Is HubSpot CRM HIPAA Compliant? What You Need to Know


Kevin Henry

HIPAA

May 05, 2026

6 minutes read

Short answer: HubSpot can support HIPAA compliance, but only when you use its Enterprise-tier capabilities, enable the right HIPAA compliance configuration, and have a Business Associate Agreement (BAA) in place. Standard plans alone aren’t sufficient for Protected Health Information (PHI). HubSpot now signs a BAA with qualifying Enterprise customers and provides platform controls designed to help you handle PHI responsibly. ([hubspot.com](https://www.hubspot.com/products/crm/healthcare))

Standard HubSpot Plans and HIPAA Limitations

If you’re on Free, Starter, or Professional, you should not store PHI in HubSpot. The features required for HIPAA-aligned use—like Sensitive Data encryption, audit logging tied to sensitive fields, and property-level access controls—are gated to Enterprise subscriptions. HubSpot’s Sensitive Data Terms (which govern PHI handling) only apply when you explicitly enable the Sensitive Data feature in your account. ([knowledge.hubspot.com](https://knowledge.hubspot.com/properties/store-sensitive-data?_hsmi=263470463))

Practically, this means that until you upgrade to an Enterprise plan and turn on Sensitive Data, HubSpot is a great system for marketing and operations—but not for collecting, storing, or transmitting PHI. ([knowledge.hubspot.com](https://knowledge.hubspot.com/properties/store-sensitive-data?_hsmi=263470463))

Enterprise Plan Features for Healthcare

On Enterprise, you can create Sensitive Data and Highly Sensitive Data properties that add application‑layer encryption, restrict field access at the user/team level, and generate audit logging for changes to those fields. Highly Sensitive Data supports click‑to‑decrypt for authorized users, adding another safeguard beyond encryption in transit and at rest. Note that only the properties you explicitly classify as Sensitive or Highly Sensitive receive these protections; PHI typed into an ordinary property gets neither the application‑layer encryption nor the field‑level audit trail, so the design work is deciding up front which fields may hold PHI and classifying all of them. These controls are central to a HIPAA‑capable CRM setup. ([knowledge.hubspot.com](https://knowledge.hubspot.com/properties/store-sensitive-data?_hsmi=263470463))

HubSpot also documents where Sensitive Data can be safely used across the platform, including CRM properties and activities, lists, workflows, search, reporting, supported integrations, forms and form submissions via authenticated API, and attachments added directly to CRM records. Understanding this supported surface area helps you design compliant processes end‑to‑end. ([hubspot.com](https://www.hubspot.com/products/sensitive-data?lang=en))

Business Associate Agreement Requirements

To obtain a BAA with HubSpot, you must have an Enterprise subscription and enable Sensitive Data in Security settings. During setup, you’ll select Health/Medical Data, confirm that you’re a HIPAA covered entity or business associate, and then review and accept the Sensitive Data Terms and the BAA. Once Sensitive Data is turned on, it cannot be turned off again, so complete the review before enabling it. ([knowledge.hubspot.com](https://knowledge.hubspot.com/properties/store-sensitive-data?_hsmi=263470463))

HubSpot’s BAA is incorporated by reference as Annex I to the Sensitive Data Terms, and Enterprise customers can review it before accepting. Accepting those terms in‑product is what puts the BAA into effect for the covered services; keep a copy of the accepted terms and the acceptance date with your HIPAA documentation, since auditors will ask for the executed BAA. ([legal.hubspot.com](https://legal.hubspot.com/hubfs/HubSpot%20BAA%204Feb2025%20PDF.pdf))

Sensitive Data Handling Tools

Core safeguards you configure

  • Application‑layer Sensitive Data encryption (in addition to encryption at rest and in transit).
  • Field‑level permissions to control who can view or edit PHI; click‑to‑decrypt for Highly Sensitive Data values.
  • Comprehensive audit logging to monitor access and changes to sensitive properties.
  • A built‑in scanner to flag unsecured sensitive information and guide remediation.

Attachments linked to records (for example, via notes, one‑to‑one emails, or forms) get extra protection once Sensitive Data is enabled; previews in certain notifications are hidden by default to reduce accidental exposure. ([knowledge.hubspot.com](https://knowledge.hubspot.com/properties/store-sensitive-data?_hsmi=263470463))
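The built‑in scanner flags unsecured sensitive information inside HubSpot, but a team migrating into HIPAA mode usually also wants a preflight check it can run itself against the property definitions before PHI ever lands in the portal. The script below is an added example, not HubSpot's code or the scanner's logic. It assumes property definitions in the shape returned by HubSpot's Properties v3 API (`GET /crm/v3/properties/{objectType}`, where each property carries a `dataSensitivity` of `non_sensitive`, `sensitive` or `highly_sensitive`); the keyword patterns are this example's own heuristics, and the sample payload is constructed for illustration.

```python
"""Preflight audit: find CRM properties that look like PHI but are not
classified as Sensitive Data. Added example; not HubSpot's own code.

Assumes the property-definition shape of HubSpot's Properties v3 API
(`name`, `label`, `fieldType`, `hubspotDefined`, `dataSensitivity`).
The keyword patterns below are heuristics for this example; tune per org.
"""
import json
import re
import urllib.request

# Property names/labels that commonly hold PHI (heuristic, not exhaustive).
PHI_NAME_PATTERNS = [
    ("clinical", re.compile(r"diagnos|condition|symptom|icd|treatment|procedure", re.I)),
    ("medication", re.compile(r"medicat|prescri|pharmac|\brx\b", re.I)),
    ("insurance", re.compile(r"insur|payer|policy.?number|member.?id|medicaid|medicare", re.I)),
    ("identifier", re.compile(r"\bssn\b|social.?security|\bmrn\b|medical.?record|date.?of.?birth|\bdob\b", re.I)),
    ("care", re.compile(r"appointment|physician|provider|clinic", re.I)),
]

# Levels that receive application-layer encryption and field-level audit logging.
SENSITIVE_LEVELS = {"sensitive", "highly_sensitive"}


def classify(prop):
    """Return the PHI category a property's name/label suggests, or None."""
    haystack = f"{prop.get('name', '')} {prop.get('label', '')}"
    for category, pattern in PHI_NAME_PATTERNS:
        if pattern.search(haystack):
            return category
    return None


def audit_properties(properties, object_type="contacts"):
    """Return a list of findings for properties that should be reviewed.

    Two checks:
      1. A PHI-looking property that is not Sensitive/Highly Sensitive.
      2. A custom free-text (textarea) property that is not classified;
         these are where PHI leaks in without anyone labelling it.
    """
    findings = []
    for prop in properties:
        # A property without the key is treated as non_sensitive, which is
        # what an unclassified HubSpot property effectively is.
        level = prop.get("dataSensitivity", "non_sensitive")
        category = classify(prop)
        if category and level not in SENSITIVE_LEVELS:
            findings.append({
                "object": object_type, "name": prop.get("name"),
                "issue": "phi_like_property_not_sensitive",
                "category": category, "dataSensitivity": level,
            })
        elif (prop.get("fieldType") == "textarea" and level not in SENSITIVE_LEVELS
              and not prop.get("hubspotDefined", False)):
            findings.append({
                "object": object_type, "name": prop.get("name"),
                "issue": "free_text_property_not_sensitive",
                "category": None, "dataSensitivity": level,
            })
    return findings


def fetch_properties(object_type, token):
    """Pull live property definitions (network call; not used by the sample run).

    Needs a private-app access token with read scope for the object type.
    """
    req = urllib.request.Request(
        f"https://api.hubapi.com/crm/v3/properties/{object_type}",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["results"]


# Constructed sample payload in the Properties v3 shape (not real account data).
SAMPLE_PROPERTIES = [
    {"name": "email", "label": "Email", "fieldType": "text",
     "dataSensitivity": "non_sensitive", "hubspotDefined": True},
    {"name": "primary_diagnosis", "label": "Primary diagnosis", "fieldType": "text",
     "dataSensitivity": "non_sensitive", "hubspotDefined": False},
    {"name": "insurance_member_id", "label": "Insurance member ID", "fieldType": "text",
     "dataSensitivity": "sensitive", "hubspotDefined": False},
    {"name": "ssn", "label": "Social Security number", "fieldType": "text",
     "dataSensitivity": "highly_sensitive", "hubspotDefined": False},
    {"name": "intake_notes", "label": "Intake notes", "fieldType": "textarea",
     "dataSensitivity": "non_sensitive", "hubspotDefined": False},
    {"name": "lifecyclestage", "label": "Lifecycle Stage", "fieldType": "radio",
     "hubspotDefined": True},
]

if __name__ == "__main__":
    for finding in audit_properties(SAMPLE_PROPERTIES):
        print(json.dumps(finding))
```

Run it against `fetch_properties("contacts", token)` for each object type you use (contacts, deals, tickets, and any custom objects) and treat every finding as a design question: either classify the property as Sensitive Data or move that data out of HubSpot. The free‑text check is deliberately noisy; an unclassified notes field is the single most common place PHI ends up without anyone noticing.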

Identity, access, and operational hygiene

  • Require SSO and 2FA, enforce inactive session timeouts, and perform regular super‑admin access reviews.
  • Use audit logging and centralized permissions reviews to confirm least‑privilege access over time.
  • Restrict who can build workflows and integrations that touch sensitive properties.

These Enterprise governance controls help you operationalize HIPAA requirements in day‑to‑day CRM use. ([hubspot.com](https://www.hubspot.com/security-and-compliance))

Data Hosting and Regional Compliance

HubSpot hosts accounts on AWS in the United States (East/West), European Union (Germany), Canada, and Australia, with replication for resilience inside the chosen region. Paid accounts can request a migration to a different region; however, once you indicate you store HIPAA data, migrations are not permitted. Plan your data residency up front if HIPAA or other regional rules apply. ([knowledge.hubspot.com](https://knowledge.hubspot.com/account-security/hubspot-cloud-infrastructure-and-data-hosting-frequently-asked-questions?hss_channel=lis-O575k2cDBB))

In limited scenarios, some processing can occur outside your hosting region (for example, with certain subprocessors, analytics, or support), all governed by HubSpot’s documented privacy and transfer mechanisms. Review these allowances with your compliance team to align with your policies. ([knowledge.hubspot.com](https://knowledge.hubspot.com/account-security/hubspot-cloud-infrastructure-and-data-hosting-frequently-asked-questions?hss_channel=lis-O575k2cDBB))

Restricted Features in HIPAA Mode

When Sensitive Data is enabled, certain tools are not supported for PHI to prevent exposure pathways. Notably, chatbots, personalization tokens, playbooks, and sandboxes do not support Sensitive Data. Some workflow actions and triggers are restricted when they reference sensitive fields. ([knowledge.hubspot.com](https://knowledge.hubspot.com/properties/store-sensitive-data?_hsmi=263470463))

  • Multi‑account data mirroring: accounts with Sensitive Data cannot serve as a source for mirroring to other portals.
  • Files tool: do not store PHI in the general Files tool; protected attachments must be linked directly to CRM records or sensitive file properties.
  • AI usage: HubSpot’s AI (“Breeze”) is restricted from using Sensitive Data property values; avoid placing PHI in prompts.
  • Data integrations: Snowflake Data Share for HIPAA is supported only in AWS US_EAST_1 and AWS EU_CENTRAL_1.

These restrictions reduce the risk of unauthorized PHI exposure while keeping regulated workflows within supported surfaces. ([knowledge.hubspot.com](https://knowledge.hubspot.com/account-security/sensitive-data-in-hubspot-tools?is_listing=false))

Accessing HubSpot Compliance Resources

Your team can self‑serve official documentation covering security posture, Sensitive Data behavior, identity controls, and governance in HubSpot’s Security & Compliance materials and Trust Center. Pair these with the step‑by‑step Knowledge Base articles on enabling Sensitive Data and using it safely across tools. ([hubspot.com](https://www.hubspot.com/security-and-compliance))

Conclusion

HubSpot CRM can be part of a HIPAA‑compliant stack when—and only when—you use an Enterprise plan, enable the HIPAA compliance configuration, and execute a BAA. Lean on Sensitive Data encryption, audit logging, access controls, and documented data residency to keep PHI within supported boundaries. Keep in mind that the BAA and platform controls cover HubSpot’s side only; your own risk analysis, policies, workforce training, and review of who can reach sensitive properties remain your responsibility as the covered entity or business associate.

FAQs

Does HubSpot offer HIPAA-compliant plans?

Yes. HubSpot supports HIPAA‑compliant data handling for qualifying Enterprise customers who enable Sensitive Data and accept a BAA. Standard plans by themselves are not sufficient for handling PHI. ([hubspot.com](https://www.hubspot.com/products/crm/healthcare))

What is required to sign a BAA with HubSpot?

You’ll need an Enterprise subscription. In Security settings, enable Sensitive Data, select Health/Medical Data, confirm your HIPAA status, and accept the Sensitive Data Terms and the BAA (incorporated as Annex I). ([knowledge.hubspot.com](https://knowledge.hubspot.com/properties/store-sensitive-data?_hsmi=263470463))

Which features are restricted under HIPAA compliance?

With Sensitive Data turned on, chatbots, personalization tokens, playbooks, and sandboxes don’t support PHI. Workflow actions that copy or reference sensitive fields are limited, and source account data mirroring is blocked. Follow the attachments and AI usage rules to avoid accidental exposure. ([knowledge.hubspot.com](https://knowledge.hubspot.com/account-security/sensitive-data-in-hubspot-tools?is_listing=false))

How does HubSpot handle data hosting for HIPAA customers?

Accounts are hosted in regional AWS data centers (US, EU, Canada, Australia) with in‑region replication. After you designate HIPAA data, region migrations aren’t allowed; some narrowly defined processing outside the region may occur under documented safeguards. ([knowledge.hubspot.com](https://knowledge.hubspot.com/account-security/hubspot-cloud-infrastructure-and-data-hosting-frequently-asked-questions?hss_channel=lis-O575k2cDBB))
