Is Claude HIPAA Compliant? What Healthcare Teams Need to Know in 2026

Anthropic signs a BAA for some Claude products, not all. Here is exactly what counts.

Is Claude HIPAA compliant? The short answer: it can be, but only on the right plans. Anthropic will sign a Business Associate Agreement (BAA) for its first-party API and for HIPAA-ready Enterprise plans, and for nothing else.

No AI tool is HIPAA compliant on its own. Compliance depends on the plan you use, a signed BAA, and how your team handles protected health information (PHI).

This guide breaks down which Claude services are covered, which are not, and how to set up Claude for healthcare the right way. We cite Anthropic's own docs throughout.


Is Claude HIPAA Compliant? The Short Answer

Claude can be used in a HIPAA-compliant way. But it is not compliant by default.

Anthropic offers a BAA for two surfaces only. These are the first-party Claude API and HIPAA-ready Enterprise plans.

A BAA is a legal contract required by HIPAA. It makes Anthropic a "business associate" and lets you share PHI with covered services.

For Enterprise, an admin must turn on HIPAA settings and sign the BAA. For the API, an admin signs the BAA and contacts Anthropic to enable it.

  • Covered: first-party Claude API (Messages API and related endpoints)
  • Covered: HIPAA-ready Claude Enterprise (chat, projects, artifacts, and more)
  • A signed BAA is required before sending any PHI
  • You must turn on HIPAA settings; it is not automatic

Bottom line: Claude is HIPAA-ready, not HIPAA-compliant out of the box. You must use a covered plan and sign a BAA first.

What Is a Claude BAA and Why Does It Matter?

A BAA is the heart of HIPAA compliance for any vendor. Without one, sending PHI to Claude is an impermissible disclosure under HIPAA.

HIPAA requires a BAA before a covered entity shares PHI with a vendor. The vendor must agree to protect that data.

Anthropic's BAA covers how it handles, stores, and protects your data. It also sets breach notice rules.

A signed Claude BAA is the line between permitted use and a violation. Sending PHI without one is an impermissible disclosure, and HIPAA presumes an impermissible disclosure is a reportable breach unless your risk assessment shows a low probability that the PHI was compromised. Intent does not matter; an accidental paste counts.

  • The BAA names Anthropic as your business associate
  • It covers data handling, security, and breach reporting
  • For Enterprise, the BAA is click-to-accept in admin settings
  • For the API, you sign the BAA and Anthropic enables coverage

Which Claude Services Are HIPAA-Ready?

Coverage is narrow and specific. Only named services fall under the BAA.

On HIPAA-ready Enterprise, you get chat, projects, artifacts, voice, web search, research, and skills. File creation and code execution are covered too.

On the first-party API, the Messages API is covered. This includes prompt caching, structured outputs, memory, web search, and tool use.

Claude Code is covered only under set conditions. It needs Enterprise plans or the API with zero-data-retention enabled.

  • Enterprise: chat, projects, artifacts, voice, web search, research, skills
  • API: Messages API, token counting, models, and compliance endpoints
  • Claude Code: covered only on an Enterprise plan, or on the API with ZDR enabled

Always check the current coverage list in Anthropic's BAA article. The named services can change as products evolve, and anything not on the list should be treated as uncovered.

Which Claude Products Are NOT HIPAA Compliant?

This is where teams get into trouble. Many popular Claude products are not covered at all.

Claude Free, Pro, Max, and Team plans get no BAA. Never put PHI into them.

The Workbench and Console are also excluded. So are Cowork, Claude for Office, and most beta features.

Using any excluded product with PHI is a HIPAA violation. This is true no matter how careful your team is.

  • Not covered: Claude Free, Pro, Max, and Team
  • Not covered: Workbench and Console
  • Not covered: Cowork, Claude for Office, Claude Design
  • Not covered: Batch API, Files API, and most beta features

Warning: A nurse pasting patient notes into Claude Pro is an impermissible disclosure of PHI, and in most cases a reportable breach. The plan matters more than the prompt.

Claude Certifications and Zero Data Retention

Third-party attestations and certifications back up Anthropic's HIPAA posture. They show that an outside auditor tested the controls. None of them is a "HIPAA certification" (HHS does not certify vendors), so treat them as evidence for your own risk analysis, not as a substitute for the BAA.

Anthropic holds SOC 2 Type I and Type II reports, ISO 27001:2022 certification, and ISO/IEC 42001:2023 certification. The 42001 standard covers AI management systems.

A Zero-Data-Retention (ZDR) addendum is also available. With ZDR, Anthropic does not store your inputs or outputs, except where law requires.

ZDR applies to eligible APIs and Claude Code for Enterprise. It adds a strong layer of protection for Claude PHI workflows.

  • SOC 2 Type I and Type II
  • ISO 27001:2022 for information security
  • ISO/IEC 42001:2023 for AI management systems
  • Zero-Data-Retention addendum for eligible API and Code plans

Does Claude Fable 5 Inherit the Same HIPAA Coverage?

Anthropic released Claude Fable 5 on June 9, 2026. Many healthcare teams ask if it is safe to use.

New models are served through the same API and Enterprise surfaces. So Claude Fable 5 inherits the same BAA and certifications, provided you reach it through a covered surface and it is not offered only as a beta feature, since the BAA article excludes most beta features.

The model does not change the rules. Coverage still depends on your plan, a signed BAA, and HIPAA settings being on.

Use Fable 5 through the first-party API or HIPAA-ready Enterprise. Then it follows the same compliant path as earlier models.

A new model name does not create new compliance. The plan and the signed BAA are what make Claude HIPAA compliant.

How to Use Claude for Healthcare the Right Way

Setup is simple once you know the steps. The goal is a covered plan plus the right controls.

Pick the first-party API or a HIPAA-ready Enterprise plan. Then sign the BAA and turn on HIPAA settings.

Add your own safeguards on top. HIPAA still requires a documented risk analysis, access controls, audit logs, and staff training on your side; the BAA covers Anthropic's handling of the data, not yours.

A partner can help you map these steps to your practice. That cuts risk and speeds up your rollout.

  • Choose a covered plan: first-party API or HIPAA-ready Enterprise
  • Sign the BAA before sending any PHI
  • Turn on HIPAA settings in admin or contact sales for the API
  • Add access controls, audit trails, and staff training
  • Consider enabling Zero-Data-Retention for extra protection
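As an added illustration of the "add your own safeguards" step and of the covered-versus-excluded split above (example code written for this page, not Anthropic's code and not from Anthropic's docs): a small Python chokepoint that an application routes every Claude call through. It default-denies any PHI-bearing request unless the organization has a signed BAA and HIPAA settings on, the host is the first-party API, and the path is on the covered list; Batch and Files paths, and anything sent with a beta header, are refused. Every attempt, allowed or not, gets an audit record that references the request by hash so the PHI itself never lands in the log. The API paths, the `OrgState` flags, the `anthropic-beta` check as a proxy for "beta feature", and the sample request are assumptions constructed for the example; detecting PHI in a payload is outside its scope, so the caller flags it.

```python
"""PHI chokepoint for Claude API calls (added example; assumptions noted inline)."""
import hashlib
import json
import time
from dataclasses import dataclass, field
from urllib.parse import urlparse

FIRST_PARTY_HOST = "api.anthropic.com"
# ASSUMPTION: the page's coverage lists mapped onto API paths.
COVERED_PATHS = frozenset({"/v1/messages", "/v1/messages/count_tokens", "/v1/models"})
EXCLUDED_PREFIXES = ("/v1/messages/batches", "/v1/files")   # Batch API, Files API


@dataclass
class OrgState:
    """Account state an admin confirms before PHI flows (assumed fields, not an Anthropic API)."""
    baa_signed: bool
    hipaa_enabled: bool
    zdr_enabled: bool = False


@dataclass
class AuditLog:
    """In-memory audit trail; a real deployment would write to append-only storage."""
    records: list = field(default_factory=list)

    def append(self, **rec):
        rec["ts"] = time.time()
        self.records.append(rec)
        return rec


def body_digest(body: bytes) -> str:
    """The log references the request by SHA-256 so PHI is never copied into it."""
    return hashlib.sha256(body).hexdigest()


def check_request(url, headers, body, user, org, contains_phi, audit):
    """Return (allowed, reason) and write one audit record for the attempt.

    Default-deny: a PHI request to any path not on the covered list is refused,
    which also covers new or beta endpoints the allowlist has not caught up with.
    """
    u = urlparse(url)
    path = u.path.rstrip("/")
    header_names = {k.lower() for k in headers}
    if not contains_phi:
        verdict = (True, "no PHI; ordinary controls apply")
    elif u.hostname != FIRST_PARTY_HOST:
        verdict = (False, "PHI may only go to the first-party API host")
    elif not org.baa_signed:
        verdict = (False, "no signed BAA on this organization")
    elif not org.hipaa_enabled:
        verdict = (False, "HIPAA settings not enabled on this organization")
    elif path.startswith(EXCLUDED_PREFIXES):
        verdict = (False, f"{path} is explicitly outside the BAA")
    elif path not in COVERED_PATHS:
        verdict = (False, f"{path} is not on the covered list (default deny)")
    elif "anthropic-beta" in header_names:          # ASSUMPTION: beta header == beta feature
        verdict = (False, "beta features are not covered; drop the anthropic-beta header")
    else:
        verdict = (True, "covered endpoint, BAA in place")
    audit.append(user=user, host=u.hostname, path=path, phi=contains_phi,
                 body_sha256=body_digest(body), allowed=verdict[0], reason=verdict[1])
    return verdict


def demo():
    """Run a few constructed requests through the gate and return (verdicts, log)."""
    org = OrgState(baa_signed=True, hipaa_enabled=True, zdr_enabled=True)
    log = AuditLog()
    # Constructed sample; the patient details are fictitious.
    note = json.dumps({"model": "<model-id>", "max_tokens": 256, "messages": [
        {"role": "user", "content": "Summarize: J. Doe, MRN 12345, DOB 1970-01-01, chest pain."}
    ]}).encode()
    base = "https://" + FIRST_PARTY_HOST
    verdicts = [
        check_request(base + "/v1/messages", {"x-api-key": "k"}, note, "nurse1", org, True, log),
        check_request(base + "/v1/files", {"x-api-key": "k"}, note, "nurse1", org, True, log),
        check_request(base + "/v1/messages", {"anthropic-beta": "x"}, note, "nurse1", org, True, log),
        check_request(base + "/v1/messages", {}, note, "nurse1", OrgState(True, False), True, log),
    ]
    return verdicts, log


if __name__ == "__main__":
    for (ok, why), rec in zip(*demo()) if False else zip(demo()[0], demo()[1].records):
        print("ALLOW" if ok else "DENY ", rec["path"], "-", why)
```

The point of the hash in the audit record is that an audit trail is itself a store of data: logging the prompt verbatim would move PHI into a third system that also needs HIPAA controls. The `contains_phi` flag is deliberately an input, not a guess; classifying PHI is a separate control, and a gateway that tries to infer it will eventually miss one.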

Frequently Asked Questions

  • Is Claude HIPAA compliant? Claude is HIPAA-ready, not compliant by default. Anthropic signs a BAA for its first-party API and HIPAA-ready Enterprise plans. You must use a covered plan, sign the BAA, and turn on HIPAA settings before sending any PHI.
  • Does Anthropic sign a BAA? Yes. Anthropic offers a Business Associate Agreement for two surfaces: the first-party Claude API and HIPAA-ready Enterprise plans. No other plan is covered.
  • Are Claude Free, Pro, Max, or Team HIPAA compliant? No. These plans get no BAA. Putting PHI into them is a HIPAA violation, even by accident.
  • What certifications does Anthropic hold? SOC 2 Type I and Type II reports, ISO 27001:2022, and ISO/IEC 42001:2023. These show that outside auditors tested its security and AI management controls; none of them is a HIPAA certification.
  • What is Zero-Data-Retention? ZDR is an addendum under which Anthropic does not store your inputs or outputs, except where law requires. It applies to eligible APIs and Claude Code for Enterprise.
  • Does Claude Fable 5 inherit the same HIPAA coverage? Claude Fable 5 runs on the same API and Enterprise surfaces, so it inherits the same BAA and certifications. Coverage still depends on your plan, a signed BAA, and using it through a covered, non-beta surface.
  • Can I use the Console or Workbench with PHI? No. The Console and Workbench are excluded from the BAA. Use the first-party API or HIPAA-ready Enterprise instead.
  • Does signing the BAA make my organization compliant? No. A BAA covers Anthropic's side only. You still need a risk analysis, access controls, audit logs, data-handling rules, and staff training on your side to meet HIPAA.

Get Claude Set Up for HIPAA the Right Way

Want to use Claude with PHI without the legal risk? Layer3 Labs helps healthcare teams pick the right plan, sign the BAA, and lock down the settings. Book a free 30-minute AI compliance review and get a clear, safe path forward.

Book Your Free Compliance Review