Is Claude HIPAA Compliant? 2026 Guide (BAA, Code, Cowork, Enterprise)
Anthropic offers a HIPAA BAA on Claude API and Claude Enterprise — but not Pro, Team, Cowork, or Claude Code on personal plans. Here's exactly what's covered, what isn't, and how to protect PHI across every Claude product.
Anthropic will sign a HIPAA Business Associate Agreement (BAA) — but only for two surfaces: the Claude API (first-party) and sales-assisted Claude Enterprise plans (including legacy seat-based and AWS Marketplace SKUs). The Primary Owner has to opt in via Organization Settings, and HIPAA enablement is a one-way decision.
Not covered by Anthropic's BAA: Claude Free, Pro, Max, Team, self-serve Enterprise, Cowork, Claude Code (even bundled with HIPAA-ready Enterprise), Workbench, Console, Claude in Office, Claude Design, and most research previews. Using any of these with PHI is a HIPAA violation regardless of how careful the user is.
Claude on AWS Bedrock is HIPAA-eligible under an AWS BAA — a separate path that keeps data inside AWS and never sends it to Anthropic. For many healthcare teams, this is the cleanest deployment.
Even with a BAA, the BAA only covers Anthropic's side. It does not stop a clinician from pasting a patient's record into Claude, does not redact PHI inside uploaded PDFs or screenshots, and does not produce the audit evidence a HIPAA auditor will actually ask for. A second layer is required.
Strac sits at that second layer. Browser DLP redacts PHI from Claude AI prompts before submission. MCP DLP intercepts PHI inside the documents and tools Claude Cowork reads from local file systems — which matters because Cowork is explicitly excluded from Anthropic's BAA.
✨ Is Claude HIPAA Compliant? The Direct Answer
Claude can be used in a HIPAA-compliant way — but only on specific Anthropic products, only under a signed Business Associate Agreement, and only when the customer adds an additional layer of data protection that controls what PHI ever reaches Claude in the first place.
Anthropic itself does not make Claude HIPAA-compliant by default. It offers HIPAA-ready services — a specific set of products, configurations, and contractual protections — that enable covered entities and business associates to deploy Claude in line with HIPAA's Security Rule. The rest is the customer's responsibility under the HIPAA shared-responsibility model.
The two questions that actually matter for healthcare teams in 2026:
Which Claude product are you using? Some products are HIPAA-eligible under Anthropic's BAA. Most are not.
What stops PHI from reaching Claude in the first place? A BAA is a legal instrument; it does not prevent a clinician from pasting a patient's chart into Claude. The HIPAA minimum-necessary standard (45 CFR 164.502(b)) is a technical control you are expected to enforce, not a policy you can paper over.
The rest of this guide covers each Claude product individually, the AWS Bedrock alternative, the gap a BAA does not close, and the practical deployment checklist.
A HIPAA-grade Claude deployment requires more than a signed BAA — the underlying technical control is preventing PHI from reaching the model in the first place. Strac's Browser DLP redacts PHI inline before the prompt is submitted.
✨ What Anthropic's HIPAA BAA Actually Covers
This is the table every healthcare buyer wishes Anthropic published on a single page. Sourced directly from Anthropic's privacy center as of May 2026.
| Claude product / surface | Anthropic BAA available? | Notes |
|---|---|---|
| Claude API (first-party) | Yes — HIPAA-ready | Requires signed BAA. Specific configuration requirements apply (zero-retention settings, feature limitations). |
| Claude Enterprise (sales-assisted, usage-based billing) | Yes — admin must opt in | The Primary Owner enables HIPAA from Organization Settings > Data and Privacy. |
| Claude Enterprise (legacy seat-based SKU) | Yes — admin must opt in | Same HIPAA enablement flow as sales-assisted Enterprise. |
| Claude Enterprise on AWS Marketplace | Yes — admin must opt in | Eligible for HIPAA enablement. |
| Self-serve Claude Enterprise | No — must contact account team | Self-serve Enterprise cannot enable HIPAA via the standard in-app flow. |
| Claude Pro | No | Personal subscription. Cannot be used with PHI. |
| Claude Team | No | |
| Claude Free | No | |
| Claude Max | No | |
| Claude Workbench / Console | No | Web playground tools — outside BAA scope. |
| Claude Cowork | No — "not yet available for any HIPAA-ready Enterprise plans" | The agentic desktop product. Reads local files, reaches into Slack / Drive / Gmail / Notion / Jira via MCP. Not covered — see the dedicated section below. |
| Claude Code (bundled with Enterprise) | No — explicitly excluded | "Claude Code bundled seats are not currently covered as part of the HIPAA-ready offering... only the chat functionality is covered." |
| Claude Design | No | |
| Claude in Office | No | Beta — not in scope. |
| Claude on AWS Bedrock | N/A — covered by AWS BAA | A separate compliance path. Data stays in AWS, never reaches Anthropic. |
| Claude on Google Vertex AI | N/A — covered by Google Cloud BAA | Same model as AWS — third-party-hosted Claude under the cloud provider's BAA. |
Four things worth flagging that healthcare teams routinely get wrong:
An Enterprise contract is not automatically a HIPAA contract. The default Enterprise plan does not include BAA coverage. The Primary Owner must navigate to Organization Settings > Data and Privacy > HIPAA Compliance, review the BAA, review the Implementation Guide, and click Accept and enable HIPAA.
Enabling HIPAA is a one-way decision. Per Anthropic: "This is a one-way decision." Once enabled, the workspace cannot be flipped back to non-HIPAA mode without contracting changes. It also resets certain settings across the organization.
BAAs signed after December 2, 2025 can cover both Claude API and Enterprise usage under a single agreement, simplifying the contracting flow for organizations using both.
The BAA covers Anthropic's processing of your data, not your users' behavior. Anthropic's BAA does not redact a screenshot of a patient record before it's uploaded. It does not prevent a user on the wrong plan from accessing the same Claude conversation. Those are customer responsibilities — and the gap most healthcare deployments overlook.
Is Claude AI HIPAA Compliant? (The Claude.ai Web App)
Claude AI — the consumer-facing chat product at claude.ai — is not HIPAA compliant on the Free, Pro, Max, or Team plans. On those tiers Anthropic will not sign a BAA, and using Claude.ai with PHI on any of them is a HIPAA violation full stop.
Claude Enterprise is the only Claude.ai tier where HIPAA compliance is achievable — and only with all of these in place:
A signed Anthropic BAA executed by your workspace admin.
Workspace configuration matching Anthropic's HIPAA-ready service requirements (zero data retention enabled, feature restrictions for non-HIPAA features, audit logging on).
SSO + SCIM enforced so departing employees lose Claude access immediately.
An external data-protection layer that ensures users do not paste PHI into prompts in ways the BAA never contemplated (the minimum-necessary standard is a control, not a policy).
Without all four, a Claude Enterprise BAA is a paper protection that will not survive an OCR audit.
The realistic risk on Claude AI today
Healthcare organizations adopting Claude AI almost never start with Enterprise. The pattern is:
A clinician signs up for Claude Pro with their personal email
A care coordinator pastes in a patient discharge summary to "summarize this for the family"
A billing analyst uploads a spreadsheet with names, DOBs, and MRNs to "categorize the rejections"
Each of these is a HIPAA violation under any reasonable reading of the Privacy Rule. Anthropic's BAA does not exist to catch them — and would not apply to Claude Pro even if it did.
The control that prevents these incidents is in-flight redaction at the browser: regulated data is stripped from the prompt before it reaches Claude. This is exactly what Strac's Browser DLP for Claude does (see the Generative AI DLP integration); see also our broader AI Data Governance framework for how this fits inside the SOC 2 / HIPAA / EU AI Act compliance program.
Is Claude Code HIPAA Compliant?
No — Claude Code as a product is not covered by Anthropic's HIPAA BAA, even when bundled into a HIPAA-ready Claude Enterprise plan. Anthropic's official guidance is explicit: "Claude Code bundled seats are not currently covered as part of the HIPAA-ready offering... only the chat functionality is covered. Claude Code usage is not covered, even when purchased as part of a bundled seat."
This is a more restrictive position than many healthcare engineering teams assume. The practical map:
| How Claude Code is used | HIPAA-eligible? |
|---|---|
| Personal Anthropic account / Pro / Max | No |
| Team plan | No |
| Claude Code bundled with Claude Enterprise (even HIPAA-ready) | No — explicitly excluded by Anthropic |
| Claude Code authenticated against a HIPAA-Enabled API Organization (direct API key) | Edge case — the underlying API call is BAA-covered, but Claude Code as a product is not approved for PHI. Treat as not HIPAA-eligible until Anthropic clarifies. |
| Claude on AWS Bedrock (using Bedrock-native SDKs / Claude Code on Bedrock) under AWS BAA | Yes, under AWS shared responsibility |
The cleanest HIPAA path for engineering teams using Claude as a coding assistant in 2026 is Claude via AWS Bedrock, not Claude Code directly. Anthropic may extend BAA coverage to Claude Code in a future update, but as of May 2026 it is outside scope.
Where Claude Code introduces HIPAA risk that Claude AI does not: Claude Code reads local files, executes shell commands, and writes to your filesystem. If those local files contain PHI (medical records exported to a developer's laptop, patient data in a CSV pulled from a warehouse, screenshots of EHR dashboards), Claude Code will happily read them, ship the relevant content to the model, and — even if the underlying API call is BAA-covered — incorporate the data into outputs that flow through Claude Code's tool layer. The data layer risk is real, the contractual coverage is not.
For engineering teams in healthcare:
Do not use bundled Claude Code in HIPAA-ready Enterprise for PHI workloads. The bundle does not cover Claude Code.
If using Claude as a coding assistant with PHI, route through Claude on AWS Bedrock under your existing AWS BAA.
Enforce technical controls (DLP, endpoint agents, MCP-level inspection) that prevent PHI-containing files from being fed into any Claude client — Code, Cowork, or otherwise.
✨ Is Claude Cowork HIPAA Compliant?
No. Claude Cowork is explicitly excluded from Anthropic's HIPAA BAA as of May 2026. Cowork is the agentic desktop product Anthropic launched in late 2025 that runs on the user's machine, accesses local files and applications, and acts autonomously across the data surface a knowledge worker actually works in.
That's a powerful product. It's also, from a HIPAA standpoint, a serious risk:
Cowork reads local files. Folders that contain patient records, exported reports, scanned documents, EHR screenshots — anywhere a healthcare worker has accumulated PHI on their laptop is now accessible to an autonomous agent that decides on its own which files to open.
Cowork reaches into every SaaS app you've connected. Via the Model Context Protocol (MCP), Cowork can pull PHI out of Slack channels, Google Drive folders, Gmail threads, Notion pages, Jira tickets, and any other SaaS app you've authorized it to access — and synthesize that data across systems into a single output. PHI siloed across ten apps can now be aggregated into a single brief in seconds.
The BAA does not apply. Anthropic's privacy center is explicit: Cowork is not within the BAA scope. Healthcare organizations using Cowork with any PHI exposure are in violation, regardless of which SaaS app the PHI came from.
The only effective control here is to prevent Cowork from seeing PHI in the first place — across every surface it can reach, not just local files. That has to happen at the data layer — before Cowork's agent decides to read a file, query a Drive folder, or grep a Slack channel — which is exactly the gap Strac's MCP DLP closes.
How Strac MCP DLP secures Claude Cowork — across every connected SaaS
Cowork uses the Model Context Protocol (MCP) to discover and access tools, files, and APIs across the user's local machine and every authorized SaaS app. Strac's MCP DLP sits in that protocol layer for each surface and:
Slack — when Cowork queries Slack via MCP, Strac's Slack MCP DLP inspects message content and file shares for PHI before content reaches the Claude model. Redacts PHI inline, lets the agent complete its task on the non-PHI portion.
Google Drive — Strac's Google Drive MCP DLP inspects documents, spreadsheets, and PDFs Cowork reads, including text inside images and scanned documents. Same redact-before-the-model behavior.
Gmail — Strac's Gmail MCP DLP inspects email content, attachments, and threads when Cowork's agent reads inbox data. PHI is redacted before the prompt is assembled.
Notion, Jira, Confluence, Salesforce, GitHub, Zendesk, Intercom, SharePoint, OneDrive — Strac's MCP DLP layer extends across the broader SaaS surface. New SaaS integrations are being added on a continuous basis as the MCP ecosystem grows.
Local files — Strac's endpoint and MCP DLP inspects local filesystem reads with the same OCR and document parsing used on SaaS surfaces.
Across every surface, three things happen consistently:
PHI is redacted or vaulted inline — the resource appears to Cowork without the regulated data, so the agent can still complete its task with non-PHI content.
Every tool invocation is logged — the SaaS app, the user, the resource accessed, the PHI detected, and the disposition (allowed, redacted, blocked) — producing audit evidence mapped to HIPAA §164.312(b) (audit controls).
A policy boundary is enforced that the BAA cannot: regulated data simply never enters the Cowork context window, regardless of which app or file it lived in.
This is, to our knowledge, the only category-defining MCP DLP control available today, and the only one with breadth across both local files and the SaaS surface a real healthcare worker actually uses. It is the practical answer to the question "can we let our analysts use Claude Cowork without violating HIPAA?"
Strac MCP DLP sits between Claude Cowork's agent and every data surface Cowork can reach via MCP — local files plus Slack, Google Drive, Gmail, Notion, Jira, and dozens more SaaS apps. PHI is intercepted and redacted before it reaches the Claude model, regardless of which file or system Cowork chose to open.
The same MCP DLP pattern is already in production at Strac for Microsoft 365 / SharePoint, where Claude (or any MCP-aware agent) routes through a dedicated strac-m365-dlp MCP server that strips SSNs, credit card numbers, emails, and other sensitive elements out of SharePoint and OneDrive documents before they reach the model. See the Strac MCP DLP in action — SharePoint Redaction walkthrough for the live example. For healthcare teams adopting Claude Cowork in 2026, the same pattern extends to every SaaS surface Cowork touches.
Is Anthropic Claude on AWS Bedrock HIPAA Compliant?
Yes — under an AWS Business Associate Agreement. This is a separate compliance path from Anthropic's direct BAA, and for many healthcare organizations it's the cleaner option.
Claude models (Sonnet, Opus, Haiku) are available on Bedrock as first-class foundation models.
Bedrock keeps your prompts, inputs, and outputs inside AWS infrastructure. Anthropic never receives the data.
You sign one BAA — with AWS — and it covers Claude usage along with every other HIPAA-eligible AWS service.
The trade-offs vs. the Anthropic-direct BAA path:
| Dimension | Claude via Anthropic (direct BAA) | Claude via AWS Bedrock (AWS BAA) |
|---|---|---|
| BAA counterparty | Anthropic | AWS |
| Where data lives | Anthropic infrastructure | AWS infrastructure (region of your choice) |
| Anthropic ever sees the data | Yes (under BAA-controlled terms) | No |
| Available Claude models | All current + future | Subset (sometimes lagging the latest Anthropic release by weeks) |
| Bedrock guardrails / KMS / VPC controls | N/A | Yes — full AWS control plane |
| Best for | Teams already standardized on Anthropic Console / Workbench | Healthcare orgs already standardized on AWS, want one BAA |
For most healthcare buyers we work with, Claude on Bedrock under the AWS BAA is the default recommendation: one BAA, data residency control, integrates with the rest of your AWS security stack, and removes Anthropic as a data processor entirely.
This path still requires a data-protection layer above the API — see the next section.
The Gap: What Even a Signed BAA Doesn't Protect You From
A BAA is necessary. It is not sufficient. Here's what neither Anthropic's nor AWS's BAA stops:
Users pasting PHI into prompts. The BAA governs the processor's handling. It cannot prevent the upstream input.
PHI embedded in uploaded files. A PDF lab report, a screenshot of a patient chart, a spreadsheet of MRNs — uploaded as context, processed under the BAA, but never authorized for that use.
Outputs containing PHI being shipped downstream. Claude's response goes into a Slack channel, an email, a Notion doc — places the BAA does not extend.
The minimum-necessary standard. HIPAA §164.502(b) requires that only the minimum PHI necessary for the purpose is disclosed. If your clinician pastes a full chart to ask one question, you've violated minimum-necessary even under a BAA.
Audit accounting of disclosures. HIPAA §164.528 expects you to track who saw which PHI, when, and why. Anthropic's logs don't produce HIPAA-shaped accounting; you need that layer yourself.
Workforce training evidence. Annual training is one Security Rule control. Demonstrating that the training actually prevented incidents is another. Both belong to the customer, not the BAA counterparty.
Breach notification readiness. If a Claude conversation leaks PHI, the BAA defines who notifies whom — it does not produce the forensic timeline you'll need to satisfy OCR.
The gap is, in every case, a data-layer control problem — discovery, classification, redaction, audit. That gap is where data protection platforms like Strac live.
✨ How Strac Adds HIPAA-Grade Data Protection Across All Claude Products
Strac sits at the data layer across every Claude surface — Browser DLP on Claude AI, MCP DLP for Cowork, endpoint inspection for Claude Code, and cloud DSPM for Claude on Bedrock.
Strac is a data security platform. For healthcare teams using Claude, that means we operate at the data layer — across Claude AI, Claude Code, Claude Cowork, and Claude on Bedrock — and produce the technical controls and audit evidence that HIPAA actually requires.
The two surfaces that matter most for Claude specifically:
Strac Browser DLP for Claude AI
The Strac browser extension sits inside the user's browser session on claude.ai and inspects every prompt and file upload as the user composes it — before submission. PHI patterns (names + DOB + MRN co-occurrence, ICD-10 codes adjacent to identifiers, lab values, etc.) are detected and either redacted inline, replaced with tokens, or blocked depending on the policy.
What this looks like in practice:
A clinician drafts "Mary Johnson DOB 03/14/1962 was discharged with diagnosis I50.9..." → the extension tokenizes the name, DOB, and any other identifiers before the prompt is submitted, so the model receives "PATIENT_001 DOB_REDACTED was discharged with diagnosis I50.9..."
A care coordinator uploads a PDF discharge summary → the extension inspects the PDF (including text inside images), redacts PHI elements, and lets the now-redacted version through.
An audit-grade log of every prompt, every detection, and every disposition lands in Strac's evidence trail mapped to HIPAA §164.312(b).
This works across every Claude AI tier — including the personal plans Anthropic will not sign a BAA on. For healthcare organizations whose workforce is using Claude Pro today (which is almost every healthcare organization in 2026), Browser DLP is the only meaningful control.
Strac Browser DLP redacting sensitive content from a Claude prompt in real time, before submission to the model.
The same extension covers ChatGPT, Microsoft Copilot, Google Gemini, and other generative AI surfaces — one policy, one audit log, every model.
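An added example, not Strac's or Anthropic's code: a minimal Python redactor and gateway that applies the tokenize-before-submission behaviour described above to a claude.ai prompt and, with the same redactor, to an MCP tools/call result of the kind the Cowork section describes, emitting an audit record per inspection with counts rather than values. The detector regexes, the policy shape ({"mode": "redact"} or {"mode": "block"}), the surface names and the sample strings are constructed for illustration and are far narrower than a real PHI classifier.

```python
import re
from datetime import datetime, timezone

# Constructed, illustrative detectors (not Strac's). A two-word capitalised name
# is treated as PHI only when a DOB or MRN follows it (co-occurrence), so plain
# prose is not tokenised. ICD-10 codes alone are not identifiers and are left
# in place so the model can still answer the clinical question.
NAME_RE = re.compile(r"\b([A-Z][a-z]+ [A-Z][a-z]+)(?=\s+(?:DOB|MRN)\b)")
DOB_RE = re.compile(r"\bDOB[:\s]*\d{1,2}/\d{1,2}/\d{4}\b")
MRN_RE = re.compile(r"\bMRN[:\s#]*\d{5,10}\b")


class PhiRedactor:
    """Replaces identifiers with stable tokens; the name->token map is the vault."""

    def __init__(self):
        # Original name -> PATIENT_nnn. Lives only here, never in the audit log.
        self._vault = {}

    def _token(self, name):
        if name not in self._vault:
            self._vault[name] = f"PATIENT_{len(self._vault) + 1:03d}"
        return self._vault[name]

    def redact(self, text):
        """Return (redacted_text, list_of_detection_types)."""
        found = []

        def name_sub(m):
            found.append("NAME")
            return self._token(m.group(1))

        out = NAME_RE.sub(name_sub, text)
        out, n = DOB_RE.subn("DOB_REDACTED", out)
        found += ["DOB"] * n
        out, n = MRN_RE.subn("MRN_REDACTED", out)
        found += ["MRN"] * n
        return out, found


def inspect_text(text, *, surface, user, resource, policy, redactor):
    """Apply the policy to one unit of text. Returns (text_or_None, audit_record)."""
    redacted, found = redactor.redact(text)
    if not found:
        disposition, out = "allowed", text
    elif policy["mode"] == "block":
        disposition, out = "blocked", None
    else:
        disposition, out = "redacted", redacted
    audit = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "surface": surface,
        "user": user,
        "resource": resource,
        # Counts by type only: the audit trail must not become a second PHI store.
        "detections": {t: found.count(t) for t in sorted(set(found))},
        "disposition": disposition,
        "control": "HIPAA 164.312(b) audit controls",
    }
    return out, audit


def filter_mcp_tool_result(result, *, surface, user, resource, policy, redactor):
    """Run inspect_text() over each text item of an MCP tools/call result
    ({"content": [{"type": "text", "text": ...}, ...]}) before the agent sees it.
    Fails closed: a block, or a non-text item this example cannot parse (images
    and PDFs would need OCR), withholds the whole payload. Returns (result, audits)."""
    audits, items = [], []
    for item in result.get("content", []):
        if item.get("type") != "text":
            return {"content": [{"type": "text", "text": "[withheld: uninspected content]"}],
                    "isError": True}, audits
        out, audit = inspect_text(item["text"], surface=surface, user=user,
                                  resource=resource, policy=policy, redactor=redactor)
        audits.append(audit)
        if out is None:
            return {"content": [{"type": "text", "text": "[blocked by DLP policy]"}],
                    "isError": True}, audits
        items.append({"type": "text", "text": out})
    return {"content": items}, audits


if __name__ == "__main__":
    r = PhiRedactor()
    # Browser-side case using the page's own example prompt as constructed input.
    prompt = "Mary Johnson DOB 03/14/1962 was discharged with diagnosis I50.9..."
    text, audit = inspect_text(prompt, surface="claude.ai", user="clinician@example.org",
                               resource="prompt", policy={"mode": "redact"}, redactor=r)
    print(text)   # PATIENT_001 DOB_REDACTED was discharged with diagnosis I50.9...
    print(audit)
```

Because the vault lives in the redactor instance, the same patient named in a later prompt or in a Slack message Cowork reads maps to the same PATIENT_nnn token, so the model can still reason across messages without ever seeing the name.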
Strac MCP DLP for Claude Cowork
Detailed in the Cowork section above. The short version: Cowork is explicitly outside Anthropic's BAA. The control that makes Cowork safe for healthcare use is the MCP DLP layer that inspects and redacts PHI from every file Cowork's agent decides to open — before the content reaches Claude.
Strac is, to our knowledge, the only DLP vendor with native MCP-layer inspection in May 2026. For healthcare teams interested in adopting Cowork, this is currently the only path to a defensible deployment.
Strac data security across the rest of the Claude footprint
Claude Code on developer laptops — Strac's endpoint agent inspects files and folders developers may inadvertently expose to Claude Code, with the same redaction and audit pipeline.
Claude via Bedrock in your AWS environment — Strac's cloud DSPM continuously discovers PHI across S3, RDS, Snowflake, and the other data stores Bedrock prompts may pull from, so context windows assembled inside your VPC do not include unauthorized PHI.
Audit evidence mapped to HIPAA — every detection, every redaction, every Cowork tool invocation, every prompt-time block produces evidence formatted for the HIPAA controls a covered entity will be tested against.
A Practical Claude HIPAA Deployment Checklist
If you are a covered entity or business associate planning to deploy Claude in 2026, the following is the realistic step-by-step:
Phase 1 — Contracts and configuration (Weeks 1–2)
[ ] Decide your deployment path: Claude API direct under Anthropic BAA, Claude Enterprise under Anthropic BAA, or Claude on AWS Bedrock under AWS BAA.
[ ] Execute the appropriate BAA. For Anthropic, submit an inquiry to sales with your deployment details. For AWS, ensure your existing AWS BAA is active and Bedrock is enabled in a HIPAA-eligible region.
[ ] Enable zero-retention (Anthropic API), workspace HIPAA mode (Enterprise), or Bedrock model invocation logging to S3 (AWS path).
[ ] Confirm which Claude features are restricted under HIPAA-ready configuration and communicate the scope to your workforce.
Phase 2 — Data-layer controls (Weeks 2–4)
[ ] Deploy a browser-level DLP that inspects prompts and uploads to Claude AI for PHI before submission. Confirm coverage of text, files, and images.
[ ] If using Claude Cowork in any capacity, deploy an MCP-layer DLP that intercepts file reads and tool invocations before content reaches the model. Note: this is required because Cowork is outside Anthropic's BAA.
[ ] Deploy an endpoint-level DLP on workforce devices that prevents PHI from being copied into AI tools by drag-and-drop or copy-paste.
[ ] Stand up data classification that distinguishes PHI from non-PHI at the prompt and file level.
Phase 3 — Workforce and policy (Weeks 3–6)
[ ] Publish an Acceptable AI Use policy specifically covering Claude — what's allowed on which plan, what data is permitted, and what is prohibited.
[ ] Train clinical, administrative, and engineering workforce on the policy and the technical controls.
[ ] Inventory every Claude API key and Claude.ai workspace member; remove any unauthorized access.
Phase 4 — Audit and lifecycle (Ongoing)
[ ] Wire Claude usage logs (Anthropic logs, Bedrock CloudTrail, Strac evidence) into your SIEM and GRC platform.
[ ] Map each control to specific HIPAA Security Rule sections (§164.308 administrative, §164.310 physical, §164.312 technical).
[ ] Schedule quarterly access reviews and an annual security risk analysis (required under §164.308(a)(1)(ii)(A)) that explicitly covers Claude.
[ ] Track any incidents, near-misses, and policy violations as part of your breach-notification preparedness.
Healthcare organizations that get all four phases in place can run Claude — across API, Enterprise, Code, Cowork (if MCP DLP is in place), and Bedrock — with a defensible HIPAA posture. Skipping any phase, especially the data-layer controls in Phase 2, leaves a gap that a real audit will find.
🌶️ Spicy FAQs for Is Claude HIPAA Compliant
Is Claude HIPAA compliant out of the box?
No. Claude is not HIPAA compliant by default on any plan. HIPAA compliance for Claude requires (a) the right product surface — Claude API under a HIPAA-Enabled Organization, Claude Enterprise with admin opt-in, or Claude on AWS Bedrock — (b) a signed BAA, (c) compliant configuration, and (d) external data-layer controls. Out of the box, Claude is a general-purpose LLM with no PHI safeguards.
Will Anthropic sign a BAA on Claude Pro or Claude Team?
No. Anthropic's BAA covers only the Claude API and the Claude Enterprise plan (with admin opt-in). Pro, Team, Max, Free, Workbench, Console, Cowork, Design, and beta features are all explicitly out of scope. If anyone on your workforce is using Claude Pro for any task that touches PHI, that is a HIPAA violation regardless of how careful they are.
Is Claude Code HIPAA compliant?
No. Anthropic's official guidance is explicit: "Claude Code bundled seats are not currently covered as part of the HIPAA-ready offering... only the chat functionality is covered." Even on a HIPAA-ready Claude Enterprise plan, the Claude Code seats bundled with that plan are outside BAA scope. For engineering teams that need a Claude-powered coding assistant in a HIPAA environment, the supported path is Claude on AWS Bedrock under your existing AWS BAA — not bundled Claude Code on Enterprise.
Is Claude Cowork HIPAA compliant?
No. Anthropic explicitly excludes Cowork from its HIPAA BAA. Because Cowork is an agentic desktop product that reads local files and reaches into every SaaS app you authorize via MCP (Slack, Google Drive, Gmail, Notion, Jira, and dozens more), the risk of incidental PHI exposure is high across many surfaces, and Anthropic's contractual coverage is zero on all of them. The only defensible way to use Cowork with any PHI exposure is to add an MCP-layer DLP control that prevents Cowork from ever seeing PHI in the first place — for each SaaS surface Cowork can reach as well as local files. Strac is currently the only vendor with category-defining MCP DLP across this full SaaS surface.
Is Claude on AWS Bedrock HIPAA compliant?
Yes — under the AWS Business Associate Agreement. Bedrock is a HIPAA-eligible AWS service, your prompts and outputs stay inside AWS infrastructure, and Anthropic never receives the data. For healthcare organizations already standardized on AWS, this is typically the cleanest deployment path: one BAA, full data residency control, and integration with the rest of the AWS security stack.
Is Claude on Google Vertex AI HIPAA compliant?
Yes — under Google Cloud's BAA. Same model as AWS Bedrock: third-party-hosted Claude under the cloud provider's BAA, with data staying inside the cloud provider's infrastructure. Suitable for healthcare organizations standardized on GCP.
Does Anthropic's BAA protect us if a clinician pastes a patient's chart into Claude?
It governs Anthropic's handling of the data that reaches them. It does not prevent the disclosure from being made, does not enforce the HIPAA minimum-necessary standard, does not redact PHI before transmission, and does not produce the audit accounting HIPAA §164.528 requires. The BAA is one control layer. You still need technical controls on the customer side — that's why an external DLP layer matters.
How does Strac help with HIPAA compliance for Claude?
Strac sits at the data layer across every Claude surface: Browser DLP redacts PHI from Claude AI prompts and uploads before submission, MCP DLP intercepts PHI from files Claude Cowork reads, endpoint agents prevent PHI exposure on Claude Code workstations, and cloud DSPM continuously discovers and protects PHI across the data stores Bedrock prompts may reach. All findings, redactions, and disclosures are logged with HIPAA-mapped evidence ready for a covered entity's risk analysis or an OCR audit.
What's the fastest path to a HIPAA-compliant Claude deployment in 2026?
For most healthcare organizations the fastest defensible path is: (1) Claude on AWS Bedrock under your existing AWS BAA, (2) Strac Browser DLP for any direct Claude AI usage by the workforce, (3) Strac MCP DLP if Cowork is in play, (4) audit logs wired to your SIEM, and (5) a one-page Acceptable AI Use policy covering Claude. Most teams get to a defensible posture in 4–6 weeks following this path.
Where can I read Anthropic's actual HIPAA BAA terms?
Anthropic publishes the scope of HIPAA-ready services in their privacy center BAA article. The full BAA text is provided during the contract execution process via Anthropic Sales.
The Bottom Line
Claude can be deployed HIPAA-compliantly — on Claude API, Claude Enterprise, or Claude on AWS Bedrock — but only under a properly executed BAA and only when the customer adds a data-protection layer above the model. The default consumer-facing products (Claude Pro, Team, Max, Cowork) are not HIPAA-eligible, and "be careful" is not a HIPAA control.
For healthcare teams adopting Claude in 2026:
Pick your deployment path. Bedrock is the cleanest for most.
Execute the right BAA. Confirm in writing which products it covers.
Deploy data-layer controls (browser, MCP, endpoint, cloud) that prevent PHI from reaching Claude in the first place — and produce the audit evidence HIPAA actually requires.
Treat Claude Cowork as a special case until and unless an MCP DLP layer is in place.
A signed BAA is the start of HIPAA compliance for Claude. It is not the finish.
If you'd like to see how Strac wires this together across Claude AI, Code, Cowork, and Bedrock — book a 30-minute demo. We'll walk through the browser extension, the MCP DLP layer, the HIPAA evidence trail, and a deployment plan for your specific Claude footprint.