Is it safe to share {X} with {Y}?

No, it is not safe to share medical records with ChatGPT under normal circumstances. When you enter information into ChatGPT, OpenAI may retain that data for up to 30 days for safety review and model improvement unless specific API agreements are in place. Medical records contain protected health information that, once entered, leaves your direct control and enters third-party infrastructure without HIPAA-compliant safeguards by default.

Why this matters

  • OpenAI's standard consumer platform is not a HIPAA-covered entity, meaning there is no Business Associate Agreement protecting your medical data by default.
  • Prompts entered into ChatGPT can be reviewed by human trainers as part of OpenAI's safety and quality processes, exposing sensitive diagnoses, medications, or treatment histories to third parties.
  • Data submitted through the consumer interface may be used to improve future model versions, creating a persistent risk that medical details persist beyond the original session.

For enterprise

Employees who submit patient or personal medical records into ChatGPT outside of IT-approved, HIPAA-compliant tools expose their organization to serious regulatory liability under HIPAA and equivalent frameworks. This includes internal HR medical records, patient intake data, or clinical notes shared informally to speed up documentation tasks. Most enterprise data governance and acceptable use policies explicitly prohibit this, and violations can trigger mandatory breach notification requirements.

Compliances at risk

What counts as Medical Records?

  • Medical histories
  • Clinical notes
  • Hospital records
  • Treatment records
  • Electronic health records (EHRs)

Why people share Medical Records with ChatGPT

  • To summarize patient history
  • To review treatment information
  • To prepare referrals
  • To generate clinical documentation

What actually happens when you paste Medical Records into ChatGPT

When you paste Medical Records into ChatGPT, that data is transmitted from your device to external servers operated by the AI provider.

Depending on system configuration and policies, the data may be logged, temporarily stored, or reviewed for safety and quality purposes. Retention can last from days to weeks, and in some cases may extend beyond the immediate session.

Statements such as “we do not train on your data” do not eliminate risks related to retention, logging, or internal access. These controls vary by product and setting, and are not always visible to end users.

From a governance perspective, any non-zero retention window introduces exposure risk when sensitive data is shared without controls, auditability, or enforcement.

Risks of sharing Medical Records with ChatGPT

  • Patient privacy violations: Protected health information may be exposed without authorization.
  • Regulatory penalties: Improper disclosure can violate healthcare privacy regulations such as HIPAA.
  • Medical identity theft: Health records can be exploited for insurance fraud or identity misuse.

Real incidents

Is this allowed under policy or law?

Context Is it safe?
Personal experimentation No
Business use No
Regulated industry Definitely not
With redaction Rarely

Safer ways to handle Medical Records

Medical Records should not be shared with consumer AI tools without controls in place. If AI assistance is required, organizations should use systems that enforce data redaction, access controls, and policy enforcement before data leaves their environment.

  • Automatically redact sensitive fields before sending data to AI models
  • Prevent unauthorized data from being entered into external tools
  • Maintain audit logs and visibility into how data is used
  • Ensure compliance with frameworks like GDPR, CCPA, and SOC 2

Platforms like Wald are designed to enable safe AI usage by ensuring sensitive data never leaves your control unprotected.

How Wald.ai handles this safely

Wald adds a governance layer to AI usage, helping organizations monitor and control how sensitive data like Medical Records is shared.

AI DLP

Identifies Medical Records in context and enables teams to:

  • Observe AI usage
  • Detect sensitive data in prompts
  • Allow, warn, or block actions
  • Maintain audit logs

LLM Pack

Provides controlled access to multiple AI models (ChatGPT, Claude, Grok, and others) through a single governed environment.

  • Centralized model access
  • Policy enforcement
  • Usage visibility
  • Auditability

Frequently Asked Questions

Is it safe to share Medical Records with ChatGPT?
No. Medical Records should not be shared with ChatGPT. Exposure can create security, privacy, or compliance risks, and once submitted there may be limited control over retention, logging, or downstream processing.
What happens when Medical Records is entered into ChatGPT?
The data is transmitted to the AI provider's infrastructure for processing. Depending on the service and configuration, it may be temporarily stored, logged, or retained for security and operational purposes.
Can ChatGPT retain Medical Records after a conversation ends?
ChatGPT providers may temporarily retain prompts and responses for security, abuse monitoring, or operational purposes. Depending on the platform and settings, Medical Records may remain stored beyond the immediate session. In some cases, submitted data may be retained for up to 30 days before deletion. Organizations should assume that any sensitive information shared with AI systems could persist beyond the active conversation.
Does ChatGPT train on Medical Records?
Some AI providers allow organizations to disable training on submitted data, while others may use interactions to improve services. Even when training is disabled, Medical Records may still be processed, logged, or retained according to provider policies.
What happens if Medical Records is accidentally shared with ChatGPT?
Once submitted, organizations may have limited visibility into how the information is retained, processed, or accessed. The appropriate response depends on the sensitivity of the data, internal policies, and incident response procedures.
Why do traditional DLP solutions struggle to identify Medical Records in AI prompts?
Traditional DLP tools rely heavily on pattern matching and predefined rules. AI prompts often contain fragmented, transformed, or contextual information that can be difficult to classify accurately. Context-aware AI DLP solutions can evaluate surrounding context to better distinguish between similar data types and reduce false positives and false negatives.
blog-cta-image
Secure Your Employee Conversations with AI Assistants
Book A Demo