Is GPT-5.6 HIPAA Compliant?

An honest look at OpenAI's GPT-5.6, business associate agreements, and the preview-access trap that can leave protected health information uncovered.

GPT-5.6 can be used in a HIPAA-compliant way, but only if you sign OpenAI's Business Associate Agreement (BAA) and the specific model is named in scope. The model alone does not make you compliant.

There is one catch that trips teams up. GPT-5.6 launched on June 26, 2026 as a limited preview to a small set of vetted organizations, opened this way at the US government's request. So you must confirm your BAA covers the preview model before you send any protected health information (PHI).

Healthcare teams assume a platform-level BAA covers every model OpenAI ships. It does not. Coverage applies only to models named in scope, and a preview model may not be listed yet.

Reviewed by Jonathan West, Founder of Layer3 Labs, on July 5, 2026. We research using primary vendor and regulator sources.


The Honest Answer

GPT-5.6 can be part of a HIPAA-compliant workflow, but only after you sign OpenAI's BAA and confirm the model is in scope. No AI model is HIPAA compliant on its own.

OpenAI signs a BAA for eligible services, which covers its Zero Data Retention API and ChatGPT Enterprise. But a BAA covers the models named in your agreement, not automatically every new model OpenAI releases.

GPT-5.6 is in limited preview right now. Do not assume your existing OpenAI BAA already covers it. Confirm the preview model is named in scope, in writing, before any PHI touches it.

  • No model is HIPAA compliant by itself
  • OpenAI signs a BAA for its Zero Data Retention API and ChatGPT Enterprise
  • A BAA covers only the models named in scope
  • GPT-5.6 preview may not be in scope yet — confirm in writing
GPT-5.6 is not HIPAA compliant by default. It can be used with PHI only after a signed OpenAI BAA that names the preview model in scope.

Want help confirming your OpenAI BAA names GPT-5.6 in scope before you use it with PHI under HIPAA?

Book a Consultation

What HIPAA Requires of an AI Vendor

HIPAA requires a signed BAA plus real safeguards before any vendor can handle PHI. A BAA is the contract that makes the vendor legally responsible for protecting patient data.

The safeguards matter as much as the contract. HHS requires access controls, audit logging, breach reporting, and limits on how the vendor may use or disclose the data. For AI, that also means the vendor must not train its models on your PHI.

These rules apply to the model provider the same way they apply to any other vendor. The model being powerful or new does not change what HIPAA asks of it.

  • A signed BAA before any PHI is sent
  • Access controls and audit logging
  • Breach reporting duties defined in the contract
  • No training on your PHI

OpenAI's Compliance Baseline

OpenAI holds the core certifications healthcare buyers look for, including SOC 2 and ISO 27001. It also maintains a Trust Portal where you can review its controls.

OpenAI signs a HIPAA BAA on its API and Enterprise products once a model is in scope. Coverage runs through the Zero Data Retention API and ChatGPT Enterprise, and business data is not used to train its models.

That baseline is solid, but it is a platform baseline. It confirms OpenAI can support HIPAA in general. It does not confirm that a specific model like GPT-5.6 is covered for you today.

  • SOC 2 and ISO 27001 in place
  • HIPAA BAA on API and Enterprise once a model is in scope
  • Covered through the Zero Data Retention API and ChatGPT Enterprise
  • Business data is not used for model training
OpenAI's certifications prove the platform can support HIPAA. They do not prove GPT-5.6 is in scope on your account — that is a separate check.

The Preview-Access Caveat (The Real Gotcha)

GPT-5.6 is in limited preview, and a model not yet named in your BAA is not covered. This is the specific compliance trap on this page.

OpenAI released GPT-5.6 on June 26, 2026 to a small set of vetted organizations through the API and Codex, opened at the US government's request. General availability is planned in the coming weeks. During a preview, the model may not appear in your BAA's in-scope list.

So the platform-level BAA you already signed may not extend to GPT-5.6 yet. Email OpenAI at baa@openai.com and confirm the preview model is named in scope before you send PHI. Get the confirmation in writing.

  • GPT-5.6 launched June 26, 2026 as a limited preview
  • Preview access opened at the US government's request
  • A model not named in your BAA is not covered
  • Confirm scope in writing before any PHI
The trap: teams assume a platform BAA covers every model. It does not. A preview model is not covered until it is named in scope on your account.

Sol, Terra, and Luna: Confirm the Tier You Use

GPT-5.6 ships in three tiers, and your BAA needs to cover the exact tier and access route you use. The tiers are Sol, Terra, and Luna, priced from higher to lower.

Sol runs $5 input and $30 output per million tokens, Terra runs $2.50 and $15, and Luna runs $1 and $6. A team may test on one tier and deploy on another, which changes what your BAA must name.

