Skip to main content
guidesSource-backedReview first Safety Privacy

Using Claude Code in Healthcare and PHI-Sensitive Environments

The Claude Code data-handling controls that matter for teams working near PHI: no-training commercial policy, retention windows, Zero Data Retention, encryption, local transcript handling, telemetry opt-outs, and security model.

by JSONbored·added 2025-10-27·
HarnessClaude Code
Review first review before installing

Open the source and read safety notes before installing.

Citation facts

Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.

Source URLs
https://code.claude.com/docs/en/data-usage, https://github.com/JSONbored/awesome-claude/blob/main/content/guides/healthcare-hipaa-guide.mdx
Safety notes
Claude Code stores session transcripts locally in plaintext under `~/.claude/projects/` for 30 days by default; tune retention with `cleanupPeriodDays`., Telemetry, error reporting, and `/feedback` send data off-machine on the Anthropic API by default; disable with `DISABLE_TELEMETRY`, `DISABLE_ERROR_REPORTING`, `DISABLE_FEEDBACK_COMMAND`, or `CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC`., Zero Data Retention is not part of the standard Enterprise plan—it requires separate Anthropic enablement and disables features such as Claude Code on the web and `/feedback`.
Privacy notes
PHI-sensitive: transcripts saved locally in plaintext may contain prompt and file content; control them via `cleanupPeriodDays` and disk-level protections., Under commercial terms (Team/Enterprise/API) Anthropic does not train models on Claude Code prompts unless you opt in to the Development Partner Program; consumer plans may be used for training when the setting is on., `/feedback` transcripts are retained for up to 5 years; standard commercial retention is 30 days; consumer retention is 30 days or 5 years depending on the training setting.
Author
JSONbored
Claim status
unclaimed
Last verified
2025-10-27

Decision playbook

Review trust signals before you adopt

Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.

Compare context
Selected

0

Current score

78

Baseline

Delta

No baseline selected

No major trust-signal divergence detected in the current selection.

Source and provenance checks

Complete

Confirm ownership and provenance before trusting install instructions.

  • Source link availableRequired

    Open the canonical repository and verify ownership.

    Done
  • Source provenance statusRequired

    Marked as source-backed.

    Done
  • Metadata reviewed

    Registry metadata indicates a reviewed listing.

    Done

Safety and privacy checks

Complete

Validate risk disclosures before installation or API wiring.

  • Safety notes presentRequired

    Review the listed safety guidance before running commands.

    Done
  • Privacy notes presentRequired

    Review data handling notes before connecting accounts or secrets.

    Done
  • Trust level risk gateRequired

    Trust level does not block evaluation.

    Done

Package and install checks

Needs review

Check package metadata and artifact integrity signals.

  • Install payload available

    Install or copy payload is available for review.

    Done
  • Package verification flag

    No package verification flag provided.

    Pending
  • Checksum metadata

    No checksum provided for downloaded artifact.

    Pending

Compare-driven decision checks

Needs review

Use compare context to validate trade-offs before adoption.

  • Compare tray has multiple entries

    Add at least one more entry to compare trust differences.

    Pending
  • Baseline comparison available

    No baseline peer selected yet.

    Pending
  • Diverging trust signals identified

    No major trust-signal divergence found.

    Pending

Setup at a glance

Copy & paste

Copy-ready — paste the snippet to get started.

Install command

Not provided

Config snippet

Not provided

Copy snippet

Provided

Prerequisites

3 to clear

Platforms

1 listed

Difficulty

60/100

Adoption plan

Balanced adoption plan

Current risk score 16/100. Use staged verification before broader rollout.

Risk 16

Pre-adoption checks

Validate source and review signals before any execution.

  • Confirm source provenanceRequired

    Source URL/provenance metadata is present.

    Done
  • Confirm metadata review state

    Listing has review metadata.

    Done
  • Verify install payload

    Install/config payload exists and can be inspected.

    Done

Security checks

Confirm safety, privacy, and package integrity signals.

  • Review safety notesRequired

    Safety notes are present.

    Done
  • Review privacy notesRequired

    Privacy notes are present.

    Done
  • Verify package integrity metadata

    No package verification/checksum metadata.

    Pending

Rollout

Adopt in controlled steps based on the selected plan.

  • Run in isolated sandbox firstRequired

    Use a constrained sandbox and observe behavior across multiple tasks.

    Pending
  • Roll out graduallyRequired

    Roll out to a small cohort before wider usage.

    Pending
  • Set monitoring and fallback

    Define rollback path and monitor errors after adoption.

    Pending

Evidence readiness

Evidence readiness matrix · balanced

Required evidence gates are covered (5/6 signals complete).

Risk 15

Source provenance

Present

Source repository/provenance is listed.

Required in this preset

Metadata review

Present

Review metadata is present.

Required in this preset

Safety notes

Present

Safety notes are present.

Required in this preset

Privacy notes

Present

Privacy notes are present.

Optional in this preset

Package integrity

Missing

Package integrity metadata is missing.

Optional in this preset

Install payload

Present

Install payload is available.

Required in this preset

Required evidence gates are covered for this preset.

Decision timeline

Decision timeline · balanced

5/6 steps complete with no blocking gaps for this preset.

Risk 14

triage

Confirm source provenanceRequired

Source/provenance metadata is available.

