Is HubSpot HIPAA Compliant? What You Need to Know Before Storing PHI in HubSpot
Understand HubSpot’s HIPAA Compliance Features
Short answer: HubSpot can be used in a HIPAA-compliant manner only when you have a signed Business Associate Agreement and you limit Protected Health Information (PHI) to the services explicitly covered in that agreement. The platform provides technical controls, but compliance ultimately depends on how you configure and use it.
If you are a HIPAA-covered entity or a business associate, treat compliance as a shared-responsibility model. HubSpot provides security features such as encryption, role-based access, auditability, and Sensitive Data Settings on eligible accounts. You are responsible for process controls like access governance, user training, and data minimization.
Plan eligibility matters. An Enterprise-tier plan is commonly required for the advanced permissioning, logging, and Sensitive Data Settings that provide the privacy controls PHI needs. Confirm your plan’s capabilities before you ingest any PHI.
Key principles to anchor your program
- Minimum necessary: store only the data elements you truly need in HubSpot.
- Data classification: tag PHI versus non-PHI and keep them separated in properties, pipelines, and workflows.
- Configuration first: enable Sensitive Data Settings and strict permissions before any PHI import or integration.
- Contract-first: never store PHI without a fully executed Business Associate Agreement.
Configure Sensitive Data Settings
Sensitive Data Settings help you apply tighter privacy controls to PHI across records, properties, and exports. Activate them before any data flows so you can prevent accidental exposure through forms, exports, emails, or integrations.
Step-by-step configuration (recommended path)
- Identify PHI scope: decide which data elements are PHI and which can remain de-identified (for example, use patient IDs instead of names where possible).
- Create PHI-dedicated properties: use clear labels (e.g., “PHI—Diagnosis Code”) and avoid reusing general-purpose fields. Disable unnecessary searchability and history where feasible.
- Restrict property access: on eligible tiers, set view/edit permissions to the smallest set of roles or teams. Deny “Export” and “Edit property settings” to most users.
- Enable Sensitive Data Settings: turn on the account-level controls to add warnings, limit risky actions, and enforce privacy guardrails around PHI-handling screens and tools.
- Harden forms and inboxes: remove PHI fields from public forms and chat; route sensitive inquiries to secure channels managed under your BAA.
- Lock down email logging and sync: disable auto-logging of emails that may carry PHI; use approved secure-messaging workflows instead of standard marketing or sales emails.
- Control integrations: restrict API credentials, rotate keys, and limit scopes so only approved systems can touch PHI.
- Retention and deletion: define time-bound retention rules and use automated deletion for stale PHI.
- Monitoring: review export logs, access logs, and workflow changes for anomalies.
Operational guardrails that reduce risk
- Use separate pipelines or custom objects for PHI and limit cross-object automation.
- Add on-screen warnings and team playbooks to remind users what not to enter as free text.
- Employ data-loss prevention (DLP) scanning on endpoints and email to catch PHI before it leaves your perimeter.
Business Associate Agreement Requirements
A Business Associate Agreement defines exactly how HubSpot (your business associate) will protect PHI and which services you are permitted to use with that data. Without a signed BAA, do not store or process PHI in HubSpot.
What to verify in your BAA
- Covered services: the precise Hubs, tools, and features that may handle PHI.
- Permitted uses and disclosures: how PHI can be processed within the platform.
- Breach notification and timelines: how and when incidents are reported.
- Subprocessors: who else may handle PHI and under what controls.
- Data return/destruction: procedures when you terminate the agreement.
- Security obligations: encryption, access controls, logging, and training expectations.
How to enter into a BAA with HubSpot
- Confirm eligibility: Enterprise Plan Compliance is often required for BAA availability.
- Request the BAA: work through your account representative or procurement process.
- Review the scope: align the BAA with your data flows; exclude nonessential PHI.
- Execute and document: store the fully signed BAA and version it in your compliance repository.
- Operationalize: immediately enable Sensitive Data Settings and restrict features to those covered by the BAA.
Covered and Excluded Services
Your executed BAA is the single source of truth for what’s “in scope.” Assume a feature is excluded unless it is explicitly listed as covered.
Commonly covered (confirm in your BAA)
- Core CRM records and custom properties tied to PHI, with tight permissions.
- Workflow automation that does not transmit PHI to non-covered destinations.
- Secure file storage or notes used by restricted teams, if expressly included.
Commonly excluded (treat as out of scope by default)
- Bulk marketing email, ad audiences, and social posting tools.
- Chat, voice calling, call recording, and bot transcripts.
- Website analytics, tracking beacons, and behavioral ad features.
- Generative AI features and beta tools not listed in the BAA.
- Third-party marketplace apps or connectors without their own BAA.
Safe-by-design patterns
- Keep clinical data in your EHR; sync only the minimum identifiers to HubSpot.
- Use pseudonymous keys (e.g., patient ID) instead of names or free-text diagnoses.
- Strip PHI from page views, chat, and marketing activities.
Integrate HubSpot with Healthcare Systems
Any integration between HubSpot and your healthcare systems should keep the PHI that reaches HubSpot to a minimum and protect every hop along the way. Choose integration methods whose providers will sign a BAA and that enforce least privilege across services.
Architecture options
- HIPAA-eligible iPaaS: use an integration platform that will execute a BAA and provide audit trails, retries, and DLP.
- Custom API gateway: proxy all calls through your gateway to perform tokenization, field-level redaction, and request signing.
- Event-driven sync: publish de-identified events to HubSpot, and resolve identities in your secure systems.
Data minimization techniques
- Tokenize or hash identifiers before they reach HubSpot where feasible.
- Send links that reveal no PHI; require authenticated portals for detail viewing.
- Map only necessary fields; avoid free-text notes and attachments containing PHI.
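The gateway pattern and the minimization techniques above come together in a small pre-sync step: tokenize the patient identifier with a keyed HMAC, pass only allowlisted fields, drop everything else by default, and keep identity resolution on the secure side. This is an added illustration, not HubSpot or Accountable code; the field lists, sample record, and demo key are constructed for the example, and a real deployment would load the key from a secrets store.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed allowlist of fields the covered entity decided may sync to the CRM.
ALLOWED_FIELDS = {"first_name", "appointment_status", "preferred_channel"}
# Constructed denylist: clinical data and direct identifiers that must stay in the EHR.
BLOCKED_FIELDS = {"mrn", "ssn", "diagnosis", "clinical_notes", "attachments"}

# Constructed sample EHR record and demo key (a real key comes from a KMS, never source code).
SAMPLE_RECORD = {
    "mrn": "MRN-000123",
    "first_name": "Alex",
    "diagnosis": "E11.9",
    "clinical_notes": "Follow-up re: A1c results",
    "appointment_status": "scheduled",
    "preferred_channel": "sms",
    "referral_source": "web",  # not allowlisted, so default-deny drops it
}
DEMO_KEY = b"demo-only-key-rotate-me"


def pseudonymize(mrn: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token (truncated to 128 bits) for a patient identifier.
    Unlike a plain hash, a token cannot be brute-forced from short MRNs without the key."""
    return hmac.new(key, mrn.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def minimize_for_crm(record: dict, key: bytes) -> Tuple[dict, List[str]]:
    """Build the CRM payload: tokenized identity plus allowlisted fields only.
    Returns (payload, dropped_fields) so the gateway can audit-log what it withheld."""
    payload = {"patient_token": pseudonymize(record["mrn"], key)}
    dropped = []
    for field, value in record.items():
        if field in ALLOWED_FIELDS and field not in BLOCKED_FIELDS:
            payload[field] = value
        else:
            dropped.append(field)  # blocked or unknown field: never forwarded
    return payload, sorted(dropped)


def resolve_token(token: str, known_mrns: List[str], key: bytes) -> Optional[str]:
    """Identity resolution stays in the secure system: recompute tokens for known MRNs
    and compare in constant time, so the CRM never holds a reverse mapping."""
    for mrn in known_mrns:
        if hmac.compare_digest(pseudonymize(mrn, key), token):
            return mrn
    return None


if __name__ == "__main__":
    crm_payload, withheld = minimize_for_crm(SAMPLE_RECORD, DEMO_KEY)
    print(json.dumps(crm_payload, indent=2))
    print("withheld from CRM:", withheld)
```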
Testing and validation
- Use synthetic data in sandboxes; never seed test environments with PHI.
- Run integration threat models and table-top incident drills.
- Continuously monitor API usage and exports for anomalies.
Comply with HubSpot’s Terms of Service
Your use must align with HubSpot’s Terms of Service and Acceptable Use Policy in addition to your BAA. If the Terms prohibit storing sensitive data without a BAA, treat that as a hard stop.
Practical guardrails
- Do not upload PHI unless and until your BAA is fully executed and in effect.
- Honor opt-in rules and avoid including PHI in subject lines, snippets, or templates.
- Vet every marketplace app, connector, and export destination for BAA coverage.
Ensure Secure PHI Storage Practices
Strong technical controls turn policy into practice. Combine HubSpot’s security features with organizational safeguards to protect PHI end to end.
Access and identity
- Enforce SSO and MFA; disable basic auth where not needed.
- Apply least-privilege roles; restrict “Export,” “Bulk delete,” and “Integrations.”
- Segment by team and record ownership; log and review privileged activity.
Encryption and data handling
- Rely on encryption in transit and at rest; add gateway encryption or tokenization for high-risk fields.
- Block PHI in public forms, chatbots, and marketing assets.
- Use templated playbooks that steer users away from free-text PHI.
Monitoring, retention, and response
- Monitor exports, API calls, and permission changes; alert on anomalies.
- Set retention schedules and automate deletion for stale PHI.
- Maintain an incident response plan aligned to your BAA’s notification timelines.
Conclusion
HubSpot can fit into a HIPAA-compliant architecture when you have a signed Business Associate Agreement, limit PHI to covered services, enable Sensitive Data Settings, and operate with strict privacy controls around PHI. Use an Enterprise-tier plan where the required controls demand it, minimize PHI at every step, and integrate with healthcare systems using de-identified or tokenized data wherever possible.
FAQs
What services are covered under HubSpot’s HIPAA compliance?
Your executed Business Associate Agreement lists the covered services. Treat anything not expressly listed as excluded by default. Confirm the exact Hubs, features, and data flows that may handle Protected Health Information.
How do I activate sensitive data settings in HubSpot?
From Settings, locate the privacy/security area for Sensitive Data Settings (availability varies by plan). Enable the controls, then restrict PHI properties, disable risky exports, harden forms and email logging, and validate permissions before importing any PHI.
Can I store all types of PHI in HubSpot?
No. Store only the minimum necessary PHI, and only within the services explicitly covered by your BAA. Avoid free-text PHI, clinical notes, and attachments unless your agreement and configuration specifically allow them.
What steps are needed to enter into a BAA with HubSpot?
Verify plan eligibility (often Enterprise), request the Business Associate Agreement through your account channel, review scope with legal and security, sign the BAA, and immediately operationalize it by enabling Sensitive Data Settings, restricting access, and documenting your PHI handling procedures.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.