HIPAA and Perplexity Services: What Healthcare Organizations Need to Know
Perplexity AI can support HIPAA workflows, but only under specific enterprise contracts. Here is what the compliance picture actually looks like.
As AI-powered tools become embedded in clinical and operational healthcare workflows, a pressing question emerges for security teams and compliance officers: can these platforms legally handle Protected Health Information?
Perplexity AI, the search-and-answer engine that has rapidly gained traction across industries, is now squarely in that conversation. After reviewing Perplexity’s own enterprise terms, its published security posture, third-party compliance analyses, and broader regulatory context, here is where things stand in March 2026.
The Short Answer: Enterprise Only, With a BAA
Perplexity’s consumer products, including its free tier, Pro subscription, and standard API access, are not HIPAA compliant. The company’s Enterprise Terms of Service explicitly prohibit customers from using the platform to create, receive, maintain, transmit, or otherwise process Protected Health Information (PHI) unless a Business Associate Agreement (BAA) has been executed between the customer and Perplexity.
This is not unusual in the AI industry. Most generative AI vendors draw a hard line between consumer and enterprise tiers when it comes to regulated data. What matters is whether the enterprise offering actually delivers the controls and contractual coverage that HIPAA demands.
What Perplexity Enterprise Offers
Perplexity’s Enterprise Pro and its agentic product, Comet for Enterprise, advertise SOC 2 Type II certification, along with stated GDPR and HIPAA compliance. The company completed a 2025 HIPAA Gap Assessment and holds a CAIQ-Lite cloud security certification.
SOC 2 Type II is an organizational controls audit. It evaluates processes around availability, confidentiality, integrity, and privacy. It does not, however, constitute a technical penetration test or a line-by-line code audit. As heyData, a European privacy consultancy, has noted, the existence of SOC 2 certification is a positive indicator but does not replace independent technical due diligence.
Perplexity’s Data Processing Addendum outlines that the company processes personal data only on documented customer instructions, maintains confidentiality obligations for employees, and does not sell or share customer data. The DPA also commits Perplexity to notifying customers of government or regulator requests where legally permitted.
The BAA Framework
Perplexity does not publish a standalone BAA template. Instead, the BAA is negotiated as part of the enterprise onboarding process. Based on the Enterprise Terms and DPA, the BAA framework covers protection of PHI, confidentiality obligations, processing restrictions, data sharing prohibitions, and breach notification requirements.
For healthcare organizations evaluating Perplexity, the critical step is engaging the company’s sales team to negotiate and execute a BAA that specifically covers the intended PHI workflows. Without that signed agreement, any use of Perplexity involving identifiable patient data is a compliance violation waiting to happen.
The Broader AI-HIPAA Landscape
Perplexity is not operating in a vacuum. The intersection of generative AI and healthcare privacy law is one of the fastest-moving areas in compliance right now.
A September 2025 analysis from The National Law Review highlighted that AI chatbots are increasingly used in clinical environments for ICD-10 coding, medical note generation, and appointment scheduling. But the same features that make these tools efficient, including automated data processing and natural language understanding, also introduce disclosure risks when PHI is involved.
The numbers are sobering. Research cited by Sprypt found that nearly half of healthcare organizations using generative AI have no formal approval process for AI adoption, and only 31 percent actively monitor these systems. HIPAA violation fines can reach 1.5 million dollars per incident.
The FDA has also signaled a regulatory shift, recommending that black-box AI models designed to replace physician decision-making be treated as medical devices, subjecting them to an entirely different governance framework.
What This Means for Security Leaders
If you are a CISO, compliance officer, or IT leader at a covered entity evaluating Perplexity, here is the practical framework:
1. Do not use consumer or Pro tiers for any workflow involving PHI. The terms explicitly prohibit it.
2. Engage Perplexity’s enterprise sales team to discuss BAA availability for your specific use case and region.
3. Do not treat SOC 2 Type II as a substitute for your own technical security assessment. It validates organizational controls, not application-layer security.
4. Establish internal governance for AI adoption. If your organization lacks an approval process for deploying generative AI tools in clinical or operational settings, build one before procurement.
5. Monitor the regulatory landscape. The FDA’s evolving stance on AI-as-medical-device and HHS enforcement trends will shape what is permissible in the coming months.
Bottom Line
Perplexity AI can be part of a HIPAA-compliant technology stack, but only under its Enterprise offering with an executed BAA. The consumer and API products are off-limits for PHI. For healthcare organizations, the compliance burden does not end with a vendor contract. It requires internal governance, technical validation, and continuous monitoring.
The AI tools are getting better. The question is whether healthcare security programs are keeping pace.
---
Rory J. Bernier writes about information security, AI governance, and emerging technology risk. Connect on LinkedIn or follow @rorycrave on X.