Done

triage

Check metadata review statusRequired

Review metadata is available.

Done

verify

Review safety notesRequired

Safety notes are available.

Done

verify

Review privacy notes

Privacy notes are available.

Done

verify

Validate package integrity metadata

Package integrity metadata is missing.

Pending

rollout

Verify install payload and commandsRequired

Install payload is available.

Done

No required blockers for this timeline preset.

Prerequisite readiness

Prerequisite readiness

3 prerequisites to line up before setup. Have accounts and credentials ready first. Includes a review or approval gate.

0/3 ready
Account & credentials1Review & approval1General1

Safety & privacy surface

Safety & privacy surface

3 safety and 3 privacy notes across 5 risk areas. Review closely: credentials & tokens.

5 areas
  • SafetyCredentials & tokensClaude Code stores session transcripts locally in plaintext under `~/.claude/projects/` for 30 days by default; tune retention with `cleanupPeriodDays`.
  • SafetyExecution & processesTelemetry, error reporting, and `/feedback` send data off-machine on the Anthropic API by default; disable with `DISABLE_TELEMETRY`, `DISABLE_ERROR_REPORTING`, `DISABLE_FEEDBACK_COMMAND`, or `CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC`.
  • SafetyData retentionZero Data Retention is not part of the standard Enterprise plan—it requires separate Anthropic enablement and disables features such as Claude Code on the web and `/feedback`.
  • PrivacyLocal filesPHI-sensitive: transcripts saved locally in plaintext may contain prompt and file content; control them via `cleanupPeriodDays` and disk-level protections.
  • PrivacyGeneralUnder commercial terms (Team/Enterprise/API) Anthropic does not train models on Claude Code prompts unless you opt in to the Development Partner Program; consumer plans may be used for training when the setting is on.
  • PrivacyExecution & processes`/feedback` transcripts are retained for up to 5 years; standard commercial retention is 30 days; consumer retention is 30 days or 5 years depending on the training setting.

Safety notes

  • Claude Code stores session transcripts locally in plaintext under `~/.claude/projects/` for 30 days by default; tune retention with `cleanupPeriodDays`.
  • Telemetry, error reporting, and `/feedback` send data off-machine on the Anthropic API by default; disable with `DISABLE_TELEMETRY`, `DISABLE_ERROR_REPORTING`, `DISABLE_FEEDBACK_COMMAND`, or `CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC`.
  • Zero Data Retention is not part of the standard Enterprise plan—it requires separate Anthropic enablement and disables features such as Claude Code on the web and `/feedback`.

Privacy notes

  • PHI-sensitive: transcripts saved locally in plaintext may contain prompt and file content; control them via `cleanupPeriodDays` and disk-level protections.
  • Under commercial terms (Team/Enterprise/API) Anthropic does not train models on Claude Code prompts unless you opt in to the Development Partner Program; consumer plans may be used for training when the setting is on.
  • `/feedback` transcripts are retained for up to 5 years; standard commercial retention is 30 days; consumer retention is 30 days or 5 years depending on the training setting.

Prerequisites

  • Confirm your account type (Free/Pro/Max vs. Team/Enterprise/API), since data-training and retention behavior differ by type.
  • Engage your compliance/legal team and review HHS HIPAA guidance before processing any PHI; this guide does not establish HIPAA compliance.
  • Identify your model provider (Anthropic API, Bedrock, Vertex AI, or Foundry), since encryption-at-rest and default telemetry differ by provider.

Schema details

Install type
copy
Reading time
6 min
Difficulty score
60
Troubleshooting
No
Breaking changes
No
Skill and platform metadata
Retrieval sources
https://code.claude.com/docs/en/data-usagehttps://code.claude.com/docs/en/zero-data-retentionhttps://code.claude.com/docs/en/security
Full copyable content
## TL;DR

If your team works near protected health information (PHI), the questions that matter for adopting Claude Code are concrete and answerable from Anthropic's own documentation: Does Anthropic train on your prompts? How long is data kept? What does Zero Data Retention actually turn off? How is data encrypted? Where do transcripts live on disk, and how do you control them? What telemetry leaves the machine, and how do you stop it?

This guide answers those questions from the published Claude Code data-usage, Zero Data Retention, and security docs. It does **not** establish HIPAA compliance and does not claim Claude Code is "HIPAA certified."

> **This is not legal or compliance advice.**
>
> Whether any tool can lawfully process PHI depends on your contracts (including any Business Associate Agreement), your configuration, and your obligations under HIPAA. Consult official [HHS HIPAA guidance](https://www.hhs.gov/hipaa/index.html) and your own compliance and legal team before processing PHI with Claude Code or any AI tool. Nothing below is a representation that Claude Code is HIPAA compliant.

**Key points (all grounded in Claude Code docs):**

- Under commercial terms (Team, Enterprise, API), Anthropic does not train generative models on Claude Code code or prompts unless you opt in.
- Standard commercial retention is 30 days; Zero Data Retention (ZDR) is available only to qualified Claude for Enterprise accounts and must be enabled by Anthropic.
- Data is encrypted in transit via TLS 1.2+; encryption at rest depends on your model provider.
- Claude Code stores transcripts locally in plaintext for 30 days by default, controllable with `cleanupPeriodDays`.

