Fundamentals7 min read

Is ChatGPT Safe for Therapy? What Happens to What You Share

Not clinically: a “therapy” chat with ChatGPT has no professional privilege, falls outside HIPAA, and can be produced in court. What actually protects what you share.

By Pierre de ONYRI

No — not in the way you'd expect from care: a “therapy” conversation with ChatGPT is not confidential. OpenAI's CEO has acknowledged it publicly — talking to a therapist, a lawyer or a doctor is covered by a legally recognized professional privilege, but nothing equivalent exists for your exchanges with ChatGPT. Concretely: no professional privilege, no HIPAA protection for consumer accounts, conversations that are retained and possibly reviewed, and the possibility that they're produced in court. The tool can help you put words to what you feel; it is neither a therapist nor a confidential setting. The only reliable fix is to never enter details that can identify you.

Why a “therapy” chat isn't confidential

When you confide in a psychologist or a doctor, the law protects the exchange: that's professional privilege, tied to a care relationship. This framework doesn't exist with a consumer chatbot, which is neither a healthcare professional nor bound by a duty of confidentiality. OpenAI's CEO himself explained that, under current law, the company could be legally compelled to produce your conversations in a dispute or under a court order. A mental-health exchange entered into ChatGPT is therefore not shielded from being produced in court — unlike a protected clinical record.

Retention, review, court: what really happens to the content

Retention isn't neutral. On consumer accounts (Free, Plus, Pro), using conversations to train the models is on by default: you have to turn it off yourself in Settings → Data Controls (OpenAI Help Center — Data Controls FAQ). And that opt-out isn't retroactive: it erases neither past conversations nor data already absorbed into completed training runs, and copies may be kept for a time for security. Deleting a chat in the interface therefore doesn't instantly remove every trace. Humans can also access it: OpenAI says it scans messages and routes concerning cases — an imminent threat of serious physical harm — to a small team of reviewers, with the option of reporting to authorities (OpenAI — usage policies and safety review process).

This isn't just hypothetical. In the dispute between OpenAI and the New York Times, a federal judge ordered the company to hand over 20 million ChatGPT conversation logs (anonymized) to the plaintiffs; the judge affirmed the order in early 2026, rejecting OpenAI's confidentiality objections. The court noted that users had voluntarily submitted their messages and that OpenAI's legal ownership of the logs wasn't contested — in other words, procedurally, your messages don't belong to you the way a protected clinical record does.

Diagram: at top, a mental-health confidence in the clear (amber) goes to ChatGPT where it's retained, reviewed by a human and producible in court; at bottom, the same message anonymized leaves only tokens (cobalt) and a checkmark, nothing identifying to expose.
After TechCrunch (OpenAI CEO statements), Bloomberg Law (logs ordered in the New York Times litigation), the FTC (BetterHelp), and OpenAI's policies (Data Controls, safety review).

HIPAA doesn't cover personal “therapy” use

Many assume their “medical” exchanges are protected by HIPAA. For personal use, that's wrong. HIPAA (HHS.gov — HIPAA guidance, Mental Health FAQ) applies only to “covered entities” — healthcare professionals and organizations — and their business associates under a Business Associate Agreement (BAA). An app freely chosen by an individual, with no clinician involved, simply falls outside HIPAA's scope. And OpenAI offers a BAA only for a small set of enterprise/health products (API on eligible endpoints, ChatGPT Enterprise, ChatGPT Edu, a dedicated health offering): the consumer plans (Free, Plus, Team) have no BAA and cannot legally handle protected health information (HIPAA Journal — “Is ChatGPT HIPAA Compliant?”).

Mental-health data is among the most sensitive there is, and exposing it has already proven costly. The FTC banned BetterHelp — an online therapy service — from disclosing its users' health data for advertising, and imposed a $7.8 million penalty, after finding it shared emails, IP addresses and answers to health questionnaires with advertising platforms despite confidentiality promises. The FTC also faulted BetterHelp for a misleading use of HIPAA-evoking seals. The lesson: a reassuring badge is not real legal protection.

SettingProfessional privilegeCovered by HIPAAProducible in court
Therapist / doctorYesYes (clinician)Protected
Consumer ChatGPT (Free/Plus/Pro)NoNo (no BAA)Yes, possible
ChatGPT with upfront anonymizationNoN/A (no personal data)Nothing identifying to produce
Comparison across equal privacy dimensions. Consumer use offers neither professional privilege nor HIPAA protection; anonymizing upfront removes the stakes by stripping the identifying information.

What actually helps: talk without exposing yourself

Let's be honest: a tool like ChatGPT can help you put words to what you feel, clarify or rephrase it, prepare what you'll tell a real professional, or set down ideas at night. That's not nothing. But it doesn't replace a therapist and offers no confidential setting. Good hygiene means separating the benefit (finding the words) from the exposure (handing over identifying details).

  • For acute distress or suicidal thoughts, contact a professional or emergency service — not a chatbot.
  • Don't expect follow-up from ChatGPT: it doesn't know you, bears no duty of care, and has no obligation of secrecy.
  • Before sending, strip anything that identifies you: name, employer, address, dates, unique details.
  1. 1Turn off training in Settings → Data Controls: good basic hygiene, but it erases neither the past nor security retention.
  2. 2Anonymize the sensitive data before sending: replace identities and re-identifying details with neutral tokens.
  3. 3Restore the answer on your side if needed: you, not the AI, hold the link between the token and the real value.

That's exactly what ONYRI Sanitize is for: the engine replaces re-identifying details with reversible tokens before sending; detection and the token↔value mapping stay in your browser, and only anonymized text reaches ChatGPT. Whether a reviewer looks, the conversation is retained, or it's one day produced in court, there are only tokens to expose — not you.

Frequently asked questions

Is ChatGPT safe for therapy?
Not in a clinical sense. A “therapy” conversation with ChatGPT isn't confidential: there's no professional privilege, no HIPAA protection on consumer accounts, exchanges are retained and may be reviewed, and they can be produced in court. The tool can help you put words to what you feel, but it doesn't replace a therapist. The only reliable fix is to anonymize identifying details before sending.
Are my ChatGPT conversations confidential?
No, not legally. OpenAI's CEO has acknowledged that no confidentiality privilege applies to ChatGPT exchanges, unlike what covers a therapist or a lawyer. A court has already ordered OpenAI to hand over 20 million conversation logs in a lawsuit. So your messages can be retained, reviewed and produced in court.
Is ChatGPT HIPAA compliant for personal therapy use?
No. HIPAA only applies to healthcare professionals and their business associates under a Business Associate Agreement. An app freely chosen by an individual falls outside HIPAA's scope. OpenAI offers a BAA only for certain enterprise/health products; the consumer plans (Free, Plus, Team) have no BAA and cannot handle protected health information.

Sources & references

Keep your sensitive data in your browser

ONYRI Sanitize detects and masks your sensitive data before it reaches the AI, then restores the answer — from names to API keys.

Anonymize my prompt

Read next