This is about your HR team's own data, not the whole company. HIPAA governs health plans, not employers — so the people data HR handles every day (pay, performance, reviews, the SSN on a tax form) is sensitive, but not HIPAA-regulated. That one distinction is usually what stands between your team and Claude. Here's how it sorts out.
HIPAA protects health information held by a covered entity — a health plan, a healthcare provider, a clearinghouse — or by a business associate working on one's behalf, which is the relationship a BAA creates. An ordinary employer isn't a covered entity, and neither is its HR team.
The data your HR team handles — compensation, performance, reviews, the SSN on a tax form — is sensitive, and it's governed by privacy and employment law. But it sits outside HIPAA entirely. The worry that "we handle people data, so AI is off the table" almost always comes from treating those two things as the same. They aren't — and because almost none of it is HIPAA-PHI, your HR team can adopt Claude Team without waiting on a BAA.
Health information held by a health plan is HIPAA's concern. The pay, performance, and personnel data an employer holds is not. Almost everything your HR team would bring to Claude is the second kind.
One clean exception — and if it's yours, stop here.
If your organization is itself a HIPAA covered entity — a hospital, clinic, medical or dental practice, a health plan, or a health-data business — patient and member health information runs through your core operations. That's a different, larger analysis than this one. The same is true if you self-insure your health plan and want to use its claims data. If that's you, don't use this framework — reach out and we'll work it directly.
With covered entities set aside, the data your HR team handles falls cleanly into two tiers. The tier tells you the surface — and for the sensitive tier, that surface is Claude Team.
Open tier: job descriptions, leveling guides, policies, org charts, posted pay ranges, training content.
No personal sensitivity. Use it on any plan, including Pro.
Sensitive tier: compensation, performance, reviews, benefits elections, employee PII.
Sensitive and regulated — but not HIPAA, so no BAA is required. Use Team, where Claude doesn't train on your content by default, and keep access need-to-know. Enterprise only if the company already mandates it.
| Data type | Tier | What to do |
|---|---|---|
| Job descriptions, leveling guides | Open | Any plan — Pro, Team, or Enterprise |
| Policies, org charts, posted pay ranges | Open | Any plan |
| Compensation bands, merit matrices | Sensitive | Team — no-training default, no BAA needed |
| Individual pay, performance reviews | Sensitive | Team — keep access need-to-know |
| Benefits enrollment elections | Sensitive | Team — feels like health data, isn't |
| SSNs, bank / direct-deposit numbers | Sensitive · PII | Don't paste raw — they're rarely needed for the work |
The one thing that doesn't belong on this page: health information held by your group health plan, if you self-insure. That's true PHI, and it has its own path. Everything else your HR team touches is in the two tiers above.
Once the data is sorted, the rules for using it safely are short.
Sensitive HR data goes on Claude Team, where no-training-on-content is the default and no BAA is needed. Open data is fine anywhere, Pro included.
Not everyone needs every file. Set permissions need-to-know, and use SSO so access follows the org.
SSNs and bank numbers are almost never needed for the actual work. Keep them out of the prompt instead of managing the risk of having put them in.
HR owns this call, but it rarely makes it alone. Here's the one-line answer Legal, Finance, and IT each need.
| Desk | What you can tell them |
|---|---|
| Legal | Our HR team's data sits outside HIPAA — it's employer-held, not plan-held — so no BAA is required for it. On Claude Team, Claude doesn't train on our content by default. A BAA would only matter for true plan-side PHI, which we're not putting in. (Scope confirmed with our counsel.) |
| Finance | Team is a flat per-seat cost — predictable, no metered surprises for this kind of use, and it deploys the same day with no contract. (See the cost model.) |
| IT / Security | Claude Team gives us SSO, central admin, and per-user spend caps self-serve — we set permissions need-to-know, and access de-provisions with the employee. If you later run a company-wide rollout, that's your call; this is scoped to the HR team. |
For an ordinary employer, almost none of your HR team's data is HIPAA data. It's sensitive — so you put it on Claude Team, keep access need-to-know, and leave raw identifiers out. No BAA, no sales cycle. That's the discipline.
Sort it once, and the question changes — from "are we allowed to use this?" to "what do we want to use it for?"
The Sprint takes a company from "we're not sure we can use AI" to a sanctioned, classified, and costed rollout — with the materials HR needs to bring Legal, Finance, and IT along. Classification is where it starts.
This is my AI-for-HR practice — one of three I run, alongside Total Rewards and HR Systems. They’re separate practices; you can hire me for any one of them on its own.
Start a conversation → The first conversation is free.
This is for ordinary employers and the HR data they hold. If your organization is a HIPAA covered entity — healthcare, a health plan, a clearinghouse — or you self-insure and want to use plan data, that's a separate analysis; reach out directly. This is a starting point, not legal advice: confirm scope with your benefits and employment counsel. Plan facts verified June 2026 — re-check at claude.com/pricing and support.claude.com, which change often.