## Why "HIPAA mapping" is the wrong frame here

HIPAA safeguards are legal obligations on *covered entities and business associates*—they are satisfied by contracts, policies, risk analyses, and your overall environment, not by a single developer tool. A documentation tool cannot "be HIPAA compliant" on its own. What a tool *can* do is give you verifiable, documented data-handling controls that your compliance program can build on.

So this guide does the verifiable part: it catalogs the data controls Claude Code actually documents and points to where each is described. Treat HIPAA only as the general reason these controls matter ("teams handling PHI must minimize data exposure and retention")—and take the legal mapping to HHS guidance and your compliance team.

## Claude Code data controls reference

Every row below traces to the official Claude Code documentation. Use it as the starting checklist for a PHI-sensitive review.

| Control | What it does | Where it's documented |
| --- | --- | --- |
| Commercial no-training policy | Under Team, Enterprise, API, and Gov terms, Anthropic does not train generative models on code or prompts sent to Claude Code, unless the customer opts in (e.g., Development Partner Program). | [Data usage → Data training policy](https://code.claude.com/docs/en/data-usage) |
| Consumer training choice | On Free/Pro/Max, data may be used to train future models when the setting is on; changeable anytime in privacy settings. | [Data usage → Data training policy](https://code.claude.com/docs/en/data-usage) |
| Standard retention (commercial) | Team, Enterprise, and API: 30-day retention period. | [Data usage → Data retention](https://code.claude.com/docs/en/data-usage) |
| Consumer retention | 30 days if training is off; 5 years if the training setting is on. | [Data usage → Data retention](https://code.claude.com/docs/en/data-usage) |
| `/feedback` retention | Transcripts shared via `/feedback` are retained for 5 years; transcripts shared via the session-quality follow-up are retained up to 6 months. | [Data usage → Feedback / Data retention](https://code.claude.com/docs/en/data-usage) |
| Zero Data Retention (ZDR) | Prompts and responses processed in real time and not stored after the response returns (except where required by law or to address misuse). Available only to qualified Claude for Enterprise accounts; enabled per-organization by Anthropic. | [Zero data retention](https://code.claude.com/docs/en/zero-data-retention) |
| Encryption in transit | All prompts and outputs encrypted in transit via TLS 1.2+. | [Data usage → Local data flow](https://code.claude.com/docs/en/data-usage) |
| Encryption at rest | Provider-dependent: Anthropic API uses AES-256 disk encryption; Bedrock AES-256 (AWS-managed, CMK via KMS); Vertex AI Google-managed keys (CMEK available); Foundry routes to Anthropic AES-256. | [Data usage → Local data flow table](https://code.claude.com/docs/en/data-usage) |
| Local transcript storage | Session transcripts stored locally in plaintext under `~/.claude/projects/` for 30 days by default to enable resumption. | [Data usage → Data retention (local caching)](https://code.claude.com/docs/en/data-usage) |
| `cleanupPeriodDays` | Adjusts how long local transcripts are kept before cleanup. | [Data usage → Data retention](https://code.claude.com/docs/en/data-usage) |
| Telemetry opt-out | Operational metrics (latency, reliability, usage—no code or file paths) sent by default on the Anthropic API; disable with `DISABLE_TELEMETRY`. | [Data usage → Telemetry services](https://code.claude.com/docs/en/data-usage) |
| Error-reporting opt-out | Sentry error logging on by default on the Anthropic API; disable with `DISABLE_ERROR_REPORTING`. | [Data usage → Telemetry services](https://code.claude.com/docs/en/data-usage) |
| Feedback opt-out | Disable the `/feedback` command with `DISABLE_FEEDBACK_COMMAND=1`; disable session-quality surveys with `CLAUDE_CODE_DISABLE_FEEDBACK_SURVEY=1`. | [Data usage → Feedback / surveys](https://code.claude.com/docs/en/data-usage) |
| Nonessential-traffic kill switch | `CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC` opts out of all non-essential traffic at once (does not affect the WebFetch safety check). | [Data usage → Default behaviors](https://code.claude.com/docs/en/data-usage) |
| Provider defaults | On Bedrock, Vertex, Foundry, and Claude Platform on AWS, error reporting, telemetry, and bug reporting are off by default. | [Data usage → Default behaviors by API provider](https://code.claude.com/docs/en/data-usage) |
| Permission-based architecture | Read-only by default; modifying actions require explicit approval; read-only commands like `ls`, `cat`, `git status` run without a prompt. | [Security → Permission-based architecture](https://code.claude.com/docs/en/security) |
| Write-access restriction | Claude Code can only write within the startup folder and subfolders; parent-directory writes need explicit permission. | [Security → Built-in protections](https://code.claude.com/docs/en/security) |
| Sandboxing | `/sandbox` provides filesystem and network isolation for Bash commands. | [Security → Built-in protections](https://code.claude.com/docs/en/security) |
| Secure credential storage | API keys/tokens stored in the macOS Keychain when available; protected by file permissions on Windows and Linux. | [Security → Privacy safeguards](https://code.claude.com/docs/en/security) |
| Network-command approval | Web-fetching commands such as `curl`/`wget` are not auto-approved; can be blocked via `permissions.deny`. | [Security → Protect against prompt injection](https://code.claude.com/docs/en/security) |
| Trust verification | First-time codebases and new MCP servers require trust verification. | [Security → Additional safeguards](https://code.claude.com/docs/en/security) |
| Managed settings / OTel auditing | Organizations enforce standards via managed settings; activity can be monitored through OpenTelemetry metrics. | [Security → Team security](https://code.claude.com/docs/en/security) |

## Data training policy: what commercial terms guarantee

Per the [data-usage docs](https://code.claude.com/docs/en/data-usage), commercial users—Team, Enterprise, API, third-party platforms, and Claude Gov—are covered by a policy where **Anthropic does not train generative models using code or prompts sent to Claude Code under commercial terms**, unless the customer explicitly opts in (for example, via the Development Partner Program, which an org admin must enable and which is first-party API only).

