Realizing that many people still fundamentally misunderstand HIPAA and PHI:
1. First, you really only need to worry about the specifics of HIPAA if you are a "covered entity" under the law (primarily a hospital or other healthcare provider, or a health insurer), or if you have signed a BAA with another company (more on that below). There are all sorts of misunderstandings, for example that you can't say something like "Jane couldn't make the meeting because she's out with the flu" at a company - that's not how it works. Unless you're a covered entity, you're under no obligation to keep PHI private under HIPAA.
2. If you do work at a HIPAA covered entity, it usually is made explicitly clear where patient data is or is not allowed. Even if GitHub Copilot were "HIPAA Compliant", unless they signed a HIPAA BAA (business associate agreement) with your company, it's still not OK to send them any PHI.
Point being, there are plenty of reasons to be worried about customer privacy and data security, but people like to bring up HIPAA rules in lots of situations where they simply don't apply.
> Copilot for Business does not retain any telemetry or Code Snippets Data.
https://docs.github.com/en/copilot/configuring-github-copilo...