Does using ChatGPT or Claude destroy attorney-client privilege?

Using consumer-tier AI (ChatGPT free/Plus or Claude.ai without an Enterprise plan) can waive privilege for any information you input. A 2026 SDNY ruling in United States v. Heppner held that typing attorney communications into Claude constituted a third-party disclosure that destroyed privilege. Enterprise tiers with a signed BAA provide contractual protections, but they are not a substitute for attorney judgment about what to input.

What does ABA Formal Opinion 512 require for attorney AI use?

ABA Formal Opinion 512 (July 2024) identifies three primary Model Rules: Rule 1.1 (competence: you must understand the AI tool you are using), Rule 1.6 (confidentiality: all client information remains protected regardless of the tool), and Rule 5.3 (supervision: you must supervise AI output as you would a non-attorney assistant). The practical requirement is human review of every AI output before it is used in a filing or client communication.

Is Claude Enterprise or ChatGPT Enterprise safe for client data?

Both provide a Business Associate Agreement (BAA) and data processing terms that prevent your inputs from being used for model training. Claude Enterprise includes a HIPAA-ready plan with click-to-accept BAA. ChatGPT Enterprise provides equivalent protections. Consumer tiers (Claude Team, ChatGPT Team, free accounts) do not include a BAA and should not receive identifiable client information. Enterprise does not mean zero risk; it means the vendor has contractual obligations around your data.

What client information should I never paste into AI?

Never input A-numbers (Alien Registration Numbers), passport numbers, Social Security numbers, dates of birth combined with country of origin, or full client names combined with case-specific facts into any consumer-tier AI. On Enterprise tier with a BAA, these identifiers are contractually protected but should still be omitted when the task does not require them. The anonymize-then-process workflow produces equally good output with less exposure.

What is the anonymize-then-process workflow?

Replace identifying information in the document you are analyzing with placeholders ([BENEFICIARY], [EMPLOYER], [FIELD]) before sending it to the AI. Run the AI task. Then re-insert the real identifiers in your editing step. This workflow works for every prompt category: evidence analysis, expert letter drafting, petition narrative sections, and RFE responses. The AI output quality does not degrade with anonymized input.

Do I need to disclose AI use to my immigration clients?

ABA Formal Opinion 512 discusses disclosure but does not impose a blanket requirement to inform clients of every tool used in their representation. State bar guidance varies. The more cautious practice (consistent with ABA Rule 1.4 on communication) is to include AI use in your engagement letter as a general technology disclosure, similar to how you would disclose use of a legal research database.

Is Claude Teams plan covered by a BAA?

No. Claude Team plan does not include a BAA. Anthropic offers HIPAA-ready Enterprise plans with a BAA as a separate offering from the standard Team plan. The same applies to ChatGPT: Team tier does not provide a BAA. Only Enterprise tier for both platforms includes the contractual protections relevant to attorney-client confidentiality.

What happened in United States v. Heppner?

In a 2026 SDNY case before Judge Jed Rakoff, a CEO facing fraud charges typed details from attorney communications into Claude and generated 31 defense strategy documents. When the government seized his devices, these documents were found. Judge Rakoff held they were not protected by attorney-client privilege or work product doctrine: Claude is not an attorney, users have no reasonable privacy expectation with a third-party AI platform, and the tool disclaims providing legal advice. All 31 documents were discoverable.

AI in Legal Practice

AI Confidentiality for Immigration Attorneys: The Practical Setup

Use AI in your immigration practice without risking privilege: ABA Opinion 512 requirements, Enterprise tier configuration, and a safe anonymization workflow for client data.

June 5, 2026·11 min read

What This Guide Covers

A 2026 federal court ruling (United States v. Heppner, SDNY) held that typing attorney communications into a consumer AI platform destroys privilege. ABA Formal Opinion 512 (July 2024) identifies three specific Model Rules governing attorney AI use. This guide covers what the opinion actually requires, how to configure Claude Enterprise and ChatGPT Enterprise for client work, what identifiers to exclude, and a safe anonymization workflow that works for every petition task.

In 2026, a CEO facing federal fraud charges typed details from his attorney's communications into Claude. He generated 31 defense strategy documents. The government seized them. Judge Jed Rakoff of the Southern District of New York ruled they were discoverable in full.

His reasoning: Claude is "plainly not an attorney." Using a third-party AI platform eliminates the reasonable expectation of privacy that privilege requires. The 31 documents went to prosecutors.

That case was about a defendant, not a lawyer. But the mechanism applies in reverse. An attorney who inputs client information into a consumer AI platform has arguably made a third-party disclosure. Whether that waives privilege depends on what was input, what tier of service was used, and whether a BAA was in place.

This is not hypothetical risk. It is the current litigation posture on AI and privilege. The practical answer is not to avoid AI. It is to understand exactly which tier of service provides contractual protection and what the remaining risk is after that.