Consumer plans (Free, Pro, Max) are different: data may be used to improve future models when the setting is on, including when Claude Code is used from those accounts. For PHI-sensitive work, that distinction is decisive—account type drives both training and retention behavior.

## Retention windows

From the same docs:

- **Commercial (Team, Enterprise, API):** standard 30-day retention.
- **Consumer:** 30 days if training is off; 5 years if the training setting is on.
- **`/feedback` transcripts:** retained for 5 years.
- **Session-quality follow-up transcripts (only if you select "Yes"):** retained up to 6 months.
- **Local caching:** transcripts kept locally in plaintext under `~/.claude/projects/` for 30 days by default, adjustable with `cleanupPeriodDays`.

## Zero Data Retention (ZDR)

The [Zero Data Retention docs](https://code.claude.com/docs/en/zero-data-retention) describe ZDR precisely:

- **What it is:** prompts and model responses are processed in real time and **not stored** by Anthropic after the response returns, except where required by law or to combat misuse.
- **Who qualifies:** available only to **qualified accounts on Claude for Enterprise**. It is *not* part of the standard Enterprise plan and *cannot* be enabled from admin settings—Anthropic enables it per-organization after confirming eligibility (contact sales/your account team). It does not auto-apply to newly created organizations.
- **What it disables:** features that require storing prompts or completions are turned off at the backend, including **Claude Code on the web**, **Cloud sessions** from the Desktop app, and **`/feedback`** submission.
- **What it does not cover:** chat on claude.ai, Cowork, analytics metadata (account emails, usage stats), user/seat management data, and third-party integrations/MCP servers—these follow standard retention.
- **Model caveat:** some models that require retention are unavailable under ZDR (e.g., Claude Fable 5); the `best` alias resolves to Opus for ZDR organizations.
- **Policy-violation exception:** flagged sessions may have inputs/outputs retained up to 2 years.

For Bedrock, Vertex AI, or Foundry deployments, ZDR on Claude for Enterprise does not apply—those platforms' own retention policies govern.

## Encryption

Per the data-usage docs, **all prompts and outputs are encrypted in transit via TLS 1.2+**, and Claude Code is compatible with most popular VPNs and LLM proxies. **Encryption at rest depends on the model provider:**

- **Anthropic API:** infrastructure-level disk encryption (AES-256); enable ZDR for no server-side persistence.
- **Amazon Bedrock:** AES-256 with AWS-managed keys; customer-managed keys via AWS KMS.
- **Google Cloud Vertex AI:** Google-managed keys; CMEK available.
- **Microsoft Foundry:** routes to Anthropic infrastructure with AES-256 disk encryption.

## Local transcripts and on-disk data

This is often the most overlooked exposure point for PHI-sensitive teams. The docs state Claude Code clients **store session transcripts locally in plaintext** under `~/.claude/projects/` for 30 days by default to support session resumption. Control retention with the `cleanupPeriodDays` setting, and apply your own disk-level protections (full-disk encryption, access controls) to those paths. If prompts or pasted content could contain PHI, the local cache must be part of your data-handling plan.

## Telemetry, error reporting, and feedback

On the Anthropic API, several non-essential flows are **on by default** and send data off-machine:

- **Telemetry** (operational metrics only—no code or file paths): `DISABLE_TELEMETRY` to opt out.
- **Sentry error reporting:** `DISABLE_ERROR_REPORTING` to opt out.
- **`/feedback`** (sends conversation history, including code, to Anthropic): `DISABLE_FEEDBACK_COMMAND=1` to opt out.
- **Session-quality surveys:** `CLAUDE_CODE_DISABLE_FEEDBACK_SURVEY=1` to opt out.

A single switch, `CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC`, opts out of all non-essential traffic at once (it does not affect the WebFetch domain safety check, which has its own `skipWebFetchPreflight` opt-out). On Bedrock, Vertex, Foundry, and Claude Platform on AWS, error reporting, telemetry, and bug reporting are **off by default**. All of these variables can be committed to `settings.json` to enforce them across a team.

## Network, proxy, and credentials

- Claude Code works with most popular VPNs and LLM proxies (data-usage docs).
- API keys and tokens are stored in the **macOS Keychain** when available, and protected by file permissions on Windows and Linux ([Security → credential management](https://code.claude.com/docs/en/security)).
- Web-fetching commands (`curl`, `wget`) are not auto-approved and can be blocked entirely via `permissions.deny`.
- For Claude Code on the web, outbound traffic routes through a security proxy with audit logging, GitHub credentials never enter the sandbox, and each session runs in an isolated, auto-terminated VM with branch-restricted pushes.

