HIPAA

HIPAA at SiteGPT

The current status of HIPAA compliance and BAA availability at SiteGPT, straight from the source.

Current status

Last Updated: July 2026

This page is the authoritative source for HIPAA availability at SiteGPT. If you have read elsewhere that SiteGPT offers Business Associate Agreements (BAAs) on all paid plans, that is not accurate: BAAs are an Enterprise plan feature. The details are below.

What is true today

  • SiteGPT has been assessed for HIPAA compliance by DPLMC International, covering HIPAA security and privacy safeguards.
  • We have completed a SOC 2 Type II examination with zero exceptions noted across all tested controls.
  • We are GDPR certified by DPLMC International.
  • All data is encrypted in transit (TLS 1.2+) and at rest.
  • Your data is never used to train AI models, by us or by our AI subprocessors.
  • Our full subprocessor list is published at /legal/subprocessors.

Business Associate Agreements

BAAs are available for Enterprise plan customers and are executed as part of enterprise onboarding. Before we sign yours, we complete signed BAA coverage across every vendor that touches Protected Health Information (PHI) in your deployment, because anything less would not genuinely protect you. That diligence is part of onboarding, not an extra you have to ask for.

Our standard BAA is published at /legal/baa, where your legal team can review it and download a copy prefilled with your organization's details. Most customers sign it as-is; it includes Security Rule safeguards, defined breach notification timelines, full subcontractor flow-down, and a commitment that PHI is never used to train AI models.

To request a BAA, email bhanu@sitegpt.ai with a short note about your organization and use case, and we will scope your deployment together.

How BAA onboarding works

  1. Request: email us with your organization and use case.
  2. Scoping: we confirm your deployment together, including which content sources and features will carry PHI.
  3. Legal review: your team reviews our standard BAA from /legal/baa.
  4. Execution: both parties sign; we countersign only after signed BAA coverage across the full PHI vendor chain for your deployment is in place.
  5. Enablement: we enable HIPAA processing for your account and confirm in writing. Only after this confirmation should PHI flow through your chatbot.

What this means for PHI

Until a BAA is executed for your account, do not submit PHI through SiteGPT. This includes chatbot training content, end-user conversations, uploaded files, and lead capture. This is a condition of our Terms and Conditions.

After your BAA is executed, PHI is scoped to end-user conversations: patients and visitors can share PHI while chatting with your bot, and that conversation data is protected under the BAA. Chatbot training content (your website pages, uploaded documents, Q&A entries) must remain free of PHI. For nearly every healthcare chatbot this is the natural shape of the deployment anyway: the knowledge base is your public service information, and PHI only ever arrives in the conversation. Keeping training content PHI-free is what lets us keep the PHI vendor chain minimal (see the subprocessor list).

If you run a healthcare organization and want to use SiteGPT today for content that contains no PHI (public website FAQs, scheduling guidance, service information), that use is fully supported.

Frequently asked questions

Which plans include a BAA?

BAAs are available on the Enterprise plan. They are not available on Starter, Growth, or Scale today. A self-serve HIPAA tier is planned; email us if you want to be notified when it ships.

Will the BAA cover the AI models you use?

Yes. The entire PHI processing chain for your deployment, including our AI providers, operates under signed agreements before we execute your BAA.

What is the timeline?

BAAs are executed during enterprise onboarding. Timelines depend on your deployment's requirements; contact us and we will scope it with you.

Questions

Email bhanu@sitegpt.ai to request a BAA, or support@sitegpt.ai for anything else.