An HR team runs almost everything on Claude Team — same-day, no contract. Genuine plan-side PHI is the one case Team can’t cover, because Team carries no BAA; only the API and Enterprise do. If a benefits team handles claims for a self-insured plan, that narrow set routes to one of two covered paths — and that routing is a company/compliance/IT decision, not an HR-team one.
Before you architect for HIPAA, classify. HIPAA-PHI is health information held by a covered entity — the company’s group health plan — not the employer acting as an employer.
Benefits enrollment, FMLA notes, and ADA files held on the employer side are sensitive but generally aren’t HIPAA-PHI — that work stays on Team. Run the data-classification sort first — most of the apparent PHI turns out not to be, and the problem shrinks to a narrow real set. The paths below are only for what genuinely remains.
On HIPAA-ready Enterprise, the Primary Owner activates HIPAA-readiness in Org settings → Data & privacy; the BAA is click-to-accept, with no legal cycle. Staff then get a covered chat surface.
Catches: Covered Models require the 30-day retention posture, so they aren’t available under Zero Data Retention; Claude Code, conversely, is covered only with ZDR on. An API BAA signed before December 2, 2025 does not carry over to this path; you need a new one.
The API on AWS Bedrock is HIPAA-eligible under your existing AWS BAA. The data stays inside AWS and is never sent to Anthropic, which often makes it the cleanest path for health-data-heavy work.
Tradeoff: this is a build path, not a chat seat. You’re calling the API from your own application, not handing staff a chat box. The right path when PHI lives in a product or a data pipeline.
Team, Cowork, Console, Workbench, and personal Free / Pro / Max accounts carry no BAA — this is the one place the HR team’s default plan stops. Team is the right surface for everything that isn’t genuine PHI; it is never the surface for the PHI itself. The assumption that one signed BAA covers every Claude surface is the single most common HIPAA mistake. (See the surface map.)
| If your genuine PHI is… | Use |
|---|---|
| In a chat workflow staff run by hand | HIPAA-ready Enterprise (BAA on, retention posture set) |
| In a product, pipeline, or health-data-heavy build | The API on AWS Bedrock (data stays in AWS) |
| Not actually held by a covered entity | Neither — it’s sensitive HR data, not PHI. Stay on Team (Enterprise only if IT mandates it company-wide). |
Anthropic changes plan structure, BAA terms, and surface coverage often — re-verify at support.claude.com and claude.com/pricing at decision time. Legal points are for your counsel to confirm; this isn’t legal advice.
Classify first, and genuine PHI shrinks to a narrow set, often none. The rest stays on Team, the HR team’s default. For what remains, HIPAA-ready Enterprise covers chat and Bedrock covers builds; that remainder is the one case Team can’t cover, and routing it is a company/compliance/IT decision when it comes up.
The mistake is skipping classification and reaching for a BAA to bless everything. It doesn’t.
A Sprint confirms what’s genuinely PHI, routes it to the right covered path, and keeps the rest of the workforce on a simpler surface — with counsel confirming the scope.
This is my AI-for-HR practice — one of three I run, alongside Total Rewards and HR Systems. They’re separate practices; you can hire me for any one of them on its own.
Start a conversation → No cost to find out where you stand.