Is HubSpot HIPAA Compliant—and Will It Sign a BAA? Here’s What You Need to Know
HubSpot's HIPAA Compliance Status
Short answer: HubSpot is not a HIPAA-compliant repository for Protected Health Information (PHI) and generally does not sign a Business Associate Agreement (BAA) for its core marketing, sales, or service products. Without a BAA, you cannot use HubSpot to create, receive, maintain, or transmit PHI under HIPAA.
You can still use HubSpot for healthcare marketing and operations—as long as you keep PHI out of the platform. Treat HubSpot as a system for de-identified audiences, anonymous analytics, and high-level engagement signals, not as a clinical or patient record system.
- BAA is required whenever a vendor handles PHI as a business associate.
- No BAA means HubSpot should not store or process PHI, even temporarily.
- Use HubSpot for non-PHI marketing and engagement workflows only.
Terms of Service Restrictions
HubSpot’s Terms of Service and product documentation typically prohibit uploading “Sensitive Information,” which includes PHI. This prohibition covers all product surfaces—CRM properties, email, forms, chat transcripts, file uploads, notes, tickets, and custom objects.
Your organization remains responsible for how sensitive data is handled. If a user types PHI into any free-text field, attaches a medical document, or pastes a diagnosis into a ticket, you may trigger a compliance violation, because HubSpot would then be acting as a de facto business associate without a BAA.
- Do not collect symptoms, treatment details, diagnoses, lab results, policy numbers, or appointment specifics tied to an identifiable person.
- Block PHI in forms, chat, and email replies with filters, disclaimers, and data loss prevention (DLP) rules.
- Train staff to avoid entering PHI anywhere inside HubSpot.
Sensitive Data Handling Guidelines
Define what counts as PHI
PHI is any individually identifiable health information relating to a person’s past, present, or future health status, provision of care, or payment—when linked to identifiers (name, email, phone, IP, device ID, etc.). If the data can reasonably identify a person and reveals health context, treat it as PHI.
Practical rules for using HubSpot safely
- Collect only marketing-safe data points (e.g., general interests, consent preferences, content downloads) without health context.
- De-identify at the source with tokens or pseudonymous IDs; keep the token-to-patient mapping only in a HIPAA-compliant system that signs a BAA.
- Strip PHI from URLs, UTM parameters, and hidden fields; never pass condition names, appointment details, or claim numbers.
- Turn off or limit tracking on patient portals and intake flows; present clear notices and consent for analytics and advertising.
- Establish retention, access, and DLP controls; quarantine or auto-delete messages that appear to include PHI.
HIPAA Compliance Features Overview
HubSpot includes robust security controls—role-based access, SSO/SAML, audit logging, encryption in transit and at rest, and granular permissions. These align with elements of the HIPAA Security Rule’s technical safeguards but do not make the platform HIPAA compliant without a BAA.
- Identity and access: SSO/SAML, two-factor authentication, role and team permissions, partitioning of records and content.
- Monitoring and logging: activity logs, user history, and asset revision trails to support investigations and change tracking.
- Data protection: TLS for data in transit, encryption at rest, and backup/restore procedures for continuity.
- Governance: approval workflows, content controls, and export permissions to minimize unauthorized sharing.
Use these features to protect non-PHI data and tighten your security posture. They are valuable controls, but they are not a substitute for a Business Associate Agreement.
Third-Party Integrations for HIPAA Compliance
No integration can convert HubSpot into a HIPAA-compliant system. However, you can design architectures that keep PHI in HIPAA-compliant services that do sign a BAA, while passing only non-PHI signals into HubSpot for marketing operations.
Design patterns that reduce risk
- Intake forms and telehealth portals: capture PHI in a HIPAA-compliant system; send only anonymous or de-identified campaign metrics to HubSpot.
- iPaaS/ETL with BAA: route PHI to an EHR or secure data warehouse; emit sanitized events (e.g., “qualified lead” flag) to HubSpot without health details.
- Email and ads: suppress personalization that implies a diagnosis; avoid dynamic content based on conditions or treatments.
- Support channels: keep patient conversations in a HIPAA-compliant help desk; sync ticket status or generic tags to HubSpot without PHI.
Common pitfalls to avoid
- Free-text CRM fields, chat widgets, and support notes capturing PHI.
- Attachments (images, lab reports) uploaded to HubSpot file storage.
- Calendar invites or sequences containing appointment details tied to an individual.
- UTM parameters or page titles exposing conditions or procedures.
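The practical rules and design patterns above describe one pipeline: pseudonymize identity in the BAA-covered system, run a DLP check on free text, strip condition names from UTM parameters, and emit only an allowlisted event to HubSpot. The following Python is an added illustration of that pipeline, not HubSpot's or any vendor's code; the key, patterns, field names, and sample records are constructed placeholders you would replace with your own.

```python
import hmac
import hashlib
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs, urlencode, urlunsplit

# Constructed placeholder: the real key and the token->patient map live only
# in the BAA-covered system, never in HubSpot.
PSEUDONYM_KEY = b"replace-with-key-managed-in-baa-system"

# Constructed, deliberately simple DLP patterns for free-text fields.
PHI_PATTERNS = [
    re.compile(r"\b(diagnos|symptom|prescri|lab result|treatment)\w*", re.I),
    re.compile(r"\b(policy|member|claim)\s*(no|number|#)?\s*[:#]?\s*\w{6,}", re.I),
    re.compile(r"\bappointment\b.*\b\d{1,2}[/:-]\d{1,2}", re.I),
]
# Constructed deny-list for condition/procedure names in UTM values or keys.
UTM_DENY = re.compile(r"(diabet|cancer|hiv|depress|therap|surgery|oncol)", re.I)

def pseudonymize(identifier: str) -> str:
    """Keyed hash: HubSpot sees a stable token, never the patient's email."""
    normalized = identifier.strip().lower().encode()
    return hmac.new(PSEUDONYM_KEY, normalized, hashlib.sha256).hexdigest()[:24]

def contains_phi(text: str) -> bool:
    """True if any DLP pattern fires; caller quarantines rather than forwards."""
    return any(p.search(text) for p in PHI_PATTERNS)

def scrub_url(url: str) -> str:
    """Drop query/UTM parameters whose key or value names a condition."""
    parts = urlsplit(url)
    kept = {k: v for k, v in parse_qs(parts.query).items()
            if not any(UTM_DENY.search(x) for x in v + [k])}
    return urlunsplit(parts._replace(query=urlencode(kept, doseq=True)))

def to_hubspot_event(record: dict) -> Optional[dict]:
    """Build an allowlisted, PHI-free event; None means quarantine the record."""
    for key in ("message", "notes"):
        if contains_phi(record.get(key, "")):
            return None  # stays in the BAA-covered system for review
    return {
        "lead_token": pseudonymize(record["email"]),
        "qualified_lead": bool(record.get("consented_marketing")),
        "source_url": scrub_url(record.get("source_url", "")),
        "interest": record.get("interest"),  # marketing-safe topic, no health context
    }
```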
HubSpot's Security Measures
HubSpot publishes mature, enterprise-grade security practices focused on confidentiality, integrity, and availability. These controls are excellent for general SaaS hardening, but they do not change the PHI restriction without a BAA.
- Encryption: TLS for data in transit; strong encryption at rest.
- Access security: SSO/SAML, MFA, user provisioning, least-privilege roles, and field-level permissions.
- Operational security: vulnerability management, logging, incident response, backups, and disaster recovery testing.
- Privacy tooling: consent management, data export/delete workflows, and configurable retention for non-PHI data.
HubSpot's Compliance Certifications and Data Processing Agreements
HubSpot typically maintains certifications and reports such as SOC 2 Type II and ISO frameworks, demonstrating controls over security and availability. These attestations help evaluate vendor Security Controls but are not the same as HIPAA compliance.
For privacy and international transfers, HubSpot offers a Data Processing Agreement (DPA) with standard contractual clauses and data residency options (such as hosting certain data in the US or EU). A DPA governs personal data processing under privacy laws; a BAA governs PHI under HIPAA. A DPA does not permit storing PHI in HubSpot.
Key takeaways
- HubSpot does not function as a HIPAA-compliant system for PHI because it does not sign a Business Associate Agreement for core hubs.
- Use HubSpot only for non-PHI data; keep PHI in HIPAA-compliant systems that do sign a BAA.
- Security features, certifications, a DPA, and data residency options are valuable—but they are not substitutes for a BAA.
FAQs
Does HubSpot sign a Business Associate Agreement for HIPAA compliance?
No. HubSpot generally does not sign a Business Associate Agreement for its core products. Without a BAA, you must not use HubSpot to handle Protected Health Information. If your risk posture requires BAAs, limit HubSpot to non-PHI workflows and keep PHI in systems that do sign BAAs.
Is it safe to store PHI in HubSpot?
No. Even with strong security features, storing PHI in HubSpot violates HIPAA requirements without a BAA. Keep PHI out of CRM properties, emails, forms, chat, notes, attachments, tickets, and custom objects. Use de-identification, suppression, and DLP to prevent accidental PHI ingestion.
What HIPAA compliance features does HubSpot offer?
HubSpot offers enterprise-grade security—SSO/SAML, role-based access, audit logging, encryption, and governance tools—that support good security hygiene. These align with aspects of HIPAA’s technical safeguards but do not make HubSpot HIPAA compliant because there is no BAA and PHI is prohibited.
Can third-party tools make HubSpot HIPAA compliant?
No. Third-party tools cannot convert HubSpot into a HIPAA-compliant system. They can, however, help you capture PHI elsewhere under a BAA and share only de-identified or aggregate data with HubSpot, keeping sensitive data handling within HIPAA boundaries.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.