Is it legal to put patient data into ChatGPT?
Pasting identifiable patient data into ChatGPT is, in most cases, a breach of the GDPR and medical confidentiality. What the law says, and the compliant path.
Pasting identifiable patient data into a consumer assistant like ChatGPT is, in most cases, a breach of medical confidentiality and data-protection law: the GDPR in the European Union (health is a “special category”), HIPAA in the United States. The professional — and their employer — face sanctions. The compliant path isn't to avoid AI, but to send it no identifying data: you anonymize first.
Health data: a strict legal regime
The GDPR prohibits processing health data as a matter of principle, save for framed exceptions (care, explicit consent…). Handing it to a third-party service with no legal basis and no contractual framing falls outside those exceptions. In the United States, HIPAA has the same effect: sending identifiable health information to an uncovered third party is an unauthorized disclosure. On the threads where the question comes up, professionals answer bluntly: “it's 100% a violation.”
Why a personal account isn't compliant
An individual account, free or paid, comes with no commitment suited to processing health data. For a use to be defensible, you need a contractual framework with the provider (in the US, a “BAA” — Business Associate Agreement; in the EU, an Article 28 GDPR processing agreement) and the matching technical guarantees. Without that, the plan doesn't matter: the data left with no basis.
- No suitable processing agreement = no basis to process health data.
- Professional confidentiality doesn't depend on the channel: a third-party AI is still a third party.
- A “paid” plan isn't a “compliant” plan without contractual framing and guarantees.
- The risk falls on the person who pasted, and on the organization that employs them.
If the data has already left
A colleague already pasted a file into an AI? Treat it as a personal-data breach: document the incident, assess its scope, and check the notification duty. In France, a breach likely to create a risk must be notified to the CNIL, in principle within 72 hours, and the people concerned informed if the risk is high. The next reflex: tool up anonymization so it can't happen again.
The compliant path: never send an identifier
1. Detection: the engine spots identity, care identifiers and re-identifying elements.
2. Tokenization: each element becomes a neutral token, kept in local memory.
3. Sending: only the anonymized text reaches the AI — no identifiable health data transits.
4. Restoration: the answer is de-tokenized in your browser, tied to the right file.
ONYRI Sanitize detects a file's identifying data — identity, social-security number, contact details, medical elements — and restores the answer in your browser. Health professionals keep AI's help to rephrase or summarize, on the right side of the law.
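The four steps above, as an added illustration that is not ONYRI Sanitize's own code: a small Python pipeline tokenizes a patient record, hands only the tokenized text to a stand-in for the AI call, and de-tokenizes the answer locally while the token map never leaves the caller. The regexes, the sample record and `fake_model` are constructed for this example; the identity is matched from a name list supplied by the caller.

```python
import re
from typing import Callable, Dict, Tuple

# Constructed detectors for this example (not ONYRI's engine): a French
# social-security number (NIR), an e-mail address and a French phone number.
PATTERNS = {
    "NIR": r"\b[12] ?\d{2} ?(?:0[1-9]|1[0-2]) ?\d{2} ?\d{3} ?\d{3} ?\d{2}\b",
    "EMAIL": r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b",
    "PHONE": r"\b0[1-9](?:[ .]?\d{2}){4}\b",
}

def tokenize(text: str, known_names=()) -> Tuple[str, Dict[str, str]]:
    """Steps 1 and 2: detect identifiers and swap each for a neutral token.
    The token -> value map is returned to the caller and stays local."""
    alts = []
    if known_names:  # identity taken from the record itself, matched first
        alts.append("(?P<NAME>" + "|".join(re.escape(n) for n in known_names) + ")")
    alts += [f"(?P<{k}>{v})" for k, v in PATTERNS.items()]
    pattern = re.compile("|".join(alts))
    mapping: Dict[str, str] = {}
    counters: Dict[str, int] = {}

    def repl(m):
        value = m.group(0)
        for tok, orig in mapping.items():  # same value -> same token
            if orig == value:
                return tok
        counters[m.lastgroup] = counters.get(m.lastgroup, 0) + 1
        tok = f"<<{m.lastgroup}_{counters[m.lastgroup]}>>"
        mapping[tok] = value
        return tok
    return pattern.sub(repl, text), mapping

def restore(answer: str, mapping: Dict[str, str]) -> str:
    """Step 4: put the real values back into the model's answer, locally."""
    return re.sub(r"<<[A-Z]+_\d+>>", lambda m: mapping.get(m.group(0), m.group(0)), answer)

def sanitize_and_query(record: str, known_names, model: Callable[[str], str]) -> Tuple[str, str]:
    """Step 3: only the tokenized prompt is handed to `model` (the AI call)."""
    prompt, mapping = tokenize(record, known_names)
    return prompt, restore(model(prompt), mapping)

# Constructed sample record; the "model" is a stand-in that answers with tokens.
RECORD = ("Patient: Marie Dupont, NIR 2 85 05 75 123 456 78, tel 06 12 34 56 78, "
          "marie.dupont@example.org. Summarize: Marie Dupont reports chest pain since Monday.")

def fake_model(prompt: str) -> str:
    return "Summary: <<NAME_1>> (<<NIR_1>>) reports chest pain since Monday."
```

Calling `sanitize_and_query(RECORD, ("Marie Dupont",), fake_model)` returns the prompt that actually left (tokens only) and the restored answer with the real values back in place.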
Frequently asked questions
- Is it illegal to put patient data into ChatGPT?
- In most cases, yes: it breaches medical confidentiality and, absent a legal basis and framing, the GDPR (health data = special category) or HIPAA in the US. The fix isn't avoiding AI, but sending it no identifying data.
- Does the paid $20 plan fix the problem?
- No. A paid plan isn't a “compliant” plan: to process health data you need a suitable contractual framework (a BAA in the US, an Article 28 GDPR processing agreement in the EU) and technical guarantees. Without that, the price doesn't change the data's legal status.
- A colleague already did it — what should I do?
- Treat it as a data breach: document (who, what, when), assess the risk and check the notification duty (in France, the CNIL within 72 hours in principle, and inform individuals if the risk is high). Then put anonymization in place to prevent a repeat.