
Is Perplexity AI HIPAA compliant? (2025 update)

Perplexity AI is an AI-powered research and answer engine for individuals and enterprises, offering real-time, cited insights and enterprise controls. With Perplexity Enterprise, organizations get SOC 2 Type II–audited security plus stated GDPR and HIPAA compliance; based on Perplexity’s own materials, Perplexity can be HIPAA compliant for Enterprise customers. 

Is Perplexity AI HIPAA compliant? Yes, Perplexity can be HIPAA compliant, but only when an Enterprise customer executes a Business Associate Agreement (BAA). 


Will Perplexity AI sign a business associate agreement (BAA)?

Yes. Perplexity’s Enterprise Terms explicitly condition PHI use on an executed BAA: “Customer may not use the Services to…process any information that includes or constitutes ‘Protected Health Information’…unless Customer and Perplexity have executed a Business Associate Agreement.” The full text is available in Perplexity’s Enterprise Terms.


What does the Perplexity AI BAA cover?

Perplexity does not publish a standalone BAA form publicly, but the Enterprise Terms and Data Processing Addendum (DPA) outline privacy and security controls that apply when Perplexity acts as a processor for business services. 

The Enterprise Terms require a BAA for PHI, and the DPA describes how Perplexity processes personal data only on customer instructions, maintains confidentiality, does not sell or share data, and notifies customers of certain government or regulator requests where permitted. Relevant language includes:

  • “Customer may not…process…PHI…unless…[the parties] have executed a Business Associate Agreement.” 
  • Perplexity will “only process Personal Data on documented instructions from Customer…[and] require that each employee…is subject to an appropriate duty of confidentiality.” 
  • Perplexity shall not “Sell or Share Personal Data” and will notify the customer of law enforcement or regulator requests “to the extent permitted by law.” 

In practice, Perplexity’s enterprise materials also highlight security posture (SOC 2 Type II) and state GDPR and HIPAA compliance for Enterprise, which aligns with the BAA/DPA framework. 


What does the Perplexity AI BAA exclude?

Perplexity’s Enterprise Terms make it clear that no PHI may be used on the service without an executed BAA. The Enterprise Terms also specify that they apply only to Perplexity Enterprise Pro (not the free site, Pro, API, or other products), which means those non-enterprise offerings are not covered for PHI unless governed by a separate agreement. Quote: the Enterprise Terms “apply only to Perplexity Enterprise Pro…not…Perplexity’s API, Perplexity’s website and the Perplexity ProShop feature.”


Conclusion

Perplexity may be HIPAA compliant, but only for Enterprise customers who execute a BAA. Free/consumer offerings and other products are not appropriate for PHI absent a signed BAA and applicable enterprise terms. 

Learn more: HIPAA Compliant Email: The Definitive Guide


FAQs

What is a business associate agreement?

A BAA is a legally binding contract establishing a relationship between a HIPAA-covered entity and its business associate to ensure proper protection of PHI.


What is HIPAA?

HIPAA sets national standards for protecting the privacy and security of PHI and for securely exchanging electronic health information. Violations can lead to significant penalties.


Who does HIPAA apply to?

HIPAA applies to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates that handle PHI on their behalf.