Model Rules

ABA Opinion 512: 1.1, 1.6, 5.3

2026

Heppner ruling

SDNY: privilege waived in consumer AI

Enterprise only

BAA available

Not on Team or consumer tiers

ABA Formal Opinion 512: What It Actually Requires

ABA Formal Opinion 512 was issued July 29, 2024. It is the first ABA ethics opinion specifically addressing attorney use of generative AI tools. A detailed analysis by UNC Law Library summarizes the practical implications for each covered Model Rule.

The opinion focuses on three Model Rules.

Model Rule 1.1 (Competence). You must understand the tool you are using well enough to deploy it competently. This does not mean you need to understand transformer architectures. It means you understand what the tool can and cannot do, how it fails, and how to detect when it produces unreliable output. For immigration work: you must know that AI models hallucinate citations, will occasionally state facts with more certainty than the evidence supports, and produce plausible-sounding legal arguments that may not survive scrutiny.

Model Rule 1.6 (Confidentiality). The duty of confidentiality covers "all information relating to the representation of a client, regardless of its source." Using an AI tool does not create a carve-out. If client information is input into a tool that uses it for training or exposes it to third parties, you have potentially violated Rule 1.6. The practical implication: only input client-identifying information into tools with a signed BAA and zero-training-use terms.

Model Rule 5.3 (Supervision of Non-Attorney Assistance). AI output must be supervised as you would supervise a paralegal. This means a human attorney reviews every AI-generated paragraph before it appears in a filing or client communication. The opinion specifically requires a "human in the loop": AI as a drafting tool, not a filing tool.

Opinion 512 Does Not Prohibit AI Use

The opinion establishes requirements for responsible use. It does not prohibit AI tools. Attorneys who set up compliant workflows and review AI output are fully within the ethical framework. Attorneys who skip review or use consumer tools for client work are exposed.

The three rules below map to specific failure points in an AI workflow: Rule 1.1 applies when you use an AI tool you do not understand well enough to supervise its output; Rule 1.6 applies when you input client identifiers into a non-BAA tool; Rule 5.3 applies when staff members use AI without adequate supervision.

ABA Model Rules 1.1 1.6 5.3 attorney AI use confidentiality framework — Three Model Rules govern attorney AI use. Rule 1.6 is the one with direct exposure risk: every client identifier you input into a non-BAA tool is a potential disclosure.

The Tier Problem: Consumer vs. Enterprise

The single most common mistake immigration attorneys make with AI is using the wrong tier of service for client work.

Both Claude.ai and ChatGPT have multiple tiers. The distinction that matters for attorney use is whether the tier includes a Business Associate Agreement (BAA) and whether inputs are excluded from model training.

Claude.ai:

Free and Pro tiers: no BAA, Anthropic may use inputs to improve models
Claude Team: no BAA. This is where most attorneys get this wrong. Team tier looks "business" but does not provide a BAA.
Claude Enterprise (with HIPAA-ready plan): BAA included, click-to-accept in the setup flow; inputs not used for training; zero data retention options available

ChatGPT:

Free, Plus, and Pro: no BAA
ChatGPT Team: no BAA
ChatGPT Enterprise: BAA available, data not used for training, controls over data retention

The practical rule: if the subscription shows "Team" in its name, it does not have a BAA. Enterprise tier is the threshold for client work.

The Heppner case involved consumer-tier Claude. Had the defendant's attorneys been using Claude Enterprise with a BAA, the analysis might have looked different (not necessarily favorable, but different). The third-party disclosure argument weakens when there is a contractual data processing relationship.

Configuring Claude Enterprise for Client Work

Claude Enterprise's HIPAA-ready plan is the tier relevant to immigration attorneys. Setup involves:

Start an Enterprise agreement with Anthropic through the enterprise sales channel. This triggers the BAA acceptance flow.
Accept the BAA during the Enterprise setup. Note: if your organization signed a BAA for Claude API access before December 2, 2025, that agreement covers API usage only and does not extend to the Enterprise chat interface. You need a separate BAA for the Enterprise plan.
Create a Project for EB-1A or O-1A work. Add your system prompt (see the prompt library guide for a recommended system prompt template).
Set data retention controls according to your firm's needs. The HIPAA-ready plan includes options for zero data retention. Confirm this with your account team.
Review data processing terms before uploading documents. The Enterprise terms specify how Anthropic handles uploaded files, retention periods, and deletion processes.

Cost: Claude Enterprise is priced by seat, typically starting around $60/seat/month for standard configurations. The HIPAA-ready add-on may require a separate enablement step. Confirm with your account team during setup.

Projects Are the Right Structure for Immigration Work

Claude Projects let you maintain a persistent system prompt and context across conversations. Create one project per client matter, or one project per petition type (EB-1A, O-1A). Store the legal context, criteria list, and output format instructions in the project system prompt. Task conversations then inherit this context without requiring you to re-enter it each time.

