Is HubSpot HIPAA Compliant? What You Need to Know (BAA, PHI, and Safe Workflows)
HubSpot's HIPAA Compliance Status
Short answer: HubSpot can participate in HIPAA-regulated programs only when your organization executes a Business Associate Agreement (BAA) with HubSpot and enables the platform’s Sensitive Data Settings. Without that configuration, you must not store or process Protected Health Information (PHI) in HubSpot.
“Compliant” here means the specific services listed in your BAA operate under HIPAA safeguards and PHI Handling Restrictions. Even with a BAA, many marketing and communications features remain out of scope for PHI, so you should design Safe Workflows that keep PHI isolated and de‑identified where possible.
Practically, treat HubSpot as PHI‑limited: use it to manage relationships and processes while routing clinical details, diagnoses, or treatment data to systems purpose‑built for HIPAA. Confirm the covered service schedule attached to your BAA before onboarding any data.
Activation of Sensitive Data Settings
- Execute the BAA: Work with HubSpot to sign a Business Associate Agreement that lists covered services and permitted uses of PHI.
- Enable the feature: Request activation of Sensitive Data Settings at the account level, then complete your initial Sensitive Data Configuration.
- Classify data: Create properties reserved for PHI and flag them as sensitive; remove PHI from free‑text fields and general notes.
- Lock down access: Enforce SSO and MFA, assign least‑privilege roles, restrict exports, and enable IP allowlisting for admins.
- Constrain automation: Update workflows so they never email, display, or broadcast PHI; prohibit tokens containing PHI in messages or tasks.
- Turn on monitoring: Configure Data Access Auditing, review logs for view/edit/download events, and set alerts for anomalous behavior.
- Validate and train: Run test cases against your PHI Handling Restrictions and train users on what can and cannot be stored or sent.
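The "Constrain automation" step above is the one most easily checked by machine. The following is an added example, not HubSpot code: a pre-deployment linter over workflow definitions that flags message or task bodies whose personalization tokens reference sensitive properties, and webhook actions that would send such tokens to a host without a BAA. The workflow structure, the `{{ object.property }}` token form, the property names and the host allowlist are all assumptions for illustration; map them to your real workflow export.

```python
import re
from urllib.parse import urlparse

# Property names your team has flagged as sensitive (assumed, illustrative).
SENSITIVE_PROPERTIES = {"diagnosis", "treatment_plan", "medication", "icd10_code", "insurance_member_id"}

# Hosts of systems you hold a signed BAA with (assumed, illustrative).
BAA_COVERED_HOSTS = {"ehr.example-health.internal", "vault.example-health.internal"}

# Internal record updates that neither display nor transmit data.
INTERNAL_ACTIONS = {"update_property", "set_owner"}
# Anything a person reads or that leaves the platform as a message.
MESSAGE_ACTIONS = {"send_email", "send_sms", "create_task"}

# {{ object.property }} style token; the real token syntax is an assumption here.
TOKEN_RE = re.compile(r"\{\{\s*([A-Za-z_]+)\.([A-Za-z0-9_]+)\s*\}\}")


def tokens_in(text: str) -> set[str]:
    """Property names referenced by personalization tokens in a string."""
    return {prop.lower() for _obj, prop in TOKEN_RE.findall(text)}


def lint_workflow(workflow: dict) -> list[str]:
    """Return human-readable findings; an empty list means the workflow passed."""
    findings = []
    for idx, action in enumerate(workflow.get("actions", [])):
        kind = action.get("type")
        where = f"{workflow['name']} action {idx} ({kind})"
        if kind in INTERNAL_ACTIONS:
            continue
        if kind in MESSAGE_ACTIONS:
            leaked = tokens_in(action.get("body", "")) & SENSITIVE_PROPERTIES
            if leaked:
                findings.append(f"{where}: message body references sensitive properties {sorted(leaked)}")
        elif kind == "webhook":
            url = action.get("url", "")
            host = urlparse(url).hostname or ""
            sent = set()
            for value in action.get("body", {}).values():
                sent |= tokens_in(str(value))
            leaked = sent & SENSITIVE_PROPERTIES
            if urlparse(url).scheme != "https":
                findings.append(f"{where}: webhook to {url!r} is not HTTPS")
            if leaked and host not in BAA_COVERED_HOSTS:
                findings.append(f"{where}: sends {sorted(leaked)} to {host}, which has no BAA on file")
        else:
            findings.append(f"{where}: unrecognized action type, review manually")
    return findings


def lint_all(workflows: list[dict]) -> dict[str, list[str]]:
    return {wf["name"]: lint_workflow(wf) for wf in workflows}


# Constructed sample workflows (not real exports). The reminder keeps the clinical
# detail behind a portal login; the follow-up leaks PHI three different ways.
SAMPLE_WORKFLOWS = [
    {
        "name": "appointment-reminder",
        "actions": [
            {"type": "update_property", "property": "last_contacted", "value": "{{ now }}"},
            {"type": "send_email", "body": "Hi {{ contact.firstname }}, you have an upcoming "
                                            "appointment. Log in to the patient portal for details."},
        ],
    },
    {
        "name": "care-plan-followup",
        "actions": [
            {"type": "send_email", "body": "Hi {{ contact.firstname }}, about your {{ contact.diagnosis }}..."},
            {"type": "create_task", "body": "Call patient re: {{ contact.treatment_plan }}"},
            {"type": "webhook", "url": "https://analytics.example.com/hook",
             "body": {"id": "{{ contact.id }}", "dx": "{{ contact.icd10_code }}"}},
            {"type": "webhook", "url": "https://ehr.example-health.internal/intake",
             "body": {"id": "{{ contact.id }}", "dx": "{{ contact.icd10_code }}"}},
        ],
    },
]

if __name__ == "__main__":
    for name, findings in lint_all(SAMPLE_WORKFLOWS).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run it as a gate in whatever pipeline deploys workflow changes; the unrecognized-action branch fails closed so a new action type gets a human look before it can carry PHI.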
Covered Services Under BAA
The authoritative scope is the service schedule attached to your Business Associate Agreement. In practice, organizations typically rely on the following categories when PHI is permitted:
- Secure storage of sensitive properties on core CRM objects (for example, contacts, companies, deals, or tickets).
- Identity and access management features such as SSO, MFA, role‑based permissions, and administrative controls.
- Data Access Auditing, including logs of user access, changes, and exports for in‑scope data.
- Inbound data ingestion via secure APIs and controlled imports that keep PHI within covered services.
- Internal‑only automation that updates records or creates tasks without transmitting or exposing PHI externally.
- Data lifecycle tools for retention, deletion, and legal hold aligned to your HIPAA policies.
Excluded Services from BAA
Unless your BAA explicitly states otherwise, treat the following as out of scope for PHI. Where a use case still needs one of them, design an alternative that feeds it only de‑identified data (for example, an opaque record ID rather than a name or diagnosis):
- Marketing email, bulk sends, sequences, and other one‑to‑many communications.
- Ads audiences, tracking pixels, and retargeting features.
- Live chat, chatbots, conversations inbox, and support transcripts.
- Calling, call recording, and conversation transcription features.
- Sales email logging/forwarding, meeting links that could reveal PHI, and calendar descriptions.
- Public CMS personalization, website tokens, and content that might display PHI.
- Web forms that directly collect PHI, and general file storage for attachments containing PHI.
- Analytics exports and syncs that move PHI to tools without a BAA or to excluded services.
Third-Party Integrations
Integrations are often where HIPAA risk concentrates. Any system that receives PHI from HubSpot must also be governed by a BAA and configured to honor your PHI Handling Restrictions.
- Prefer HIPAA-Compliant Integrations with signed BAAs and documented security programs.
- Map only the minimum necessary fields; tokenize or pseudonymize identifiers wherever possible.
- Limit scopes and events; prevent PHI from syncing into marketing, analytics, or messaging tools.
- Use middleware or a data vault to store PHI, passing only non‑identifiable IDs back to HubSpot.
- Maintain data flow diagrams, review vendors’ subprocessors, and test integrations for leakage.
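The second and fourth points above (minimum-necessary mapping with pseudonymized identifiers, and a data vault that hands the CRM only a non-identifying reference) are shown together in the following added example. It is not HubSpot or any vendor's code: the in-memory dict stands in for a HIPAA-covered datastore, the field classification and role names are assumptions, and the `phi_ref` property is a hypothetical custom property on the CRM record.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Field classification (assumed names). Anything not listed is rejected rather
# than guessed at, so a newly added PHI field cannot slip into the CRM unnoticed.
CRM_SAFE_FIELDS = {"email", "firstname", "lastname", "phone", "lifecycle_stage"}
PHI_FIELDS = {"diagnosis", "medications", "treatment_plan", "icd10_code", "date_of_birth"}
# Roles allowed to turn a reference back into PHI (assumed role names).
RESOLVE_ROLES = {"clinician", "compliance_officer"}


class VaultAccessDenied(PermissionError):
    pass


@dataclass
class PhiVault:
    """Stand-in for a HIPAA-covered datastore; the dicts would be a real database."""
    _records: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # every store/resolve/denied event

    def store(self, phi: dict, actor: str) -> str:
        ref = "phi_" + secrets.token_urlsafe(16)   # random, so the reference reveals nothing
        self._records[ref] = dict(phi)
        self.audit.append(("store", actor, ref))
        return ref

    def resolve(self, ref: str, actor: str, role: str) -> dict:
        if role not in RESOLVE_ROLES:
            self.audit.append(("denied", actor, ref))
            raise VaultAccessDenied(f"{actor} ({role}) may not read {ref}")
        self.audit.append(("resolve", actor, ref))
        return dict(self._records[ref])


def split_for_crm(record: dict, vault: PhiVault, actor: str) -> tuple[dict, str]:
    """Return (CRM payload, vault reference). PHI never enters the payload."""
    unknown = set(record) - CRM_SAFE_FIELDS - PHI_FIELDS
    if unknown:
        raise ValueError(f"unclassified fields, refusing to sync: {sorted(unknown)}")
    phi = {k: v for k, v in record.items() if k in PHI_FIELDS}
    payload = {k: v for k, v in record.items() if k in CRM_SAFE_FIELDS}
    ref = vault.store(phi, actor) if phi else ""
    if ref:
        payload["phi_ref"] = ref   # hypothetical custom property holding only the opaque reference
    return payload, ref


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonym for matching the same person across systems.

    A plain SHA-256 of an MRN is not enough: MRNs come from a small space and
    can be brute-forced, so the key (kept in the vault, never in the CRM or the
    receiving tool) is what stops a recipient from reversing the pseudonym."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:32]


if __name__ == "__main__":
    vault = PhiVault()
    # Constructed sample record, not real patient data.
    intake = {"email": "ana@example.com", "firstname": "Ana", "diagnosis": "J45.20",
              "medications": ["albuterol"]}
    payload, ref = split_for_crm(intake, vault, actor="intake-sync")
    print("to CRM:", payload)
    print("clinician sees:", vault.resolve(ref, "dr_lee", "clinician"))
    print("pseudonym:", pseudonymize("MRN-0001", key=b"vault-held-key"))
```

The CRM side only ever sees `email`, `firstname` and an opaque `phi_ref`; a marketing or sales integration that syncs the contact therefore has nothing clinical to leak, and the vault's audit list records who resolved what.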
Data Encryption and Access Controls
Encryption Protocols
Expect transport encryption with modern TLS (TLS 1.2 or later) and strong at‑rest encryption such as AES‑256 within covered services. Confirm the specific Encryption Protocols and key management responsibilities in your BAA and security documentation. Keep the limits of vendor-side encryption in view: it protects data on disk and in transit, not data read by an authenticated user with more permissions than the role needs, which is why the access controls and auditing below remain your responsibility.
Access Controls
Enforce least‑privilege roles, SSO, and MFA; apply field‑level restrictions to sensitive properties; and prevent exports except for approved administrators. Use IP allowlisting, short session timeouts, and device hygiene requirements for elevated users.
Data Access Auditing
Enable detailed logging for view, edit, export, and deletion events on PHI. Review logs routinely, alert on anomalies, and retain records long enough to support investigations and regulatory inquiries.
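The review and alerting described here (and in the "Turn on monitoring" step earlier) are shown below as an added example that is not HubSpot code. It runs three rules over a constructed CSV audit export: exports or deletions by a role not permitted to perform them, PHI access outside quiet hours, and one user opening an unusually large number of distinct PHI records inside a short window. The column layout, role names and thresholds are assumptions; HubSpot's real audit export will differ, so adapt `parse_log` to it.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy thresholds (assumptions; tune to your environment).
EXPORT_ROLES = {"admin"}             # roles permitted to export or delete PHI
BULK_VIEW_LIMIT = 20                 # distinct PHI records one user may open per window
BULK_WINDOW = timedelta(minutes=10)
QUIET_START, QUIET_END = 22, 6       # UTC hours between which PHI access is unusual


def off_hours(ts: datetime) -> bool:
    return ts.hour >= QUIET_START or ts.hour < QUIET_END


def parse_log(text: str) -> list[dict]:
    """Parse the constructed CSV audit export and sort events by time."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(rows, key=lambda r: r["ts"])


def review_log(text: str) -> list[dict]:
    """Return one alert dict per rule hit, in time order."""
    alerts = []
    recent_views = defaultdict(deque)   # user -> (ts, object) pairs inside the window
    bulk_flagged = set()                # alert once per user, not once per extra record
    for e in parse_log(text):
        ts, user, role, action, obj = e["ts"], e["user"], e["role"], e["action"], e["object"]
        if action in {"export", "delete"} and role not in EXPORT_ROLES:
            alerts.append({"rule": "unauthorized_" + action, "user": user, "ts": ts, "object": obj})
        if off_hours(ts):
            alerts.append({"rule": "off_hours", "user": user, "ts": ts, "object": obj})
        if action == "view":
            q = recent_views[user]
            q.append((ts, obj))
            while ts - q[0][0] > BULK_WINDOW:   # drop views that fell out of the window
                q.popleft()
            if len({o for _, o in q}) > BULK_VIEW_LIMIT and user not in bulk_flagged:
                bulk_flagged.add(user)
                alerts.append({"rule": "bulk_access", "user": user, "ts": ts,
                               "object": f"{len(q)} records in {BULK_WINDOW}"})
    return alerts


def sample_log() -> str:
    """Constructed audit lines for the demo, not a real HubSpot export."""
    lines = ["ts,user,role,action,object,property"]
    for i in range(3):   # a clinician opening a few charts: normal
        lines.append(f"2024-05-06T09:0{i}:00Z,alice,clinician,view,contact:10{i},diagnosis")
    base = datetime(2024, 5, 6, 10, 0, 0)
    for i in range(25):  # a sales rep paging through 25 PHI records in four minutes
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ},bob,sales_rep,view,contact:{200 + i},diagnosis")
    lines.append("2024-05-06T11:00:00Z,carol,sales_rep,export,list:phi-contacts,diagnosis")
    lines.append("2024-05-06T11:05:00Z,dave,admin,export,list:phi-contacts,diagnosis")
    lines.append("2024-05-06T02:30:00Z,erin,clinician,view,contact:300,treatment_plan")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for a in review_log(sample_log()):
        print(f"{a['ts']:%H:%M:%S} {a['rule']:<20} {a['user']:<6} {a['object']}")
```

Dave's export produces nothing because his role is permitted; Carol's identical export does, which is the point of checking role rather than action alone. Feed the real export through the same rules on a schedule and route the alerts to whoever owns your incident process.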
Ongoing Compliance Responsibilities
A BAA does not make you “compliant” by itself. HIPAA requires administrative, technical, and physical safeguards that your organization must continuously operate and document.
- Perform risk analysis and gap remediation; update policies for data classification and minimum necessary use.
- Train users on Sensitive Data Configuration, Safe Workflows, and acceptable use of properties and automation.
- Maintain BAAs with all vendors handling PHI; verify incident response, breach notification, and subcontractor controls.
- Implement DLP, retention schedules, and secure disposal; review access regularly and remove dormant accounts.
- Conduct periodic audits of workflows, reports, and integrations to ensure PHI never reaches excluded services.
Conclusion
HubSpot can fit into a HIPAA program when bounded by a Business Associate Agreement, tight PHI Handling Restrictions, and well‑designed Safe Workflows. Activate Sensitive Data Settings, minimize PHI in the platform, and govern integrations to keep regulated data confined to covered services.
FAQs
What services does HubSpot cover under its HIPAA BAA?
Coverage is limited to the services listed in your executed BAA. Organizations typically rely on core CRM data storage for sensitive properties, identity and access controls, Data Access Auditing, selected internal workflows, and secure APIs. Marketing and data‑sharing features are generally excluded unless expressly stated.
How are sensitive data settings activated in HubSpot?
Work with HubSpot to execute a Business Associate Agreement and request activation of Sensitive Data Settings. Then complete your Sensitive Data Configuration by flagging PHI properties as sensitive, tightening permissions, constraining workflows, and turning on monitoring and auditing.
Can third-party integrations affect HubSpot's HIPAA compliance?
Yes. Any integration that receives PHI must have a BAA, restrict scopes and mappings, and prevent PHI from flowing into excluded services. A single noncompliant connector can break your compliance chain, so validate vendors and test data flows regularly.
What are the limitations on using PHI with HubSpot workflows?
Workflows should never email, display, export, or broadcast PHI. Limit them to internal updates, tasks, or escalations; avoid tokens containing PHI; and ensure webhooks or actions never post PHI to endpoints or apps without a BAA. Keep automation narrowly scoped to the minimum necessary.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.