TL;DR
If your team works near protected health information (PHI), the questions that matter for adopting Claude Code are concrete and answerable from Anthropic's own documentation: Does Anthropic train on your prompts? How long is data kept? What does Zero Data Retention actually turn off? How is data encrypted? Where do transcripts live on disk, and how do you control them? What telemetry leaves the machine, and how do you stop it?
This guide answers those questions from the published Claude Code data-usage, Zero Data Retention, and security docs. It does not establish HIPAA compliance and does not claim Claude Code is "HIPAA certified."
This is not legal or compliance advice.
Whether any tool can lawfully process PHI depends on your contracts (including any Business Associate Agreement), your configuration, and your obligations under HIPAA. Consult official HHS HIPAA guidance and your own compliance and legal team before processing PHI with Claude Code or any AI tool. Nothing below is a representation that Claude Code is HIPAA compliant.
Key points (all grounded in Claude Code docs):
- Under commercial terms (Team, Enterprise, API), Anthropic does not train generative models on Claude Code code or prompts unless you opt in.
- Standard commercial retention is 30 days; Zero Data Retention (ZDR) is available only to qualified Claude for Enterprise accounts and must be enabled by Anthropic.
- Data is encrypted in transit via TLS 1.2+; encryption at rest depends on your model provider.
- Claude Code stores transcripts locally in plaintext for 30 days by default, controllable with
cleanupPeriodDays.
Why "HIPAA mapping" is the wrong frame here
HIPAA safeguards are legal obligations on covered entities and business associates—they are satisfied by contracts, policies, risk analyses, and your overall environment, not by a single developer tool. A documentation tool cannot "be HIPAA compliant" on its own. What a tool can do is give you verifiable, documented data-handling controls that your compliance program can build on.
So this guide does the verifiable part: it catalogs the data controls Claude Code actually documents and points to where each is described. Treat HIPAA only as the general reason these controls matter ("teams handling PHI must minimize data exposure and retention")—and take the legal mapping to HHS guidance and your compliance team.
Claude Code data controls reference
Every row below traces to the official Claude Code documentation. Use it as the starting checklist for a PHI-sensitive review.
| Control |
What it does |
Where it's documented |
| Commercial no-training policy |
Under Team, Enterprise, API, and Gov terms, Anthropic does not train generative models on code or prompts sent to Claude Code, unless the customer opts in (e.g., Development Partner Program). |
Data usage → Data training policy |
| Consumer training choice |
On Free/Pro/Max, data may be used to train future models when the setting is on; changeable anytime in privacy settings. |
Data usage → Data training policy |
| Standard retention (commercial) |
Team, Enterprise, and API: 30-day retention period. |
Data usage → Data retention |
| Consumer retention |
30 days if training is off; 5 years if the training setting is on. |
Data usage → Data retention |
/feedback retention |
Transcripts shared via /feedback are retained for 5 years; transcripts shared via the session-quality follow-up are retained up to 6 months. |
Data usage → Feedback / Data retention |
| Zero Data Retention (ZDR) |
Prompts and responses processed in real time and not stored after the response returns (except where required by law or to address misuse). Available only to qualified Claude for Enterprise accounts; enabled per-organization by Anthropic. |
Zero data retention |
| Encryption in transit |
All prompts and outputs encrypted in transit via TLS 1.2+. |
Data usage → Local data flow |
| Encryption at rest |
Provider-dependent: Anthropic API uses AES-256 disk encryption; Bedrock AES-256 (AWS-managed, CMK via KMS); Vertex AI Google-managed keys (CMEK available); Foundry routes to Anthropic AES-256. |
Data usage → Local data flow table |
| Local transcript storage |
Session transcripts stored locally in plaintext under ~/.claude/projects/ for 30 days by default to enable resumption. |
Data usage → Data retention (local caching) |
cleanupPeriodDays |
Adjusts how long local transcripts are kept before cleanup. |
Data usage → Data retention |
| Telemetry opt-out |
Operational metrics (latency, reliability, usage—no code or file paths) sent by default on the Anthropic API; disable with DISABLE_TELEMETRY. |
Data usage → Telemetry services |
| Error-reporting opt-out |
Sentry error logging on by default on the Anthropic API; disable with DISABLE_ERROR_REPORTING. |
Data usage → Telemetry services |
| Feedback opt-out |
Disable the /feedback command with DISABLE_FEEDBACK_COMMAND=1; disable session-quality surveys with CLAUDE_CODE_DISABLE_FEEDBACK_SURVEY=1. |
Data usage → Feedback / surveys |
| Nonessential-traffic kill switch |
CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC opts out of all non-essential traffic at once (does not affect the WebFetch safety check). |
Data usage → Default behaviors |
| Provider defaults |
On Bedrock, Vertex, Foundry, and Claude Platform on AWS, error reporting, telemetry, and bug reporting are off by default. |
Data usage → Default behaviors by API provider |
| Permission-based architecture |
Read-only by default; modifying actions require explicit approval; read-only commands like ls, cat, git status run without a prompt. |
Security → Permission-based architecture |
| Write-access restriction |
Claude Code can only write within the startup folder and subfolders; parent-directory writes need explicit permission. |
Security → Built-in protections |
| Sandboxing |
/sandbox provides filesystem and network isolation for Bash commands. |
Security → Built-in protections |
| Secure credential storage |
API keys/tokens stored in the macOS Keychain when available; protected by file permissions on Windows and Linux. |
Security → Privacy safeguards |
| Network-command approval |
Web-fetching commands such as curl/wget are not auto-approved; can be blocked via permissions.deny. |
Security → Protect against prompt injection |
| Trust verification |
First-time codebases and new MCP servers require trust verification. |
Security → Additional safeguards |
| Managed settings / OTel auditing |
Organizations enforce standards via managed settings; activity can be monitored through OpenTelemetry metrics. |
Security → Team security |
Data training policy: what commercial terms guarantee
Per the data-usage docs, commercial users—Team, Enterprise, API, third-party platforms, and Claude Gov—are covered by a policy where Anthropic does not train generative models using code or prompts sent to Claude Code under commercial terms, unless the customer explicitly opts in (for example, via the Development Partner Program, which an org admin must enable and which is first-party API only).
Consumer plans (Free, Pro, Max) are different: data may be used to improve future models when the setting is on, including when Claude Code is used from those accounts. For PHI-sensitive work, that distinction is decisive—account type drives both training and retention behavior.
Retention windows
From the same docs:
- Commercial (Team, Enterprise, API): standard 30-day retention.
- Consumer: 30 days if training is off; 5 years if the training setting is on.
/feedback transcripts: retained for 5 years.
- Session-quality follow-up transcripts (only if you select "Yes"): retained up to 6 months.
- Local caching: transcripts kept locally in plaintext under
~/.claude/projects/ for 30 days by default, adjustable with cleanupPeriodDays.
Zero Data Retention (ZDR)
The Zero Data Retention docs describe ZDR precisely:
- What it is: prompts and model responses are processed in real time and not stored by Anthropic after the response returns, except where required by law or to combat misuse.
- Who qualifies: available only to qualified accounts on Claude for Enterprise. It is not part of the standard Enterprise plan and cannot be enabled from admin settings—Anthropic enables it per-organization after confirming eligibility (contact sales/your account team). It does not auto-apply to newly created organizations.
- What it disables: features that require storing prompts or completions are turned off at the backend, including Claude Code on the web, Cloud sessions from the Desktop app, and
/feedback submission.
- What it does not cover: chat on claude.ai, Cowork, analytics metadata (account emails, usage stats), user/seat management data, and third-party integrations/MCP servers—these follow standard retention.
- Model caveat: some models that require retention are unavailable under ZDR (e.g., Claude Fable 5); the
best alias resolves to Opus for ZDR organizations.
- Policy-violation exception: flagged sessions may have inputs/outputs retained up to 2 years.
For Bedrock, Vertex AI, or Foundry deployments, ZDR on Claude for Enterprise does not apply—those platforms' own retention policies govern.
Encryption
Per the data-usage docs, all prompts and outputs are encrypted in transit via TLS 1.2+, and Claude Code is compatible with most popular VPNs and LLM proxies. Encryption at rest depends on the model provider:
- Anthropic API: infrastructure-level disk encryption (AES-256); enable ZDR for no server-side persistence.
- Amazon Bedrock: AES-256 with AWS-managed keys; customer-managed keys via AWS KMS.
- Google Cloud Vertex AI: Google-managed keys; CMEK available.
- Microsoft Foundry: routes to Anthropic infrastructure with AES-256 disk encryption.
Local transcripts and on-disk data
This is often the most overlooked exposure point for PHI-sensitive teams. The docs state Claude Code clients store session transcripts locally in plaintext under ~/.claude/projects/ for 30 days by default to support session resumption. Control retention with the cleanupPeriodDays setting, and apply your own disk-level protections (full-disk encryption, access controls) to those paths. If prompts or pasted content could contain PHI, the local cache must be part of your data-handling plan.
