Is HubSpot HIPAA Compliant?
HubSpot is HIPAA compliant for a limited number of features provided that covered entities or business associates subscribe to an enterprise plan and activate the necessary sensitive data settings. Once the data settings have been activated, HubSpot’s Business Associate Agreement is also activated.
Prior to June 2024, the only way in which covered entities and business associates could use the HubSpot Customer Relationship Manager (CRM) in compliance with HIPAA was to install a HIPAA compliant plugin that isolated Protected Health Information (PHI) from HubSpot. The alternative was to not use the platform to collect, store, process, or transmit PHI.
In June 2024, HubSpot announced that some features would now support HIPAA compliance under “public beta”. The announcement is unlikely to be a gamechanger for many covered entities and business associates because it is necessary to subscribe to an enterprise plan to qualify for a Business Associate Agreement, and this requirement will likely price many out of the market.
In addition, the list of supported features is limited, and some features do not have the same capabilities when handling sensitive data as they have when handling non-sensitive data. However, it is still early days. HubSpot may add further features, increase their capabilities, and/or extend support for HIPAA compliance to less expensive plans.
Which HubSpot Features Support HIPAA Compliance?
The list of features that covered entities and business associates can use with PHI appears in Section 3 of HubSpot’s “Sensitive Data Terms”. At present, the list consists of CRM Object Properties (*), CRM Objects API, CRM Attachments (only if added to records manually), List Creation, Workflows, Search, Integrations, Forms, and Forms Submission Authenticated API.
(*) Although HubSpot now supports HIPAA compliant CRM Object Properties, it is not possible to use data entered into the Properties as Personalization Tokens. This means it is not possible to – for example – autofill names and email addresses on marketing emails. It is also not possible to copy or export Properties to sandbox testing environments.
While it is possible to draw reports from sensitive data, the reports are limited to dashboard reports, single object reports, and attribution reports. There is no HIPAA support at all for analytics reporting (including the Custom Report Builder), customer journey reporting, and Snowflake Data Sharing – which limits the use of the CRM platform for data analyses.
Note: The “public beta” period ended on September 17, 2024. The HubSpot features listed above became generally available to enterprise plan subscribers as did CRM Activities (notes, emails, calls, tasks, and meetings). Although call logs are permitted, call recordings and transcripts that include PHI are not permitted sensitive data under the terms of use.
Instructions for Making HubSpot HIPAA Compliant
Support for HIPAA compliance is still in the early days and the instructions for making HubSpot HIPAA compliant are likely to change. HIPAA covered entities and business associates interested in using supported features are advised to refer to the HubSpot Knowledge Base for up-to-date instructions on how to make HubSpot HIPAA compliant.
At the present time (October 2024), the process for making HubSpot HIPAA compliant consists of three stages:
- Click on the “Privacy and Consent” button in the “Settings” menu and then click on “Configure Sensitive Data Settings”.
- Click on the type of information to be stored (“Health/Medical Data”) and identify the organization as a HIPAA covered entity or business associate.
- Read and accept the HubSpot Sensitive Data Beta Terms, and click “Turn On Sensitive Data Settings”. Clicking this button automatically activates the Business Associate Agreement.
Thereafter, whenever a new CRM Object Property is created, the options will exist to indicate that data collected, stored, processed, or transmitted by the Property is sensitive data and qualifies as PHI. It is important that procedures are put in places to ensure these options are checked when creating new CRM Object Properties to avoid disclosures of PHI to features of the HubSpot platform that are not covered by the Business Associate Agreement.
Considerations Before Switching to HubSpot from Another CRM
Now that HubSpot is HIPAA compliant, it may be tempting for some covered entities and business associates to switch from another CRM that does not support HIPAA compliance (i.e., Zapier) or one that is more expensive (i.e. Salesforce). Before doing so, it is recommended to seek advice from a compliance professional with experience of CRMs to discuss the objectives of using a CRM and how you might accomplish the objectives with a HubSpot HIPAA compliant CRM.
It is also important to train members of the workforce on the conditions of using HubSpot to create, receive, maintain, or transmit PHI – particularly the conditions related to identifying sensitive data and only processing Permitted Sensitive Data within the Covered Services. It may also be necessary to implement policies and procedures to access PHI from the HubSpot CRM to respond to patent access requests and support disclosures required by law.