How can you use large language models and stay HIPAA or GDPR compliant?

If you are developing an application that needs to interpret free-text medical notes, you might be interested in getting the best possible performance by using OpenAI, Gemini, Claude, or another large language model. But to do that, you would need to send sensitive data, such as personal healthcare data, into the third party LLM. Is this allowed?

Fortunately, it is possible to use LLMs for sensitive data. You just need to ensure a few boxes are checked.

Generally, you are not safe to paste sensitive data into the browser version of a large language model such as GPT. You would not have the guarantee that the company running the LLM will not store your data or use it for training.

However, if you set up a deployment of the relevant model, you can use it and be sure that the data is safe.

What is HIPAA?

The Health Insurance Portability and Accountability Act, or HIPAA, is the main healthcare privacy law that you will need to be aware of if you are processing data in the US. HIPAA is a U.S. federal law designed to keep protected health information (PHI) from being disclosed without the patient’s consent or knowledge. HIPAA ensures that doctors, hospitals, and insurance companies keep patient data safe, while also giving patients the right to see their own records.

HIPAA applies to “Covered Entities” (doctors, insurers) and their “Business Associates” (billing companies, IT) within the U.S. healthcare system. If you are developing a healthcare application for the US market, you will be likely considered a Business Associate and need to sign a Business Associate Agreement (BAA).

How does HIPAA compare to GDPR?

If you are processing personal data of people living in the UK or EU, you will need to be aware of your obligations under GDPR, the General Data Protection Regulation. While HIPAA and GDPR both aim to protect sensitive information, they are built on fundamentally different philosophies. HIPAA is a specialised law for the American healthcare industry, while GDPR is a broad “human rights” law for all personal data in the EU.

GDPR applies to any organisation anywhere in the world that processes the personal data of people living in the EU or UK. If a Londoner uses a U.S.-based app, that app must follow GDPR.

One way in which GDPR is stricter than HIPAA is in the “right to be forgotten”. If a user requests their data be deleted, you are responsible for removing that data from any storage and ensuring its permanent deletion.

Staying HIPAA compliant with OpenAI via Microsoft Azure

To use OpenAI and remain HIPAA compliant, one of the simplest approaches is to use OpenAI via a Microsoft Azure account. At present, using the OpenAI API provided directly by OpenAI rather than via Microsoft Azure is not HIPAA compliant. There are also separate products such as ChatGPT for Healthcare which offer HIPAA compliance.

You need to have an organisational account with Microsoft Azure, and you can create a deployment of OpenAI in your Azure account. This deployment should be located in the USA. You can then connect up your application to the API endpoint within your Microsoft Azure account.

If you use Microsoft Azure, you will be covered by a Business Associate Agreement (BAA) between Microsoft and your organisation, which is an essential requirement of HIPAA compliance.

To ensure that your entire application is HIPAA compliant, you need to ensure that:

1. The connection is authenticated and HTTPS secured.
2. The application is located within the US.
3. You are only using OpenAI for text processing, not for images or PDFs, as only the OpenAI text processing endpoint is certified for HIPAA. You cannot pass any PDFs to Azure OpenAI, you have to convert them to text first using other tools, such as Apache Tika.
4. Your application does not cache inputs.
5. You need to set up access control, audit logs, data retention/deletion, and disaster recovery.

Staying HIPAA compliant with AWS and other cloud providers

Amazon Web Services (AWS) offers a similar service called Amazon Bedrock, where you can build a HIPAA compliant application and be covered by a signed Business Associate Agreement (BAA) with AWS.

Staying HIPAA compliant with on-premises hosting

Another way of keeping on the right side of HIPAA is to use an on-premises or self hosted solution. Instead of using a closed source model like OpenAI, you can host your own version of an open-weights model like DeepSeek.

Since you are in control of all servers in this scenario, you only need to take the usual steps to ensure HIPAA compliance, such as no caching, secure connections, but you don’t need to worry about the aspects of compliance that are associated with an external provider like OpenAI.

What about GDPR compliance?

The above Azure and AWS solutions can also be made to be GDPR compliant, but like HIPAA, you must fulfil certain responsibilities to remain GDPR compliant. AWS and Microsoft provide the secure infrastructure, but you are responsible for how you handle personal data within it.

Instead of a Business Associate Agreement, under GDPR, you must have a formal agreement with any “Data Processor” (like AWS). The AWS GDPR Data Processing Addendum is automatically included in the AWS Service Terms.

GDPR also often requires that data stays within the EU or a country with “adequate” protections, so you would need to deploy the large language model in the appropriate region such as the UK or Ireland.

Comparison between HIPAA and GDPR

Products for specific use cases

In addition to using the regular general-purpose large language models, the big tech companies have developed products for particular purposes. For example, if your goal is clinical documentation (like transcribing doctor-patient visits), AWS offers a specialized service called AWS HealthScribe, which is powered by Bedrock. It is specifically designed to be HIPAA-compliant for medical note generation.