OpenAI just crossed a threshold that will force a reckoning. With 230 million people asking ChatGPT for health advice every week, the company has built medical infrastructure operating in a regulatory void—deliberately, and brilliantly. ChatGPT Health arrived this month alongside Anthropic's Claude for Healthcare, marking the moment tech companies stopped asking permission to enter medicine and started seeking forgiveness later. The question isn't whether regulators will respond. It's when, and whether enterprises built on that arbitrage will survive.

The timing tells you everything. OpenAI announced ChatGPT Health and the clinically-focused ChatGPT for Healthcare on consecutive days. Same technology. Different regulatory postures. The consumer version explicitly says it's not intended for diagnosis or treatment—a legal shield that lets it skip FDA oversight entirely. The enterprise version gets HIPAA compliance and medical device protections. Users looking at both products often can't tell which is which, according to Robert Hart's reporting at The Verge. That's not accidental.

This is regulatory arbitrage in real time. Anthropic is doing the same thing with Claude for Healthcare, positioning it as HIPAA-ready while sidestepping the medical device classification that would trigger clinical trials, FDA premarket review, and post-market surveillance. Both companies know they're operating in a temporary window. The question is how long it stays open.

The math is stunning. 230 million people weekly asking ChatGPT health questions puts it in the same user league as established telehealth platforms—Teladoc, Amwell, MDLive combined don't hit those numbers. But those platforms operate under medical device regulations. They maintain liability insurance. Their algorithms face scrutiny. OpenAI? It has terms of service and a privacy policy. When OpenAI CEO Sam Altman brought a cancer patient on stage to discuss how ChatGPT helped her "make sense of her diagnosis," that's marketed medical value. The legal argument that this somehow isn't a medical device gets thinner every time OpenAI proves how good it is at medicine.

Sara Gerke, law professor at University of Illinois Urbana-Champaign, told The Verge the manufacturer's stated intended use is "a key factor in medical device classification"—meaning the disclaimer carries legal weight with regulators. But as Hannah van Kolfschooten, a digital health law researcher at University of Basel, notes: "When a system feels personalized and has this aura of authority, medical disclaimers will not necessarily challenge people's trust in the system." The gap between what the terms of service say and what users actually believe they're getting is the inflection point.

Consider the liability cascade. OpenAI explicitly encrypts health data and promises not to use it for training. But as Carmel Shachar, assistant clinical professor at Harvard Law School, explained: "There's very limited protection. Some of it is their word, but they could always go back and change their privacy practices." There's no federal privacy law protecting health data in AI systems. Most states haven't enacted comprehensive privacy statutes. What protects users is corporate goodwill and terms of service—both perfectly legal to change unilaterally. The moment a data breach hits, or OpenAI decides to monetize that dataset, the regulatory hammer drops.

Then there's the accuracy problem. A man developed a rare condition after ChatGPT told him to replace salt with sodium bromide when asked about reducing sodium intake. Google's AI Overviews wrongly advised pancreatic cancer patients to avoid high-fat foods—the opposite of medical guidance. These aren't edge cases. They're predictable failure modes of systems confidently generating plausible-sounding wrong answers in high-stakes domains. OpenAI claims ChatGPT passes medical licensing exams and outperforms doctors at diagnosis. It also confidently kills people. Both things are true. When regulators see the harm documentation reach critical mass, the device classification becomes inevitable.

The window closing means timeline matters. Enterprises piloting ChatGPT for healthcare workflows now have maybe 12-18 months before this gets serious. The FDA isn't moving at startup speed—it typically takes 2-3 years from notification to enforcement action. But that changes if there's a high-profile adverse event. Right now, Gartner's compliance threshold modeling suggests enterprise healthcare AI deployment hits regulatory inflection when adoption crosses 10% of covered entities (hospitals, health systems, ambulatory networks with >50 providers). The US has roughly 6,000 hospitals and 130,000 physicians. OpenAI's tools are already in use at multiple health systems for administrative workflows. That number grows exponentially in the next quarters.

What makes this different from previous tech regulatory cycles is speed and scale. It took social media a decade to face real regulation. Autonomous vehicles are still negotiating with states. But healthcare regulation already exists. The framework is mature. OpenAI isn't operating in a vacuum—it's operating in a space where every competitor is already regulated. The classification gap is a temporary inefficiency, not a permanent feature.

The real inflection comes when the first major health system gets sued because a patient relied on advice from ChatGPT Health and suffered documented harm. The defense—"it's not a medical device, just a tool"—collapses instantly in discovery. Then every state attorney general launches investigation. Then Congress notices. Then liability insurance becomes impossible to get without FDA clearance. That's when the cost of operating in this gray zone exceeds the benefits. OpenAI knows this. That's why they built ChatGPT for Healthcare with better safeguards. That's why they're making the consumer version feel safe now—building trust before the framework tightens. It's smart strategy. It's also the playbook for every tech company that operated in regulatory gray zones until they couldn't.

OpenAI's healthcare push represents a calculated regulatory arbitrage moment: build scale and user trust while operating in a classification gap that won't last. For enterprises considering ChatGPT Health integration, the question is timing. Move now to extract efficiency gains before compliance overhead arrives, or wait and adopt when frameworks solidify. For regulators, the window to act before harm documentation forces their hand is closing—probably within 12-18 months. For builders: governance frameworks designed now for healthcare AI become table stakes once device classification arrives. The transition from 'AI for health' to 'healthcare AI regulation' isn't coming. It's already here, and the lag time is what everyone's racing against.