Is HubSpot HIPAA compliant?
HubSpot is HIPAA compliant for specific covered services, which can be used to collect, store, process, and transmit Protected Health Information, provided that the covered entity subscribes to an enterprise account and agrees to the terms of HubSpot’s Business Associate Agreement. In addition, any apps integrated with HubSpot must also be HIPAA compliant.
In June 2024, HubSpot announced the launch of sensitive data tools that can be configured to support HIPAA compliance for specific “covered services”. The company also announced it will (automatically) enter into a Business Associate Agreement with customers that identify as HIPAA covered entities or business associates when activating the sensitive data settings.
While the announcement is good news for customers that have long been requesting a HIPAA compliant version of the CRM, covered entities are reminded that only specific services are covered by the Business Associate Agreement. Furthermore, configuring the covered services to make HubSpot HIPAA compliant can be difficult for administrators unfamiliar with the platform.
Which Services are Covered by the HubSpot BAA?
At the time of publication, the HIPAA compliant version of HubSpot is in “public beta”. Consequently, the following list of services covered by the HubSpot Business Associate Agreement (BAA) is subject to change. It is also important to note that the services listed below are only covered in enterprise subscriptions.
- CRM Object Properties, including manual update, import, export and Properties API
- CRM Objects API
- List creation
- Workflows
- Search
- Reports – limited to Dashboards, single object reports, and attribution reports
- Integrations
- Forms
- Form Submissions Authenticated API
- CRM Attachments added to Records manually, via Notes, Email Form and Sensitive File Properties
At present, Reporting Analytics (including Custom Report Builder), Customer Journey Reports, Data Sets, and Snowflake Data Sharing are not covered by the HubSpot BAA. It is also not possible to export “properties” as personalization tokens (i.e., automatically insert a patient’s name into an email). Future changes or additions to the covered services will be included in HubSpot’s “Sensitive Data Terms”.
UPDATE October 2024. In September 2024, support for HIPAA compliance changed from public beta to generally available and CRM Activities was added to the list of supported services. However, while it is now possible to store call logs in the HubSpot CRM, it is not permitted to store call recordings or call transcripts that include PHI.
How to Make HubSpot HIPAA Compliant
The process for making HubSpot HIPAA compliant consists of three steps. A user with super-administrator permissions must activate the HIPAA-protected sensitive data settings via the “Privacy and Consent” tab. They must then check the “Health/Medical Data” checkbox when asked “What type of information will you store?” and the checkbox that identifies the organization as a HIPAA covered entity or business associate.
Note: Activating the HIPAA-protected sensitive data settings also automatically activates the HubSpot BAA.
Thereafter, whenever a new “property” is created (a “property” is a field in which information is stored about a contact), the checkboxes indicating that the data is sensitive and that it is Protected Health Information must be checked. It is important to note that these steps cannot be reversed; so, before creating new properties, it is important to understand what is considered Protected Health Information under HIPAA and to ensure all applicable members of the workforce receive training on how to use HubSpot in compliance with HIPAA.
The Challenges of Using HubSpot in Compliance with HIPAA
The challenges of using HubSpot in compliance with HIPAA are that there are several opportunities to misconfigure the covered services and either fail to classify PHI as sensitive data, or over-protect data that does not qualify as PHI. In the first instance, the failure to classify PHI as sensitive data could result in an impermissible disclosure, while over-protecting data will exclude it from services not covered by the HubSpot BAA.
It can also be a challenge to ensure that any apps integrated with HubSpot CRM are also HIPAA compliant and that separate Business Associate Agreements are entered into with the app vendors. For example, it would be permissible to integrate Google Workspace services with covered functionality (provided the services are not used with personalization tokens), but not popular ecommerce and communication tools such as Shopify or WhatsApp.
To help resolve these challenges, or to get help with making HubSpot HIPAA compliant, covered entities and business associates that are existing HubSpot enterprise customers are advised to reach out to their Customer Success Managers. Covered entities and business associates on other HubSpot plans – or who are not yet HubSpot customers – should seek independent advice from a compliance professional with CRM experience.