Handle Medical Data: Why HIPAA Covered Entities Aren't the Only Concern

OpenAI’s newly announced ChatGPT Health feature has triggered serious questions about how sensitive personal information is protected when users entrust their medical records to artificial intelligence platforms. While the company claims to have implemented safeguards, privacy advocates argue that existing regulations create dangerous gaps in consumer protection.

The Privacy Protection Gap Beyond HIPAA Covered Entities

Here’s the critical distinction that most users miss: health data receives different legal treatment depending on who holds it. When HIPAA covered entities—such as hospitals, insurers, or doctor’s offices—store your medical information, strict privacy rules apply. However, technology companies, AI platforms, and health app developers operate in a largely unregulated space.

Andrew Crawford, a senior policy counsel at the Center for Democracy and Technology, highlights this disparity: “The HIPAA privacy rules apply when your health data is held by your doctor or insurance company. The same is not true for non-HIPAA-covered entities, like developers of health apps, wearable trackers, or AI companies.” This means ChatGPT Health, despite encryption and separated storage, isn’t bound by the same compliance standards as traditional healthcare providers.

OpenAI’s Approach to the New Feature

ChatGPT Health allows users to upload medical records and wellness information directly into the platform. OpenAI states that the tool is designed to help users understand their health rather than provide diagnostic or treatment services. The company emphasizes it will share only general, factual health information and flag high-risk scenarios for consultation with actual healthcare professionals.

Rollout begins this week for select users outside the EU and UK, with iOS and web access expanding over the coming weeks.

The Deeper Concern: Who Controls Your Data?

J.B. Branch, Public Citizen’s big-tech accountability advocate, points out that self-regulation isn’t sufficient. “Even when companies claim to have privacy safeguards, consumers often lack meaningful consent, transparency, or control over how their data is used, retained, or repurposed,” Branch stated. “Health data is uniquely sensitive, and without clear legal limits and enforceable oversight, self-policed safeguards simply cannot protect people from misuse, re-identification, or downstream harm.”

The issue extends beyond current usage. OpenAI says health conversations won’t train its foundation models, but the absence of comprehensive federal privacy legislation means there’s little to prevent future repurposing of this data.

The Growing Mental Health Dimension

The timing of ChatGPT Health’s launch is noteworthy. OpenAI previously disclosed that over 1 million users discuss suicide and mental health crises with ChatGPT weekly—representing approximately 0.15% of its user base. This volume underscores how the platform has become a de facto mental health resource, yet one without the regulatory framework that typically governs sensitive psychological data.

The Real Problem: Consumer Burden in an Unregulated Landscape

Crawford emphasizes that federal policy has essentially shifted the burden onto individual users. “Our current laws place responsibility on consumers to analyze whether they’re comfortable with how the technology they use daily handles their data,” he explained. “The absence of comprehensive federal privacy law governing health data held by technology companies means individuals must conduct their own risk assessments.”

Unlike HIPAA covered entities bound by statutory obligations, companies like OpenAI define their own privacy standards. Without federal intervention or updated regulations accounting for AI-held health data, this imbalance will likely persist.
