Glossary

HIPAA AI under a BAA

A HIPAA-compliant AI deployment rests on the signed agreement and the tenancy the model runs inside.

HIPAA AI under a BAA is AI made HIPAA-compliant by a signed Business Associate Agreement covering the tenancy that processes protected health information, not by the model itself. Anthropic signs a BAA for Claude Enterprise and the API. Consumer tiers like Claude.ai Free and Pro are not covered.

The mistake regulated teams make is reading model quality as compliance. A model can write a flawless clinical narrative and still leave you exposed if the PHI passed through a tenancy with no BAA behind it. The agreement is what assigns legal responsibility for that data to the vendor. Skip it and every disclosure of PHI to that tenancy is an impermissible disclosure, which is itself a reportable breach.

The BAA is the legal floor, not the whole building. On top of it you scope access to the minimum data each task needs, keep an audit trail, and put a named person on every output. That is the same discipline behind audit-ready AI agents, and it is how we set up our security posture and regulatory affairs work.

Common questions

Does Anthropic sign a BAA?

Yes, for Claude Enterprise and the Anthropic API. A signed Business Associate Agreement lets protected health information be processed in that tenancy. The consumer Claude.ai Free and Pro tiers are not covered by a BAA, so PHI does not belong there.

Does the BAA make the AI compliant on its own?

No. The BAA is the legal floor. You still need access scoped to the minimum data the task needs, an audit trail, and a named person accountable for each output. HIPAA compliance comes from how the tenancy is built and run, not from the model.