Configuring ChatGPT Enterprise for Client Work

ChatGPT Enterprise setup for attorney use follows a similar pattern:

Enterprise contract through OpenAI. Not available through the consumer website. Requires direct sales engagement.
BAA execution. OpenAI provides a BAA for ChatGPT Enterprise. This is separate from any API BAA.
Admin console data controls. ChatGPT Enterprise provides an admin console where conversation history, training use, and data retention can be configured. Turn off conversation history for client work if your firm's policy requires it.
Custom GPTs (Enterprise equivalent of Claude Projects): create a custom GPT with the EB-1A legal context as the system prompt. Add instructions for output format and evidence citation.

Both platforms behave comparably once configured. Claude tends to produce longer, more structured legal argument paragraphs; ChatGPT tends to follow explicit formatting instructions more precisely. The side-by-side comparison of their EB-1A output covers the practical differences.

Anonymize client data before AI processing workflow for immigration attorneys — The anonymize-process-re-identify workflow adds two minutes per task and eliminates the identifiable client data risk entirely.

What Not to Input: The Five Identifiers to Exclude

Even on Enterprise tier, the minimum-input principle applies. If the task does not require a specific identifier, omit it. These five identifiers should be excluded unless the task specifically requires them:

1. A-numbers (Alien Registration Numbers). An A-number combined with a name and any case fact creates a uniquely identifiable record. It is never required for AI drafting tasks. The model does not need it to draft a Criterion 5 argument.

2. Passport numbers. Never required for petition drafting tasks.

3. Social Security and Tax ID numbers. Same. Remove them from any document before uploading.

4. Date of birth combined with country of origin. The combination is a direct re-identification vector. Separately, neither is typically sensitive. Combined, they create a unique identifier. Omit the combination.

5. Full name combined with case details. On Enterprise with a BAA, this is contractually protected. On any other tier, it is a disclosure. When in doubt, replace the name with [BENEFICIARY] in the prompt.

None of these exclusions degrade AI output quality. The model produces equally good legal argument text whether the beneficiary is named "Dr. Zhao Wei" or "[BENEFICIARY]."

The Anonymize → Process → Re-identify Workflow

This three-step process applies to any petition task:

Step 1: Anonymize. Before uploading a document or entering facts into a prompt, replace identifiers with placeholders:

Client name → [BENEFICIARY]
Employer → [EMPLOYER]
Specific institution names (if sensitive) → [INSTITUTION A], [INSTITUTION B]
A-number, passport number, SSN → remove entirely

Step 2: Process. Run the AI task with the anonymized input. The model produces the same quality output regardless of whether names are real or bracketed. Draft the argument, generate the briefing, analyze the RFE.

Step 3: Re-identify. In your editing step, find-and-replace the placeholders with actual names. Review the output for accuracy while reinserting the real identifiers.

This adds roughly two minutes to any task. It applies on any tier, including Enterprise, but is most important on non-BAA tiers where it may be the only protection layer.

What This Does Not Solve

Enterprise tier and anonymization reduce exposure. They do not eliminate it.

The Heppner ruling involved a consumer platform. The privilege analysis under an Enterprise agreement with a BAA has not been definitively litigated. Reasonable expectation of privacy may still be contested even with contractual protections. The safer practice is to treat the anonymize-then-process workflow as mandatory, not optional, on any tier.

State bar rules vary. California, New York, and Florida have issued guidance that supplements ABA Opinion 512 with jurisdiction-specific requirements. If your practice is primarily in one state, verify whether your state bar has issued a technology opinion that adds obligations beyond the ABA framework.

Disclosure to clients is a separate question. ABA Rule 1.4 requires adequate communication. The cautious practice is a technology disclosure in your engagement letter noting that AI drafting tools may be used in preparation of materials. This does not require per-use disclosure. It provides informed consent for the representation generally.

Setting Up: The Checklist

Before using AI for any client matter:

Confirm your subscription is Enterprise tier (not Team, not consumer)
Confirm a BAA is signed and in effect (check with account team if using Claude pre-Dec 2025 API BAA)
Turn off conversation history / training use in admin settings
Create a project or Custom GPT with your legal context system prompt
Implement the anonymize → process → re-identify workflow for any task involving client identifiers
Update your engagement letter to include an AI technology disclosure
Review ABA Formal Opinion 512 and your state bar's AI guidance once per year

For the specific prompts to run after setup, see 30 AI Prompts for Immigration Attorneys. For the tool comparison covering costs and BAA availability, see Best AI Tools for Immigration Attorneys 2026. For the broader question of whether AI output is safe to file, see Is AI Safe for Your Immigration Practice?.

Immigration Copilot is built on AWS infrastructure with attorney-client data isolation by design: documents are stored in S3 with per-organization scoping, petition generation runs through Claude on Amazon Bedrock (not through Claude.ai), and no client data is ever used for model training. The BAA question doesn't apply to a purpose-built petition drafting platform the same way it applies to general-purpose AI chat. The architecture was designed for this data type from the start.

EB1A Practice Tips

Get bimonthly guides for immigration attorneys

Criterion deep-dives, workflow tips, and USCIS updates. No spam. Unsubscribe any time.