## Access controls and the security model

From the [security docs](https://code.claude.com/docs/en/security):

- **Permission-based architecture:** read-only by default; modifying actions require explicit approval.
- **Write-access restriction:** writes confined to the startup folder and subfolders.
- **Sandboxing:** `/sandbox` adds filesystem and network isolation for Bash commands.
- **Prompt-injection safeguards:** context-aware analysis, input sanitization, isolated web-fetch context, command-injection detection, fail-closed matching, and trust verification for new codebases and MCP servers.
- **Org enforcement:** managed settings enforce standards across a team; OpenTelemetry metrics enable activity monitoring and auditing; `ConfigChange` hooks can audit or block settings changes mid-session.
- **Compliance artifacts:** SOC 2 Type 2 and ISO 27001 are available via the Anthropic Trust Center (linked from the security docs).

## A practical pre-adoption checklist for PHI-sensitive teams

1. **Confirm account type.** Use commercial terms (Team/Enterprise/API) so the no-training policy applies; avoid consumer plans for any work that could touch PHI.
2. **Decide on ZDR.** If your risk posture requires no server-side persistence, pursue ZDR on Claude for Enterprise through your account team, and accept the disabled features (web, cloud sessions, `/feedback`).
3. **Pin telemetry opt-outs in `settings.json`.** Set `CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC` (or the granular variables) so no non-essential data leaves the machine.
4. **Manage local transcripts.** Set an appropriate `cleanupPeriodDays`, and ensure `~/.claude/projects/` sits on encrypted, access-controlled storage.
5. **Lock down the security model.** Use managed settings, sandboxing, and `permissions.deny` for network commands; monitor via OpenTelemetry.
6. **Do the legal work separately.** Map controls above to your HIPAA obligations with your compliance/legal team and current HHS guidance—this guide does not do that for you.

## Frequently asked questions

**Is Claude Code "HIPAA compliant" or "HIPAA certified"?**
The Claude Code docs do not make that claim, and neither does this guide. Compliance depends on your contracts, configuration, and obligations—consult your compliance/legal team and HHS guidance.

**Does Anthropic train on my prompts?**
Under commercial terms (Team, Enterprise, API), no—unless you opt in (e.g., Development Partner Program). On consumer plans, data may be used to train future models when the setting is on.

**What is kept, and for how long?**
Commercial standard retention is 30 days; consumer is 30 days or 5 years depending on the training setting; `/feedback` transcripts 5 years; local transcripts 30 days by default (`cleanupPeriodDays`).

**How do I stop data from leaving my machine?**
Set `CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC` (or the granular `DISABLE_TELEMETRY`, `DISABLE_ERROR_REPORTING`, `DISABLE_FEEDBACK_COMMAND`, `CLAUDE_CODE_DISABLE_FEEDBACK_SURVEY` variables). Note prompts/outputs still flow to your model provider over TLS to get responses.

**What does Zero Data Retention turn off?**
At minimum: Claude Code on the web, Desktop cloud sessions, and `/feedback`. It also limits model availability and excludes analytics metadata, claude.ai chat, and third-party integrations.

_Last reviewed: June 2026. All claims sourced from the official Claude Code data-usage, Zero Data Retention, and security documentation._

About this resource

TL;DR

If your team works near protected health information (PHI), the questions that matter for adopting Claude Code are concrete and answerable from Anthropic's own documentation: Does Anthropic train on your prompts? How long is data kept? What does Zero Data Retention actually turn off? How is data encrypted? Where do transcripts live on disk, and how do you control them? What telemetry leaves the machine, and how do you stop it?

This guide answers those questions from the published Claude Code data-usage, Zero Data Retention, and security docs. It does not establish HIPAA compliance and does not claim Claude Code is "HIPAA certified."

This is not legal or compliance advice.

Whether any tool can lawfully process PHI depends on your contracts (including any Business Associate Agreement), your configuration, and your obligations under HIPAA. Consult official HHS HIPAA guidance and your own compliance and legal team before processing PHI with Claude Code or any AI tool. Nothing below is a representation that Claude Code is HIPAA compliant.

Key points (all grounded in Claude Code docs):

  • Under commercial terms (Team, Enterprise, API), Anthropic does not train generative models on Claude Code code or prompts unless you opt in.
  • Standard commercial retention is 30 days; Zero Data Retention (ZDR) is available only to qualified Claude for Enterprise accounts and must be enabled by Anthropic.
  • Data is encrypted in transit via TLS 1.2+; encryption at rest depends on your model provider.
  • Claude Code stores transcripts locally in plaintext for 30 days by default, controllable with cleanupPeriodDays.

Why "HIPAA mapping" is the wrong frame here

HIPAA safeguards are legal obligations on covered entities and business associates—they are satisfied by contracts, policies, risk analyses, and your overall environment, not by a single developer tool. A documentation tool cannot "be HIPAA compliant" on its own. What a tool can do is give you verifiable, documented data-handling controls that your compliance program can build on.

So this guide does the verifiable part: it catalogs the data controls Claude Code actually documents and points to where each is described. Treat HIPAA only as the general reason these controls matter ("teams handling PHI must minimize data exposure and retention")—and take the legal mapping to HHS guidance and your compliance team.

