OpenAI just revealed that over 230 million people every week are asking ChatGPT for health advice—sharing diagnoses, medications, and lab results with a chatbot that isn't bound by the same privacy laws as your doctor. The company launched ChatGPT Health this month, positioning the AI as a healthcare "ally" to help navigate insurance, interpret test results, and track wellness data. But here's the catch: unlike hospitals and clinics governed by HIPAA, tech companies operate in a regulatory gray zone where privacy promises live in terms of service that can change overnight. Legal experts tell The Verge that users handing over sensitive medical information to AI chatbots are taking a leap of faith with little legal recourse if things go wrong.
OpenAI is betting big that you'll trust its chatbot with your most intimate secrets. Every week, more than 230 million people are already asking ChatGPT about their health—from decoding confusing lab results to navigating insurance nightmares to making sense of scary diagnoses. The company wants to deepen that relationship. This month it launched ChatGPT Health, a dedicated tab inside ChatGPT where users can feed the AI their medical records, prescription lists, and wellness data from apps like Apple Health and Peloton in exchange for personalized insights.
The pitch is seductive: an always-available medical companion that doesn't judge, never rushes you, and speaks in plain English instead of medical jargon. OpenAI says many users already see ChatGPT as an "ally" helping them become better self-advocates in a frustrating healthcare system. CEO Sam Altman even brought a cancer patient onstage during the GPT-5 launch to share how the tool helped her understand her diagnosis.
But there's a problem: ChatGPT isn't your doctor, and it isn't governed like one. While OpenAI promises to keep health data confidential, encrypt it by default, and never use it for AI training, those assurances live entirely in the company's privacy policy—a document that can be rewritten at any time. "You are not protected by law, and it is allowed to change terms of use over time," Hannah van Kolfschooten, a digital health law researcher at the University of Basel, told The Verge. "You will have to trust that ChatGPT does not do so."
That's a stark contrast to traditional healthcare providers, who operate under the Health Insurance Portability and Accountability Act, better known as HIPAA. The 1996 federal law creates strict rules about who can access your medical information and imposes serious penalties for violations—up to $1.5 million per year for repeat offenses, plus potential criminal charges. Tech companies face no such constraints when building consumer products. "Data protection for AI tools like ChatGPT Health largely depends on what companies promise in their privacy policies and terms of use," Sara Gerke, a law professor at the University of Illinois Urbana-Champaign, explained to The Verge.
The situation gets murkier thanks to OpenAI's confusing product lineup. The day after announcing ChatGPT Health, the company unveiled ChatGPT for Healthcare—a nearly identical-sounding product aimed at hospitals, clinics, and physicians. This enterprise version does come with HIPAA compliance and stronger security guarantees, designed to help doctors draft clinical notes, summarize patient charts, and stay current on medical research. The problem? The similar names and simultaneous launches have created widespread confusion about which product has which protections. Multiple people interviewed by The Verge for its investigation mistakenly believed the consumer ChatGPT Health had the same safeguards as the clinical tool.
Even if OpenAI voluntarily complies with HIPAA-like practices for its consumer product, that doesn't carry the force of law. "There's very limited protection," Carmel Shachar, an assistant clinical professor at Harvard Law School, told The Verge. "Some of it is their word, but they could always go back and change their privacy practices." The value of HIPAA, she explained, is enforcement—something voluntary compliance lacks.
The privacy gap is just one concern. There's also the question of accuracy. Medicine is heavily regulated for good reason: mistakes can kill. ChatGPT has already demonstrated its capacity for dangerous misinformation, like when it told a man concerned about his salt intake to replace regular salt with sodium bromide—a compound historically used as a sedative that caused him to develop a rare toxic condition. Google's AI Overviews made a similar error, advising pancreatic cancer patients to avoid high-fat foods when they should be doing the exact opposite, according to The Verge.
OpenAI tries to sidestep liability by explicitly stating ChatGPT Health "is not intended for diagnosis and treatment" and should be used "in close collaboration with physicians." That disclaimer carries significant regulatory weight. Products designed for diagnosis and treatment are classified as medical devices by the FDA and must go through rigorous clinical trials and safety monitoring. By saying ChatGPT Health isn't meant for that purpose—even though 230 million people use it for health advice each week—OpenAI keeps the product outside the FDA's jurisdiction.
But van Kolfschooten questions whether that's the right call. When OpenAI encourages users to upload lab results, track health behaviors, and reason through treatment decisions, the line between "informational tool" and "medical device" starts to blur. "If a product is doing this, one could reasonably argue it might fall under the US definition of a medical device," she told The Verge. She speculates that Europe's stricter regulatory framework may explain why ChatGPT Health isn't available there yet.
The medical disclaimers may also be ineffective at actually changing user behavior. OpenAI has spent considerable effort positioning ChatGPT as medically competent—developing HealthBench, its own benchmark created with 260+ physicians to "test how well AI models perform in realistic health scenarios." Independent studies, though often small or funded by OpenAI itself, suggest ChatGPT can pass medical licensing exams, communicate more empathetically than some doctors, and in certain cases outperform physicians at diagnosis. When a system "feels personalized and has this aura of authority, medical disclaimers will not necessarily challenge people's trust in the system," van Kolfschooten warned.
OpenAI isn't alone in this push. Anthropic launched Claude for Healthcare this month, marketing it as "HIPAA-ready" for both providers and consumers. Notably absent from the healthcare AI race is Google, though the company did quietly announce updates to its MedGemma medical AI model for developers. Health and wellness is emerging as the next major battleground for AI labs—a test of whether users will welcome these systems into their most vulnerable moments.
The scale suggests they already are. With 230 million weekly users asking health questions, ChatGPT has become one of the world's most-consulted medical resources almost by accident. In a country where stark health inequalities persist and millions struggle to afford basic care, an AI that's free, always available, and actually listens could genuinely help people. But only if the trust users are placing in these systems is deserved.
We trust doctors with our private information because the medical profession has spent centuries earning that trust—through ethical codes, legal accountability, and institutional oversight. The tech industry's mantra has long been "move fast and break things." The question now is whether an industry built on that philosophy has earned the right to hold our most sensitive secrets, protected only by a promise that could vanish with the next privacy policy update.
The rise of AI health advisors like ChatGPT Health represents a fundamental shift in how millions of people seek medical guidance—but it's happening in a regulatory vacuum. While 230 million weekly users are already trusting these systems with their most sensitive information, the protections governing that data remain dangerously thin, dependent entirely on corporate promises rather than legal safeguards. As OpenAI, Anthropic, and others race to dominate this emerging market, the absence of comprehensive privacy laws and clear FDA oversight creates a perfect storm of risk. The technology may offer genuine benefits, especially for underserved populations struggling to navigate a broken healthcare system. But until regulators close the gap between what these tools can do and how they're governed, users sharing their medical records with chatbots are making a bet that tech companies will keep their word—even when there's no legal requirement to do so.