Your Doctor Can't Share Your Medical Records. ChatGPT Can.

Forty million people ask ChatGPT health questions every day. Since January 2026, OpenAI's new ChatGPT Health feature lets them upload their actual medical records — lab results, visit summaries, clinical history — to get personalized answers. The catch: the moment those records leave your doctor's system and land in ChatGPT, HIPAA stops protecting them.

That's not a bug. It's how the law works.

The HIPAA Gap Nobody Talks About

HIPAA covers doctors, hospitals, and insurers. It doesn't cover tech companies. This isn't new — fitness trackers and period-tracking apps have operated in this gray zone for years. But ChatGPT Health is different in scale and depth.

We're not talking about step counts. We're talking about clinical histories, lab results, mental health records. The kind of data that, in a hospital's hands, would require encryption, audit trails, and strict access controls under federal law.

Sara Geoghegan, senior counsel at the Electronic Privacy Information Center (EPIC), put it bluntly: sharing medical records with ChatGPT Health "would remove the HIPAA protection from those records, which is dangerous."

OpenAI has built real safeguards. Health conversations sit in a separate, encrypted section. The data isn't used for model training. Users can delete everything at any time. But these are company policies, not legal obligations. OpenAI could change them tomorrow.

The US has no comprehensive federal privacy law that would stop them.

Why 40 Million People Don't Care

Here's the thing that privacy advocates struggle with: people are doing this voluntarily, and they're doing it because the healthcare system has failed them.

Of ChatGPT's 800 million users, one in four asks a health question every week. That's not curiosity — that's desperation. Getting a doctor's appointment takes weeks. Understanding a lab result takes a medical degree. Decoding a hospital bill takes a lawyer.

ChatGPT answers in seconds, in plain language, for free.

Dr. Danielle Bitterman, a radiation oncologist at Mass General Brigham, told TIME she wasn't surprised by the demand. "This speaks to an unmet need," she said. "It's difficult to get in to see a doctor. There is, unfortunately, some distrust in the medical system."

OpenAI spent two years working with more than 260 physicians to shape ChatGPT Health's responses. The tool connects with Apple Health, MyFitnessPal, and a blood-testing platform called Function that tracks over 160 biomarkers. Users can ask things like "How's my cholesterol trending?" or "What should I discuss at my physical tomorrow?"

It's genuinely useful. That's what makes the privacy question so uncomfortable.

The Atlantic Between the US and EU

The perception gap on AI health data splits cleanly along the Atlantic.

In the US, the conversation is framed around innovation and access. ChatGPT Health fills a gap that the healthcare system created. If people want to share their data, that's their choice. The market will sort it out.

In Europe, the same product would face an entirely different legal reality. The EU's GDPR protects all personal data regardless of who holds it — not just healthcare providers. Violations carry fines up to 20 million euros or 4% of global revenue, whichever is higher. The EU AI Act adds another layer, classifying health-related AI as high-risk, requiring conformity assessments before deployment.

ChatGPT Health launched in the US only. That's not a coincidence.

HIPAA caps penalties at $1.5 million per violation category per year. GDPR's ceiling for a company OpenAI's size would be hundreds of millions. The regulatory asymmetry means Americans are essentially beta-testing AI health tools under weaker protections than Europeans would ever accept.

The Breach Math

Healthcare data breaches cost an average of $7.42 million per incident — the most expensive of any industry. Between September 2025 and January 2026, the US averaged 47 healthcare data breaches per month.

Now imagine a breach at OpenAI's scale. Forty million daily health users. Clinical histories, mental health records, substance use data. The kind of information that can't be changed like a credit card number. Your medical history is permanent.

OpenAI isn't a small startup anymore. It's one of the most targeted companies on earth. Every AI lab is under constant attack from state-sponsored hackers, criminal groups, and opportunistic attackers. Adding millions of medical records to that target profile raises the stakes considerably.

The Deeper Question

The real story isn't whether ChatGPT Health is safe today. OpenAI's safeguards are genuinely better than most consumer health apps. The real story is what happens next.

Once 40 million people normalize sharing medical records with AI, there's no going back. Every competitor will follow. Google, Meta, Apple — they'll all want your health data feeding their models. The companies with the best health data will build the best health AI. The incentive to collect more, keep more, and use more is enormous.

And the legal framework protecting that data in the US was written in 1996, before Google existed.

HIPAA was designed for a world where your medical records lived in filing cabinets and hospital servers. It never anticipated a world where people would voluntarily hand those records to a chatbot — because doing so was easier and more helpful than calling their doctor.

The US needs a federal privacy law that covers health data wherever it goes, not just inside hospitals. Until that happens, 40 million people are making a bet every day: that OpenAI's promises will hold, that the data won't leak, and that the policies won't change.

It's a reasonable bet today. Whether it stays reasonable depends entirely on decisions that haven't been made yet — by companies, regulators, and a Congress that hasn't passed major privacy legislation in three decades.

Your doctor is legally bound to protect your records. The AI you just shared them with isn't. That gap is the story of health privacy in 2026.