Claude Code data controls reference

Every row below traces to the official Claude Code documentation. Use it as the starting checklist for a PHI-sensitive review.

Control What it does Where it's documented
Commercial no-training policy Under Team, Enterprise, API, and Gov terms, Anthropic does not train generative models on code or prompts sent to Claude Code, unless the customer opts in (e.g., Development Partner Program). Data usage → Data training policy
Consumer training choice On Free/Pro/Max, data may be used to train future models when the setting is on; changeable anytime in privacy settings. Data usage → Data training policy
Standard retention (commercial) Team, Enterprise, and API: 30-day retention period. Data usage → Data retention
Consumer retention 30 days if training is off; 5 years if the training setting is on. Data usage → Data retention
/feedback retention Transcripts shared via /feedback are retained for 5 years; transcripts shared via the session-quality follow-up are retained up to 6 months. Data usage → Feedback / Data retention
Zero Data Retention (ZDR) Prompts and responses processed in real time and not stored after the response returns (except where required by law or to address misuse). Available only to qualified Claude for Enterprise accounts; enabled per-organization by Anthropic. Zero data retention
Encryption in transit All prompts and outputs encrypted in transit via TLS 1.2+. Data usage → Local data flow
Encryption at rest Provider-dependent: Anthropic API uses AES-256 disk encryption; Bedrock AES-256 (AWS-managed, CMK via KMS); Vertex AI Google-managed keys (CMEK available); Foundry routes to Anthropic AES-256. Data usage → Local data flow table
Local transcript storage Session transcripts stored locally in plaintext under ~/.claude/projects/ for 30 days by default to enable resumption. Data usage → Data retention (local caching)
cleanupPeriodDays Adjusts how long local transcripts are kept before cleanup. Data usage → Data retention
Telemetry opt-out Operational metrics (latency, reliability, usage—no code or file paths) sent by default on the Anthropic API; disable with DISABLE_TELEMETRY. Data usage → Telemetry services
Error-reporting opt-out Sentry error logging on by default on the Anthropic API; disable with DISABLE_ERROR_REPORTING. Data usage → Telemetry services
Feedback opt-out Disable the /feedback command with DISABLE_FEEDBACK_COMMAND=1; disable session-quality surveys with CLAUDE_CODE_DISABLE_FEEDBACK_SURVEY=1. Data usage → Feedback / surveys
Nonessential-traffic kill switch CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC opts out of all non-essential traffic at once (does not affect the WebFetch safety check). Data usage → Default behaviors
Provider defaults On Bedrock, Vertex, Foundry, and Claude Platform on AWS, error reporting, telemetry, and bug reporting are off by default. Data usage → Default behaviors by API provider
Permission-based architecture Read-only by default; modifying actions require explicit approval; read-only commands like ls, cat, git status run without a prompt. Security → Permission-based architecture
Write-access restriction Claude Code can only write within the startup folder and subfolders; parent-directory writes need explicit permission. Security → Built-in protections
Sandboxing /sandbox provides filesystem and network isolation for Bash commands. Security → Built-in protections
Secure credential storage API keys/tokens stored in the macOS Keychain when available; protected by file permissions on Windows and Linux. Security → Privacy safeguards
Network-command approval Web-fetching commands such as curl/wget are not auto-approved; can be blocked via permissions.deny. Security → Protect against prompt injection
Trust verification First-time codebases and new MCP servers require trust verification. Security → Additional safeguards
Managed settings / OTel auditing Organizations enforce standards via managed settings; activity can be monitored through OpenTelemetry metrics. Security → Team security

Data training policy: what commercial terms guarantee

Per the data-usage docs, commercial users—Team, Enterprise, API, third-party platforms, and Claude Gov—are covered by a policy where Anthropic does not train generative models using code or prompts sent to Claude Code under commercial terms, unless the customer explicitly opts in (for example, via the Development Partner Program, which an org admin must enable and which is first-party API only).

Consumer plans (Free, Pro, Max) are different: data may be used to improve future models when the setting is on, including when Claude Code is used from those accounts. For PHI-sensitive work, that distinction is decisive—account type drives both training and retention behavior.

Retention windows

From the same docs:

  • Commercial (Team, Enterprise, API): standard 30-day retention.
  • Consumer: 30 days if training is off; 5 years if the training setting is on.
  • /feedback transcripts: retained for 5 years.
  • Session-quality follow-up transcripts (only if you select "Yes"): retained up to 6 months.
  • Local caching: transcripts kept locally in plaintext under ~/.claude/projects/ for 30 days by default, adjustable with cleanupPeriodDays.

Zero Data Retention (ZDR)

The Zero Data Retention docs describe ZDR precisely:

  • What it is: prompts and model responses are processed in real time and not stored by Anthropic after the response returns, except where required by law or to combat misuse.
  • Who qualifies: available only to qualified accounts on Claude for Enterprise. It is not part of the standard Enterprise plan and cannot be enabled from admin settings—Anthropic enables it per-organization after confirming eligibility (contact sales/your account team). It does not auto-apply to newly created organizations.
  • What it disables: features that require storing prompts or completions are turned off at the backend, including Claude Code on the web, Cloud sessions from the Desktop app, and /feedback submission.
  • What it does not cover: chat on claude.ai, Cowork, analytics metadata (account emails, usage stats), user/seat management data, and third-party integrations/MCP servers—these follow standard retention.
  • Model caveat: some models that require retention are unavailable under ZDR (e.g., Claude Fable 5); the best alias resolves to Opus for ZDR organizations.
  • Policy-violation exception: flagged sessions may have inputs/outputs retained up to 2 years.

