Is HubSpot HIPAA Compliant? BAAs, Risks, and Safer Workarounds

Kevin Henry

HIPAA

August 02, 2025

6 minute read

You can use HubSpot in a HIPAA-aligned way, but only for clearly defined “covered services” and only after you turn on Sensitive Data settings, accept the Sensitive Data Terms, and have a Business Associate Agreement (BAA) in place. Out of the box, HubSpot is not HIPAA compliant; you must configure it to handle Protected Health Information (PHI) safely and narrowly. ([knowledge.hubspot.com](https://knowledge.hubspot.com/properties/store-sensitive-data?utm_source=openai))

HubSpot's HIPAA Compliance Status

HubSpot currently supports HIPAA use cases on Enterprise editions by allowing you to store and process Protected Health Information (PHI) within specific tools. When you enable Sensitive Data and identify as a HIPAA covered entity or business associate, HubSpot presents the applicable Sensitive Data Terms and, if you selected HIPAA, its BAA for acceptance. Accepting them brings the designated features into scope for PHI on your Enterprise plan; it does not make the rest of the platform HIPAA compliant. ([knowledge.hubspot.com](https://knowledge.hubspot.com/properties/store-sensitive-data?utm_source=openai))

Practically, this means you must keep PHI inside supported features and properties, apply least-privilege access, and avoid tools that are explicitly excluded. These steps help you meet obligations under the HIPAA Privacy Rule and HIPAA Security Rule while using HubSpot’s CRM. ([knowledge.hubspot.com](https://knowledge.hubspot.com/privacy-and-consent/sensitive-data-in-hubspot-tools?utm_source=openai))

Understanding Business Associate Agreements

A Business Associate Agreement defines how HubSpot, as a business associate, may create, receive, maintain, or transmit PHI on your behalf. HubSpot’s BAA is scoped: it applies only to PHI processed via the Sensitive Data Covered Services and only after you have enabled Sensitive Data and accepted the terms. Treat the BAA as guardrails—not a blanket permission to put PHI anywhere in your portal. ([legal.hubspot.com](https://legal.hubspot.com/services/hubspot-services-descriptions))

Your responsibilities under the HIPAA Privacy Rule and HIPAA Security Rule remain. You must configure role-based access, auditing, retention, and incident response, and whenever PHI leaves HubSpot for another system you must confirm that the receiving application is itself HIPAA compliant and covered by its own BAA. ([knowledge.hubspot.com](https://knowledge.hubspot.com/privacy-and-consent/sensitive-data-in-hubspot-tools?utm_source=openai))

Covered Services Under HubSpot's BAA

Core covered capabilities (Sensitive Data)

  • CRM object properties and the Properties/Object APIs (create, import, export, and manual updates).
  • Lists, workflows, and search using Sensitive Data properties.
  • Reporting with Sensitive Data (reporting is not available for Highly Sensitive Data such as full SSNs).
  • Forms and the forms submissions authenticated API for collecting PHI.
  • CRM attachments added to records (e.g., via notes, calls, tasks, 1:1 email, forms, sensitive file properties).
  • Integrations built against supported scopes for Sensitive Data. ([legal.hubspot.com](https://legal.hubspot.com/services/hubspot-services-descriptions))

Additional covered items you should know

  • CRM activities (notes, calls, tasks, 1:1 email, meetings) with Sensitive Data.
  • Call recordings and conversation intelligence.
  • HubSpot Breeze Assistant features are listed among covered services; evaluate each assistant’s function before using PHI. ([legal.hubspot.com](https://legal.hubspot.com/services/hubspot-services-descriptions))

Important nuance: some capabilities (lists, workflows, search, reporting) are supported for Sensitive Data but not for Highly Sensitive Data. Confirm your data category and keep Highly Sensitive Data out of tools that do not support it. ([legal.hubspot.com](https://legal.hubspot.com/services/hubspot-services-descriptions))

Excluded Features and Limitations

Even on an Enterprise plan with Sensitive Data enabled and a signed BAA, certain tools cannot handle PHI. Sensitive Data is not supported in chatbots, personalization tokens, playbooks, or sandboxes. Do not place PHI in these areas, and avoid injecting PHI into marketing personalization. ([knowledge.hubspot.com](https://knowledge.hubspot.com/privacy-and-consent/sensitive-data-in-hubspot-tools?utm_source=openai))

Other practical limits include: you cannot toggle a property’s sensitivity after creation; calculation/rollup and some system properties cannot store Sensitive Data; and you cannot require unique values on Sensitive Data fields. If you flag your account for HIPAA data, data-center migration is restricted. Accounts with Sensitive Data enabled cannot act as a source for data mirroring in multi-account management. ([knowledge.hubspot.com](https://knowledge.hubspot.com/properties/store-sensitive-data?utm_source=openai))

Ensuring HIPAA-Compliant Integrations

Integrations extend your workflow but also expand risk. When you sync PHI to a third-party app, that vendor becomes a downstream business associate and must sign a BAA. HubSpot's terms note that Customer Data processed by Third-Party Products is hosted under those parties' policies, so you must verify each third-party application's compliance independently. ([knowledge.hubspot.com](https://knowledge.hubspot.com/privacy-and-consent/sensitive-data-in-hubspot-tools?utm_source=openai))

Integration safeguards

  • Use Sensitive Data–aware scopes and map PHI only to properties marked Sensitive; never map known sensitive fields to non-sensitive destinations.
  • Limit bidirectional syncs and configure least-privilege permissions for connected apps.
  • Route clinical content and detailed PHI to your patient portal or EHR; keep HubSpot for engagement metadata and operational automation.
  • Document data flows, retention, and breach notification duties with every vendor in scope. ([knowledge.hubspot.com](https://knowledge.hubspot.com/privacy-and-consent/sensitive-data-in-hubspot-tools?utm_source=openai))
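The mapping rule in the first bullet ("never map known sensitive fields to non-sensitive destinations") and the tier rule from the Covered Services section (Highly Sensitive Data cannot be used in lists, workflows, search, or reporting) are both mechanical enough to lint before a sync goes live. The script below is an added example written for this article; it is not HubSpot code and does not call the HubSpot API. It assumes property definitions carry a `dataSensitivity` value of `non_sensitive`, `sensitive`, or `highly_sensitive`; that key name and those values are an assumption about how property metadata is exposed, so confirm them against your portal's Properties API response before relying on the check. The property definitions, field mappings, and tool references are constructed sample data.

```python
"""Sensitivity guardrail for HubSpot data flows (added example, not HubSpot code).

Checks two things the article asks for:
  1. an integration never maps a Sensitive or Highly Sensitive property to a
     less protected destination field, and
  2. Highly Sensitive properties are not used in tools that only support
     Sensitive Data, and no Sensitive Data is used in excluded tools.

The ``dataSensitivity`` key and its three values are an ASSUMPTION about how
property metadata is exposed; verify against your Properties API response.
"""
from dataclasses import dataclass

SENSITIVITY_RANK = {"non_sensitive": 0, "sensitive": 1, "highly_sensitive": 2}

# Tools the article lists as supporting Sensitive Data but not Highly Sensitive Data.
SENSITIVE_ONLY_TOOLS = {"lists", "workflows", "search", "reporting"}
# Tools the article lists as supporting no Sensitive Data at all.
EXCLUDED_TOOLS = {"chatbots", "personalization_tokens", "playbooks", "sandboxes"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" should block the sync; "medium" needs a human decision
    message: str


def sensitivity_of(props, name):
    """Return a property's sensitivity tier, or None if the property is unknown."""
    prop = props.get(name)
    if prop is None:
        return None
    return prop.get("dataSensitivity", "non_sensitive")


def validate_mappings(source_props, dest_props, mappings):
    """Flag (source_property, destination_field) pairs that lower protection.

    A destination field with no sensitivity metadata is treated as non-sensitive,
    which is the safe assumption for a vendor that has not signed a BAA.
    """
    findings = []
    for src, dst in mappings:
        src_level = sensitivity_of(source_props, src)
        if src_level is None:
            findings.append(Finding("medium", f"unknown source property {src!r}; cannot classify"))
            continue
        dst_level = sensitivity_of(dest_props, dst) or "non_sensitive"
        if SENSITIVITY_RANK[src_level] > SENSITIVITY_RANK[dst_level]:
            findings.append(Finding("high", f"{src} ({src_level}) -> {dst} ({dst_level}) lowers protection"))
    return findings


def validate_tool_usage(props, references):
    """Flag (tool, property_name) pairs where the tool does not support that tier.

    References would be gathered from list filters, workflow branches, report
    columns, chatbot prompts and personalization tokens.
    """
    findings = []
    for tool, name in references:
        level = sensitivity_of(props, name)
        if level is None or level == "non_sensitive":
            continue  # nothing sensitive involved, or nothing to classify
        if tool in EXCLUDED_TOOLS:
            findings.append(Finding("high", f"{name} ({level}) used in {tool}, which supports no Sensitive Data"))
        elif tool in SENSITIVE_ONLY_TOOLS and level == "highly_sensitive":
            findings.append(Finding("high", f"{name} is Highly Sensitive but used in {tool}"))
    return findings


# Constructed sample data: a portal with four contact properties and an
# analytics tool (no BAA) that exposes two plain fields.
HUBSPOT_PROPS = {
    "email": {"dataSensitivity": "non_sensitive"},
    "patient_id_token": {"dataSensitivity": "non_sensitive"},  # non-PHI surrogate key
    "diagnosis_code": {"dataSensitivity": "sensitive"},
    "ssn": {"dataSensitivity": "highly_sensitive"},
}
ANALYTICS_FIELDS = {
    "email": {"dataSensitivity": "non_sensitive"},
    "notes": {"dataSensitivity": "non_sensitive"},
}
SYNC_MAPPINGS = [
    ("email", "email"),           # non-sensitive to non-sensitive: fine
    ("diagnosis_code", "notes"),  # PHI into a plain notes field: blocked
    ("insurance_id", "notes"),    # property not defined in the portal: review
]
TOOL_REFERENCES = [
    ("workflows", "diagnosis_code"),              # Sensitive Data in workflows: supported
    ("lists", "patient_id_token"),                # non-PHI token for segmentation: fine
    ("reporting", "ssn"),                         # Highly Sensitive in reporting: blocked
    ("personalization_tokens", "diagnosis_code"), # excluded tool: blocked
]


def run_checks():
    """Run both checks on the sample data; returns (mapping_findings, tool_findings)."""
    return (
        validate_mappings(HUBSPOT_PROPS, ANALYTICS_FIELDS, SYNC_MAPPINGS),
        validate_tool_usage(HUBSPOT_PROPS, TOOL_REFERENCES),
    )


if __name__ == "__main__":
    for group in run_checks():
        for finding in group:
            print(f"[{finding.severity}] {finding.message}")
```

Run it as a pre-deployment gate: export the integration's field mapping and the property references used by your lists, workflows, and reports, feed them in, and fail the change if any `high` finding appears. Unknown properties are reported rather than silently passed, so a renamed field cannot slip PHI into a non-compliant tool.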

Risks of Non-Compliant Features

The biggest risks come from convenience features that bypass safeguards. Examples include: adding PHI to chatbot conversations, using personalization tokens to insert PHI into emails or pages, or exporting PHI to analytics tools that lack a BAA. Each of these routes can expose identifiers and violate the “minimum necessary” standard of the HIPAA Privacy Rule. ([knowledge.hubspot.com](https://knowledge.hubspot.com/privacy-and-consent/sensitive-data-in-hubspot-tools?utm_source=openai))

Another common pitfall is assuming internal notifications are safe. If alerts, tasks, or email notifications echo PHI to unrestricted recipients or unsecured channels, they can create impermissible disclosures under the HIPAA Privacy Rule and fall short of the Security Rule's access and transmission safeguards. Keep notifications generic and store details inside Sensitive Data properties with strict access. ([knowledge.hubspot.com](https://knowledge.hubspot.com/privacy-and-consent/sensitive-data-in-hubspot-tools?utm_source=openai))

Best Practices for Healthcare Organizations

Safer workarounds that reduce PHI exposure

  • Partition data: store PHI only in Sensitive Data properties; use non-PHI IDs or tokens for marketing segmentation.
  • Collect PHI with HubSpot forms only after enabling Sensitive Data, and restrict who can view submissions. ([knowledge.hubspot.com](https://knowledge.hubspot.com/privacy-and-consent/sensitive-data-in-hubspot-tools?utm_source=openai))
  • Keep PHI out of chatbots, personalization, and sandboxes; validate that each agent or AI feature you use is listed among covered services. ([legal.hubspot.com](https://legal.hubspot.com/services/hubspot-services-descriptions))
  • Tighten access: apply field-level permissions, monitor audit logs, and limit exports of Sensitive Data. ([knowledge.hubspot.com](https://knowledge.hubspot.com/privacy-and-consent/sensitive-data-in-hubspot-tools?utm_source=openai))
  • Vet every integration: obtain BAAs, restrict scopes, and test that PHI never lands in a non-compliant tool. ([knowledge.hubspot.com](https://knowledge.hubspot.com/privacy-and-consent/sensitive-data-in-hubspot-tools?utm_source=openai))

Summary

HubSpot can support HIPAA programs if you confine PHI to the covered services, turn on Sensitive Data settings, accept the BAA, and avoid excluded features. Pair these controls with disciplined governance and vendor management to align with the HIPAA Privacy Rule and Security Rule across your marketing, sales, and service workflows. ([knowledge.hubspot.com](https://knowledge.hubspot.com/properties/store-sensitive-data?utm_source=openai))

FAQs

What services does HubSpot's BAA cover?

The BAA applies to Sensitive Data Covered Services only. Today, that includes Sensitive Data properties and the related APIs; lists, workflows, search, and reporting (for Sensitive Data, not Highly Sensitive Data); forms and the submissions API; CRM activities and attachments; call recordings and conversation intelligence; integrations; and HubSpot Breeze Assistant features. Always confirm the latest Covered Services before processing PHI. ([legal.hubspot.com](https://legal.hubspot.com/services/hubspot-services-descriptions))

How do I activate HIPAA compliance features in HubSpot?

Use an Enterprise edition, then go to Settings > Security > Sensitive Data. Select Health/Medical Data and confirm “We are a HIPAA-covered entity or business associate,” review the Sensitive Data Terms, and accept the BAA when presented. Next, create Sensitive Data properties and apply access controls before collecting PHI. ([knowledge.hubspot.com](https://knowledge.hubspot.com/properties/store-sensitive-data?utm_source=openai))

Are AI tools included in HubSpot's HIPAA compliance?

Some are. HubSpot lists Breeze Assistant features among its Sensitive Data Covered Services, but traditional chatbots are not supported for Sensitive Data. Treat AI on a feature-by-feature basis and avoid entering PHI into any tool not explicitly covered. ([legal.hubspot.com](https://legal.hubspot.com/services/hubspot-services-descriptions))

Can third-party integrations affect HubSpot's HIPAA compliance?

Yes. When PHI flows to a third-party app, that vendor must also meet HIPAA requirements and sign a BAA. HubSpot's terms make clear that data handled by Third-Party Products is subject to those vendors' policies, so verify the application's own compliance, restrict scopes, and validate data mappings before syncing PHI. ([knowledge.hubspot.com](https://knowledge.hubspot.com/privacy-and-consent/sensitive-data-in-hubspot-tools?utm_source=openai))
