Cursor Enterprise HIPAA BAA: Eligibility, Scope & Configuration
Cursor offers a HIPAA Business Associate Agreement (BAA) on the Enterprise plan for covered entities and business associates. A signed BAA is required before any protected health information (PHI) enters Cursor. The agreement comes with an Implementation and Configuration Guide that details eligible services, eligible models and customer-configured controls.
Who can get a HIPAA BAA from Cursor?
HIPAA BAAs are available on the Enterprise plan to organizations that are covered entities or business associates under HIPAA. If you are a healthcare provider, health plan or healthcare clearinghouse — or a vendor who handles PHI on their behalf — you can request a BAA as part of your Enterprise agreement.
Do not route protected health information through Cursor until a signed BAA is in place. The BAA does not backdate, and using PHI before signing puts your organization at risk.
What does the Cursor BAA cover?
The BAA covers Eligible Services and Eligible Models defined in the HIPAA Implementation and Configuration Guide, which ships as part of the agreement. The guide is the authoritative list; not every Cursor product, configuration or workflow qualifies automatically.
- Eligible Services: the specific Cursor product surfaces where PHI is permitted.
- Eligible Models: the subset of available AI models covered by the BAA.
- Required controls: the Privacy Mode (Cursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code), zero data retention and other settings your org must enable.
- Customer responsibilities: what your team must configure and instruct users to do.
Your BAA with Cursor covers Cursor's services only. Third-party services and integrations you connect to Cursor (MCP servers, external APIs, ticketing systems) are not covered by Cursor's BAA. MCP is the Model Context Protocol, a standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. Your organization is responsible for assessing those separately.
What must we configure before using PHI?
The Implementation and Configuration Guide specifies required controls for BAA-covered use. These typically include enforcing Privacy Mode org-wide, enabling zero data retention for Eligible Models and restricting access to BAA-covered services to the users who need them. Your team, not Cursor, is responsible for applying these settings correctly.
1. Request and countersign the BAA through your Enterprise agreement.
2. Read the HIPAA Implementation and Configuration Guide delivered with the BAA.
3. Enforce Privacy Mode and zero data retention on all Eligible Models.
4. Restrict BAA-covered workflows to the team members and models listed as eligible.
5. Train users on PHI handling responsibilities before rollout.
How do we request a HIPAA BAA?
Contact Cursor sales at cursor.com/contact-sales to start an Enterprise agreement and request the BAA. The Implementation and Configuration Guide is available to customers with an active Enterprise agreement; the Trust Center at trust.cursor.com has Cursor's SOC 2 Type II report and compliance documentation you can use during security review.
What does a signed BAA not guarantee?
A BAA establishes the legal framework for handling PHI with Cursor; it does not make every product configuration safe for PHI by default. Your organization remains responsible for configuring Cursor in accordance with the BAA, following the Implementation Guide, and instructing users on their obligations under HIPAA.
- Configuration: Enable required controls per the Implementation Guide before routing any PHI.
- Scope: Route PHI only through Eligible Services and Eligible Models listed in the guide.
- Third parties: Assess and cover any integrations you connect to Cursor separately.
- User training: Instruct users on PHI handling; the BAA does not substitute for internal policy.
Frequently asked questions
Is the Cursor HIPAA BAA available on the Teams plan?
No. The HIPAA BAA is available on the Enterprise plan only. Contact Cursor sales to start an Enterprise agreement.
Can we use any Cursor model with a BAA in place?
Only Eligible Models listed in the HIPAA Implementation and Configuration Guide are covered by the BAA. Using PHI with models not on that list falls outside the agreement's scope.
Where do we find Cursor's SOC 2 report for security review?
Cursor's SOC 2 Type II report is available on request through trust.cursor.com. Share that URL with your security team; it also links to Cursor's compliance and data governance documentation.
What happens if a team member sends PHI through a non-eligible model?
That usage falls outside the BAA. Your organization is responsible for restricting access to Eligible Models and training users accordingly — Cursor's platform does not technically prevent PHI from entering non-eligible models.
Sources & last verified
- Cursor - HIPAA Business Associate Agreements
- Cursor - Privacy and Data Governance
- Cursor - Trust Center
- Cursor - Enterprise
Cursor ships frequently. Facts verified against primary sources on June 25, 2026.