For Bedrock, Vertex AI, or Foundry deployments, ZDR on Claude for Enterprise does not apply—those platforms' own retention policies govern.

Encryption

Per the data-usage docs, all prompts and outputs are encrypted in transit via TLS 1.2+, and Claude Code is compatible with most popular VPNs and LLM proxies. Encryption at rest depends on the model provider:

  • Anthropic API: infrastructure-level disk encryption (AES-256); enable ZDR for no server-side persistence.
  • Amazon Bedrock: AES-256 with AWS-managed keys; customer-managed keys via AWS KMS.
  • Google Cloud Vertex AI: Google-managed keys; CMEK available.
  • Microsoft Foundry: routes to Anthropic infrastructure with AES-256 disk encryption.

Local transcripts and on-disk data

This is often the most overlooked exposure point for PHI-sensitive teams. The docs state Claude Code clients store session transcripts locally in plaintext under ~/.claude/projects/ for 30 days by default to support session resumption. Control retention with the cleanupPeriodDays setting, and apply your own disk-level protections (full-disk encryption, access controls) to those paths. If prompts or pasted content could contain PHI, the local cache must be part of your data-handling plan.

Telemetry, error reporting, and feedback

On the Anthropic API, several non-essential flows are on by default and send data off-machine:

  • Telemetry (operational metrics only—no code or file paths): DISABLE_TELEMETRY to opt out.
  • Sentry error reporting: DISABLE_ERROR_REPORTING to opt out.
  • /feedback (sends conversation history, including code, to Anthropic): DISABLE_FEEDBACK_COMMAND=1 to opt out.
  • Session-quality surveys: CLAUDE_CODE_DISABLE_FEEDBACK_SURVEY=1 to opt out.

A single switch, CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC, opts out of all non-essential traffic at once (it does not affect the WebFetch domain safety check, which has its own skipWebFetchPreflight opt-out). On Bedrock, Vertex, Foundry, and Claude Platform on AWS, error reporting, telemetry, and bug reporting are off by default. All of these variables can be committed to settings.json to enforce them across a team.

Network, proxy, and credentials

  • Claude Code works with most popular VPNs and LLM proxies (data-usage docs).
  • API keys and tokens are stored in the macOS Keychain when available, and protected by file permissions on Windows and Linux (Security → credential management).
  • Web-fetching commands (curl, wget) are not auto-approved and can be blocked entirely via permissions.deny.
  • For Claude Code on the web, outbound traffic routes through a security proxy with audit logging, GitHub credentials never enter the sandbox, and each session runs in an isolated, auto-terminated VM with branch-restricted pushes.

Access controls and the security model

From the security docs:

  • Permission-based architecture: read-only by default; modifying actions require explicit approval.
  • Write-access restriction: writes confined to the startup folder and subfolders.
  • Sandboxing: /sandbox adds filesystem and network isolation for Bash commands.
  • Prompt-injection safeguards: context-aware analysis, input sanitization, isolated web-fetch context, command-injection detection, fail-closed matching, and trust verification for new codebases and MCP servers.
  • Org enforcement: managed settings enforce standards across a team; OpenTelemetry metrics enable activity monitoring and auditing; ConfigChange hooks can audit or block settings changes mid-session.
  • Compliance artifacts: SOC 2 Type 2 and ISO 27001 are available via the Anthropic Trust Center (linked from the security docs).

A practical pre-adoption checklist for PHI-sensitive teams

  1. Confirm account type. Use commercial terms (Team/Enterprise/API) so the no-training policy applies; avoid consumer plans for any work that could touch PHI.
  2. Decide on ZDR. If your risk posture requires no server-side persistence, pursue ZDR on Claude for Enterprise through your account team, and accept the disabled features (web, cloud sessions, /feedback).
  3. Pin telemetry opt-outs in settings.json. Set CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC (or the granular variables) so no non-essential data leaves the machine.
  4. Manage local transcripts. Set an appropriate cleanupPeriodDays, and ensure ~/.claude/projects/ sits on encrypted, access-controlled storage.
  5. Lock down the security model. Use managed settings, sandboxing, and permissions.deny for network commands; monitor via OpenTelemetry.
  6. Do the legal work separately. Map controls above to your HIPAA obligations with your compliance/legal team and current HHS guidance—this guide does not do that for you.

Frequently asked questions

Is Claude Code "HIPAA compliant" or "HIPAA certified"? The Claude Code docs do not make that claim, and neither does this guide. Compliance depends on your contracts, configuration, and obligations—consult your compliance/legal team and HHS guidance.

Does Anthropic train on my prompts? Under commercial terms (Team, Enterprise, API), no—unless you opt in (e.g., Development Partner Program). On consumer plans, data may be used to train future models when the setting is on.

What is kept, and for how long? Commercial standard retention is 30 days; consumer is 30 days or 5 years depending on the training setting; /feedback transcripts 5 years; local transcripts 30 days by default (cleanupPeriodDays).