Telemetry, error reporting, and feedback
On the Anthropic API, several non-essential flows are on by default and send data off-machine:
- Telemetry (operational metrics only—no code or file paths):
DISABLE_TELEMETRY to opt out.
- Sentry error reporting:
DISABLE_ERROR_REPORTING to opt out.
/feedback (sends conversation history, including code, to Anthropic): DISABLE_FEEDBACK_COMMAND=1 to opt out.
- Session-quality surveys:
CLAUDE_CODE_DISABLE_FEEDBACK_SURVEY=1 to opt out.
A single switch, CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC, opts out of all non-essential traffic at once (it does not affect the WebFetch domain safety check, which has its own skipWebFetchPreflight opt-out). On Bedrock, Vertex, Foundry, and Claude Platform on AWS, error reporting, telemetry, and bug reporting are off by default. All of these variables can be committed to settings.json to enforce them across a team.
Network, proxy, and credentials
- Claude Code works with most popular VPNs and LLM proxies (data-usage docs).
- API keys and tokens are stored in the macOS Keychain when available, and protected by file permissions on Windows and Linux (Security → credential management).
- Web-fetching commands (
curl, wget) are not auto-approved and can be blocked entirely via permissions.deny.
- For Claude Code on the web, outbound traffic routes through a security proxy with audit logging, GitHub credentials never enter the sandbox, and each session runs in an isolated, auto-terminated VM with branch-restricted pushes.
Access controls and the security model
From the security docs:
- Permission-based architecture: read-only by default; modifying actions require explicit approval.
- Write-access restriction: writes confined to the startup folder and subfolders.
- Sandboxing:
/sandbox adds filesystem and network isolation for Bash commands.
- Prompt-injection safeguards: context-aware analysis, input sanitization, isolated web-fetch context, command-injection detection, fail-closed matching, and trust verification for new codebases and MCP servers.
- Org enforcement: managed settings enforce standards across a team; OpenTelemetry metrics enable activity monitoring and auditing;
ConfigChange hooks can audit or block settings changes mid-session.
- Compliance artifacts: SOC 2 Type 2 and ISO 27001 are available via the Anthropic Trust Center (linked from the security docs).
A practical pre-adoption checklist for PHI-sensitive teams
- Confirm account type. Use commercial terms (Team/Enterprise/API) so the no-training policy applies; avoid consumer plans for any work that could touch PHI.
- Decide on ZDR. If your risk posture requires no server-side persistence, pursue ZDR on Claude for Enterprise through your account team, and accept the disabled features (web, cloud sessions,
/feedback).
- Pin telemetry opt-outs in
settings.json. Set CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC (or the granular variables) so no non-essential data leaves the machine.
- Manage local transcripts. Set an appropriate
cleanupPeriodDays, and ensure ~/.claude/projects/ sits on encrypted, access-controlled storage.
- Lock down the security model. Use managed settings, sandboxing, and
permissions.deny for network commands; monitor via OpenTelemetry.
- Do the legal work separately. Map controls above to your HIPAA obligations with your compliance/legal team and current HHS guidance—this guide does not do that for you.
Frequently asked questions
Is Claude Code "HIPAA compliant" or "HIPAA certified"?
The Claude Code docs do not make that claim, and neither does this guide. Compliance depends on your contracts, configuration, and obligations—consult your compliance/legal team and HHS guidance.
Does Anthropic train on my prompts?
Under commercial terms (Team, Enterprise, API), no—unless you opt in (e.g., Development Partner Program). On consumer plans, data may be used to train future models when the setting is on.
What is kept, and for how long?
Commercial standard retention is 30 days; consumer is 30 days or 5 years depending on the training setting; /feedback transcripts 5 years; local transcripts 30 days by default (cleanupPeriodDays).
How do I stop data from leaving my machine?
Set CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC (or the granular DISABLE_TELEMETRY, DISABLE_ERROR_REPORTING, DISABLE_FEEDBACK_COMMAND, CLAUDE_CODE_DISABLE_FEEDBACK_SURVEY variables). Note prompts/outputs still flow to your model provider over TLS to get responses.
What does Zero Data Retention turn off?
At minimum: Claude Code on the web, Desktop cloud sessions, and /feedback. It also limits model availability and excludes analytics metadata, claude.ai chat, and third-party integrations.
Last reviewed: June 2026. All claims sourced from the official Claude Code data-usage, Zero Data Retention, and security documentation.