When you confirm scope with OpenAI, name the tier and the access path, whether that is the API or Codex. Do not assume coverage of one tier extends to the others.

  • Sol: $5 input / $30 output per million tokens
  • Terra: $2.50 input / $15 output per million tokens
  • Luna: $1 input / $6 output per million tokens
  • Confirm the BAA names your exact tier and access route

A Safe-Use Checklist for Clinics and Practices

Follow a short checklist before GPT-5.6 sees any patient data. Each step closes a gap that a preview model can leave open.

Start by confirming the BAA is signed and that GPT-5.6 is named in scope for your tier and access route. Then confirm you are on the Zero Data Retention API and that data is not used for training.

Until every box is checked, keep PHI out of the model. You can still use GPT-5.6 or a covered model for tasks that contain no patient data, so your team can learn the tool while the paperwork clears.

  • Confirm a signed OpenAI BAA is in place
  • Confirm GPT-5.6 is named in scope for your tier and access route
  • Confirm you are on the Zero Data Retention API
  • Confirm data is not used for training
  • Keep all PHI out until every box is checked
One careless paste of patient data into an out-of-scope preview model can create a reportable breach. Check scope before, not after.

When to Prefer a GA Model With a Confirmed BAA

Prefer a generally available model with a confirmed BAA when you need to send PHI now and cannot wait for preview scope to clear. A GA model removes the preview uncertainty entirely.

Claude Fable 5 is a strong option here. Anthropic offers a HIPAA BAA on its API and Enterprise plans, holds SOC 2, ISO 27001, and ISO 42001, and Fable 5 returned to worldwide general availability on July 1, 2026. Note that Fable 5 carries a mandatory 30-day safety retention on business accounts, so full zero-data-retention is not available.

The decision rule is simple. If your work with PHI cannot wait, use a GA model whose BAA you have confirmed. Save GPT-5.6 for non-PHI tasks until its preview scope is settled on your account.

  • Choose a GA model with a confirmed BAA when PHI cannot wait
  • Claude Fable 5 offers a HIPAA BAA on API and Enterprise
  • Fable 5 holds SOC 2, ISO 27001, and ISO 42001
  • Use GPT-5.6 for non-PHI tasks until preview scope clears
If you must move regulated data today, a GA model with a confirmed BAA beats a preview model whose scope you are still chasing.

The Bottom Line

GPT-5.6 can be HIPAA compliant, but only with a signed OpenAI BAA that names the model in scope. The model by itself does not make you compliant.

The preview status is the risk to manage. A model not yet named in your BAA is not covered, and GPT-5.6 is in limited preview right now.

Confirm scope in writing, use the Zero Data Retention API, and keep PHI out until every check clears. When in doubt, use a GA model with a confirmed BAA instead.

  • The model alone does not make you compliant
  • A signed BAA that names GPT-5.6 does the work
  • Preview scope is the specific trap to avoid
  • Prefer a confirmed-BAA GA model when PHI cannot wait

Frequently Asked Questions

  • Not by itself. GPT-5.6 can be used in a HIPAA-compliant way only after you sign OpenAI's BAA and the model is named in scope. Because GPT-5.6 is in limited preview, confirm it is covered in writing before sending any PHI.
  • Yes. OpenAI signs a HIPAA BAA for eligible services, which cover its Zero Data Retention API and ChatGPT Enterprise. Request one by emailing baa@openai.com. A BAA covers the models named in scope, not automatically every model OpenAI releases.
  • Only if your BAA names the preview model in scope for your tier and access route. GPT-5.6 launched as a limited preview on June 26, 2026, and a platform-level BAA may not cover it yet. Confirm scope in writing first.
  • Do not assume so. A BAA covers the models named in scope on your account, and a preview model may not be listed. Email baa@openai.com and confirm GPT-5.6 is in scope before any PHI touches it.
  • Name the exact tier and access path you use — Sol, Terra, or Luna, through the API or Codex. Coverage of one tier does not automatically extend to another, so confirm the tier you deploy on is in scope.
  • OpenAI states business data is not used to train its models, and the Zero Data Retention API is the eligible path for PHI. Confirm zero data retention is enabled for your account and access route in writing.
  • Use a generally available model with a confirmed BAA. Claude Fable 5 offers a HIPAA BAA on its API and Enterprise plans and is worldwide GA. Keep GPT-5.6 for tasks that contain no patient data until preview scope clears.
  • Check OpenAI's Help Center article on getting a BAA and its Trust Portal, and confirm scope with baa@openai.com. For the HIPAA rules themselves, rely on HHS.gov, not third-party summaries.

Not sure if your OpenAI BAA covers GPT-5.6?

Layer3 Labs helps clinics and practices use AI within HIPAA. Book a free AI workflow audit and we will help you confirm BAA scope, data settings, and a safe workflow for GPT-5.6.

Book a Free AI Workflow Audit