How do I stop data from leaving my machine? Set CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC (or the granular DISABLE_TELEMETRY, DISABLE_ERROR_REPORTING, DISABLE_FEEDBACK_COMMAND, CLAUDE_CODE_DISABLE_FEEDBACK_SURVEY variables). Note prompts/outputs still flow to your model provider over TLS to get responses.

What does Zero Data Retention turn off? At minimum: Claude Code on the web, Desktop cloud sessions, and /feedback. It also limits model availability and excludes analytics metadata, claude.ai chat, and third-party integrations.

Last reviewed: June 2026. All claims sourced from the official Claude Code data-usage, Zero Data Retention, and security documentation.

Source citations

Add this badge to your README

Show that Using Claude Code in Healthcare and PHI-Sensitive Environments is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

Listed on HeyClaude
[![Listed on HeyClaude](https://heyclau.de/badge/guides/healthcare-hipaa-guide.svg)](https://heyclau.de/entry/guides/healthcare-hipaa-guide)

How it compares

Using Claude Code in Healthcare and PHI-Sensitive Environments side by side with 2 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

2 trust signals differ across this comparison (Source provenance, Submitter).

Field

The Claude Code data-handling controls that matter for teams working near PHI: no-training commercial policy, retention windows, Zero Data Retention, encryption, local transcript handling, telemetry opt-outs, and security model.

Open dossier

How to deploy Claude Code in a security- and compliance-sensitive financial-services environment, using its documented data-handling, ZDR, network, IAM, and sandboxing controls.

Open dossier

Enterprise guide to zero data retention planning for Claude Code: contractual ZDR scope, logging boundaries, MCP data paths, and verification checkpoints.

Open dossier
Next steps
Trust
Review statusReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewed
Package trustPackage not verifiedPackage not verifiedPackage not verified
Source provenanceDiffersSource-backedSource-backedSubmission linkedSource submission
SubmitterDifferskiannidev
Install riskReview firstReview firstReview first
Notes Safety Privacy Safety Privacy Safety Privacy
Brand
Categoryguidesguidesguides
Sourcesource-backedsource-backedsource-backed
AuthorJSONboredJSONboredkiannidev
Added2025-10-272025-10-272026-06-14
Platforms
Claude Code
Claude Code
Claude Code
Source repo
Safety notesClaude Code stores session transcripts locally in plaintext under `~/.claude/projects/` for 30 days by default; tune retention with `cleanupPeriodDays`. Telemetry, error reporting, and `/feedback` send data off-machine on the Anthropic API by default; disable with `DISABLE_TELEMETRY`, `DISABLE_ERROR_REPORTING`, `DISABLE_FEEDBACK_COMMAND`, or `CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC`. Zero Data Retention is not part of the standard Enterprise plan—it requires separate Anthropic enablement and disables features such as Claude Code on the web and `/feedback`.Claude Code runs agentic Bash and file edits in your environment; it requests permission for non-read-only actions, but you are responsible for reviewing proposed commands and code before approval. In regulated environments, run it in sandboxed or containerized contexts and avoid granting blanket allowlists.ZDR policy does not eliminate local repository risk—developers can still commit secrets; pair ZDR with secret scanning and MCP review. Third-party MCP servers may retain data outside Claude Code ZDR guarantees; block or review them explicitly. Do not assume analytics dashboards are ZDR-compatible without verifying their data collection scope.
Privacy notesPHI-sensitive: transcripts saved locally in plaintext may contain prompt and file content; control them via `cleanupPeriodDays` and disk-level protections. Under commercial terms (Team/Enterprise/API) Anthropic does not train models on Claude Code prompts unless you opt in to the Development Partner Program; consumer plans may be used for training when the setting is on. `/feedback` transcripts are retained for up to 5 years; standard commercial retention is 30 days; consumer retention is 30 days or 5 years depending on the training setting.Financial-data prompts and outputs leave the machine over TLS to your model provider. Standard commercial retention is 30 days; Zero Data Retention is a separate per-org enablement. Transcripts also cache locally in plaintext under ~/.claude/projects/. Confirm provider, retention, and telemetry settings first.Document which subsystems may temporarily process prompts for abuse prevention versus training exclusions under ZDR. Map cross-border data flows if developers connect from multiple regions. Maintain records of ZDR verification dates and responsible owners for audits.
Prerequisites
  • Confirm your account type (Free/Pro/Max vs. Team/Enterprise/API), since data-training and retention behavior differ by type.
  • Engage your compliance/legal team and review HHS HIPAA guidance before processing any PHI; this guide does not establish HIPAA compliance.
  • Identify your model provider (Anthropic API, Bedrock, Vertex AI, or Foundry), since encryption-at-rest and default telemetry differ by provider.
— none listed
  • Enterprise agreement terms or security questionnaire requiring zero data retention alignment.
  • [object Object]
  • Legal, security, and platform engineering stakeholders for sign-off.
  • Test tenant or pilot group to validate retention behavior before broad rollout.
Install
Config
Citations
ClaimUnclaimedUnclaimedUnclaimed
Open 3 picks in the interactive comparison tool

Related guides

Signals

Loading live community signals…

More like this, weekly

A short, calm digest of reviewed Claude resources. Unsubscribe any time.