
GitHub Copilot and HIPAA: What Every Healthcare PM Needs to Know

Is GitHub Copilot HIPAA compliant? Yes, but only with Business tier + BAA. This guide explains everything in plain English—no technical jargon, just actionable steps.


Quick Answer

GitHub Copilot Business ($19/user/month) is HIPAA compliant when you have a signed Business Associate Agreement (BAA) from GitHub. The free and standard tiers are NOT HIPAA compliant.


What is GitHub Copilot? (Explain Like I'm 5)

GitHub Copilot is like autocomplete for code. Just like your phone suggests the next word when you're texting, Copilot suggests the next lines of code when developers are programming.

How It Works (Simple Version)

  1. Developer types a comment describing what they want to build
  2. Copilot sends that comment + surrounding code to Microsoft's servers
  3. Microsoft's AI analyzes it and suggests code
  4. Developer accepts or rejects the suggestion

The Key HIPAA Concern

Step #2 is the problem: Code snippets are sent to Microsoft's servers. If that code contains Protected Health Information (PHI), you've just transmitted PHI to a third party without proper safeguards.

The HIPAA Concern

What is PHI?

Protected Health Information (PHI) is any health data that can identify a person. Examples:

Obvious PHI

  • Patient names
  • Social Security Numbers
  • Medical record numbers
  • Email addresses
  • Phone numbers

Less Obvious PHI

  • IP addresses
  • Device identifiers
  • Biometric data
  • Photos
  • Any unique identifier

The Problem with Standard Copilot

Free & Standard Tiers Are NOT HIPAA Compliant

  • No Business Associate Agreement (BAA) available
  • Your code is used to train Microsoft's AI models
  • Code snippets may be retained indefinitely
  • No audit logs or compliance controls

Real Example: What Could Go Wrong

Scenario: A developer is working on your patient database. They write a comment:

// Get patient John Smith (MRN: 12345) appointment history

Copilot sends this to Microsoft's servers. Now Microsoft has:

  • Patient name: John Smith
  • Medical record number: 12345
  • Context: Appointment history

That's a HIPAA violation. Potential fine: $50,000 per violation.

Is GitHub Copilot HIPAA Compliant?

It depends on which tier you're using. Here's the complete breakdown:

Tier                Price          BAA Available?   HIPAA Compliant?    Code Used for Training?
Individual (Free)   Free           No               NO                  Yes
Standard            $10/user/mo    No               NO                  Yes
Business            $19/user/mo    Yes              YES (with BAA)      No
Enterprise          $39/user/mo    Yes              YES (with BAA)      No

GitHub Copilot Business IS HIPAA Compliant

When properly configured with a signed BAA, Copilot Business meets HIPAA requirements:

  • BAA available from GitHub (covers you legally)
  • Code NOT used for training (your data stays private)
  • Audit logs (track who used Copilot and when)
  • Admin controls (restrict which repos can use Copilot)
  • Data encryption in transit and at rest

What You Need to Do (5-Minute Action Plan)

Follow these 5 steps to get HIPAA-compliant with GitHub Copilot:

Step 1: Find Out If Your Team Is Using Copilot

You can't manage what you don't know about. Send this email to your team:

Subject: Quick Question About AI Tools

Hi team,

I'm working on ensuring we're compliant with HIPAA regulations for AI tools.

Could you reply (anonymously if you prefer) and let me know:
1. Are you using GitHub Copilot?
2. If yes, which repos/projects do you use it on?

No judgment—just trying to get visibility so we can make sure we're set up properly.

Thanks!

Alternative: Check your GitHub Organization settings → Copilot → Usage to see who has Copilot enabled.

Step 2: Determine Which Tier They're Using

Go to your GitHub Organization → Settings → Billing → Copilot

If you see "Individual" or "Standard" → NOT compliant
If you see "Business" or "Enterprise" → Potentially compliant (need BAA)

Step 3: Assess PHI Exposure Risk

Determine which repositories contain PHI:

High-Risk Repos (Likely Contain PHI)

  • Patient database code
  • Electronic Health Record (EHR) integrations
  • Billing/claims processing
  • Patient portal code
  • Any code that queries patient data

Action: Create a list of high-risk repos. These MUST NOT use Copilot Individual/Standard.
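Building that list by hand is error-prone, so a first-pass scan of each repository's source for PHI-like strings helps confirm which repos belong on it. The script below is an added example written for this guide, not a tool from GitHub or from the guide's author. Its patterns are heuristics chosen for illustration (a labelled medical record number as in the "John Smith (MRN: 12345)" comment above, US Social Security Number formatting, e-mail addresses, and a capitalised name following the word "patient"); the sample text it scans is constructed for the example. A hit is a prompt to review the file, not proof that PHI was transmitted.

```python
"""Triage scan of source text for PHI-like identifiers.

Added example for the Copilot/HIPAA guide; not part of the original page.
The regexes below are assumptions chosen for illustration and should be
tuned to the identifiers your own systems use.
"""
import re
import sys
from collections import Counter
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable, List


@dataclass
class Finding:
    path: str       # file the line came from ("<input>" for in-memory text)
    line_no: int    # 1-based line number
    category: str   # which heuristic fired
    excerpt: str    # the offending line, trimmed


# Heuristic patterns (assumptions for this example), kept narrow so that
# each hit is easy to explain to a reviewer.
PATTERNS: Dict[str, re.Pattern] = {
    # "MRN: 12345", "MRN 12345", "mrn=12345" (4-10 digit record numbers)
    "medical_record_number": re.compile(r"\bMRN\b\s*[:=#]?\s*\d{4,10}\b", re.IGNORECASE),
    # US Social Security Number in 123-45-6789 form
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # e-mail addresses
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # "patient John Smith": a capitalised first and last name after "patient"
    "patient_name": re.compile(r"\bpatient\s+([A-Z][a-z]+\s+[A-Z][a-z]+)\b"),
}

# File types worth scanning; everything else is skipped.
SOURCE_SUFFIXES = {".py", ".js", ".ts", ".java", ".cs", ".go", ".sql", ".md", ".txt"}


def scan_text(text: str, path: str = "<input>") -> List[Finding]:
    """Return one Finding per (line, pattern) match in the given text."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for category, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, category, line.strip()[:120]))
    return findings


def scan_paths(paths: Iterable[Path]) -> List[Finding]:
    """Scan every source file under the given files/directories."""
    findings: List[Finding] = []
    for root in paths:
        files = [root] if root.is_file() else root.rglob("*")
        for f in files:
            if f.is_file() and f.suffix.lower() in SOURCE_SUFFIXES:
                text = f.read_text(encoding="utf-8", errors="ignore")
                findings.extend(scan_text(text, str(f)))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per category, for the repo risk list."""
    return dict(Counter(f.category for f in findings))


# Constructed sample: a comment like the one in the guide plus a copied fixture.
SAMPLE = """\
// Get patient John Smith (MRN: 12345) appointment history
def get_appointments(mrn: str) -> list:
    # Look up appointments by medical record number
    return db.query('SELECT * FROM appointments WHERE mrn = ?', mrn)
# Test fixture copied from prod: ssn 123-45-6789, contact jsmith@example.com
"""


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the given paths.
    results = scan_paths(Path(p) for p in sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE)
    for r in results:
        print(f"{r.path}:{r.line_no} [{r.category}] {r.excerpt}")
    print("summary:", summarize(results))
```

Run it with no arguments to see the four hits in the constructed sample (the MRN and patient name on line 1, the SSN and e-mail on line 5), or pass one or more repository paths to scan real code. Any repo that produces hits belongs on the high-risk list until someone has looked at the flagged lines.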

Step 4: Get a BAA from GitHub (If Business/Enterprise)

If you're on Business or Enterprise tier, request a BAA:

  1. Contact GitHub Enterprise Support
  2. Request "Business Associate Agreement for GitHub Copilot Business"
  3. Review with your legal team
  4. Sign and return (typically 1-2 weeks)

What to look for in the BAA: Ensure it covers data encryption, breach notification, audit rights, and data retention policies.

Step 5: Create a Policy

Document your GitHub Copilot usage policy. Key points to include:

Approved Use

  • ✅ GitHub Copilot Business on non-PHI repos
  • ✅ GitHub Copilot Business on PHI repos (with BAA signed)

Prohibited Use

  • ❌ GitHub Copilot Individual/Standard on ANY repos
  • ❌ Copilot on PHI repos without signed BAA
  • ❌ Copying PHI into Copilot prompts

Email Templates

Template 1: Email to Developers

Subject: GitHub Copilot Usage - Action Required

Hi team,

As part of our HIPAA compliance program, we're updating our GitHub Copilot usage policy.

What's changing:

  • We're upgrading to GitHub Copilot Business ($19/user/month)
  • We've signed a Business Associate Agreement (BAA) with GitHub
  • Copilot is now approved for use on all repos, including PHI-containing code

What you need to do:

  1. If you're using Copilot Individual/Standard, switch to Business tier (I'll send upgrade link)
  2. Review the updated policy: [link]
  3. Complete 5-minute training: [link]

Deadline: [Date - give 2 weeks]

Questions? Reply to this email or ping me on Slack.

Thanks,
[Your name]

Template 2: Email to Legal

Subject: GitHub Copilot HIPAA Compliance Status

Hi [Legal contact],

Following up on your question about AI tool compliance, here's the status of GitHub Copilot:

Current Status:

  • Tool: GitHub Copilot Business
  • Users: [X] developers
  • Cost: $19/user/month = $[total]/month
  • BAA Status: Signed on [date]
  • HIPAA Compliance: ✅ Compliant

Safeguards in place:

  • Code is NOT used for AI training
  • Data encrypted in transit and at rest
  • Audit logs enabled (can track all usage)
  • Admin controls restrict usage to approved repos
  • Team trained on policy (completion rate: [X]%)

Documentation:

  • BAA: [link to signed document]
  • Usage policy: [link]
  • Training materials: [link]
  • Audit logs: Available upon request

Let me know if you need any additional information for the compliance review.

Best,
[Your name]

Frequently Asked Questions

Q: What if my team is already using Copilot Individual?

A: Don't panic. Here's what to do:

  1. Immediately upgrade to Copilot Business
  2. Get BAA signed ASAP (1-2 weeks)
  3. Audit past 6 months: Which repos were accessed? Any PHI exposure?
  4. Document findings and remediation steps
  5. Inform legal if you discover PHI was transmitted

Q: How much does Copilot Business cost?

A: $19/user/month. For a team of 10 developers, that's $190/month or $2,280/year. Compare that to a single HIPAA violation fine ($50,000+) and it's a no-brainer.

Q: What if legal says no to Copilot entirely?

A: You have alternatives:

  • Amazon CodeWhisperer: Also offers BAA, similar pricing
  • Tabnine: Self-hosted option (data never leaves your servers)
  • No AI tools: Restrict all AI coding assistants (developers won't be happy)

Q: Do we need a separate BAA for each developer?

A: No. One BAA covers your entire GitHub Organization. All developers under that org are covered.

Q: Can I restrict Copilot to only certain repos?

A: Yes! Copilot Business allows you to enable/disable Copilot per repository. You can:

  • Enable Copilot on low-risk repos (no PHI)
  • Disable Copilot on high-risk repos (contains PHI)
  • Require approval before enabling on new repos

Q: How do I monitor Copilot usage?

A: GitHub provides usage reports:

  • Go to Organization Settings → Copilot → Usage
  • See which users are active, which repos they're using Copilot on
  • Export data monthly for compliance records
  • Set up alerts for unusual activity

Summary: GitHub Copilot CAN Be HIPAA Compliant

GitHub Copilot Business ($19/user/month) is HIPAA compliant with a signed BAA

Free and Standard tiers are NOT HIPAA compliant (no BAA available)

Follow the 5-step action plan above to get compliant

Download our policy template to save time
