HIPAA is a self-certification. You can claim compliance simply by following the rules. Therefore, you're either HIPAA compliant or you're not. I have never heard anyone describe it as being HIPAA-eligible.
HITRUST is a third party audit with higher standards than HIPAA. That is not a self-attestation.
I’ve spent a bunch of time in this space. Most of the major players offer HIPAA compliant services and sign BAAs. As of now, I don’t believe OpenAI offers a BAA, so this is dead in the water.
Well, HIPAA can be self-certified, but that probably won't stand up in court so most organizations will pay a third-party provider to perform the certification for them. That also lets you see the gaps, because HIPAA is big.
Here's AWS's list of HIPAA-eligible services. HIPAA-eligible is technology provider specific:
* they may be HIPAA-compliant (i.e. they fulfill the requirements),
* they haven't gone through a HIPAA certification (no third-party cert),
* they aren't using services that aren't HIPAA-certifiable
The latter point is important, because there are some services (i.e. Firebase) that apparently won't be HIPAA compliant. Some services are HIPAA-compliant if configured correctly. AWS has a list. I believe Google does too.
There are a bunch of HIPAA guides out there.
So as a demo, it's not a big deal. But if they start selling this they need at least to be HIPAA-compliant with certification on the roadmap.