HubSpot is not HIPAA compliant and cannot be used to create, collect, store, or transmit protected health information by a HIPAA covered entity or by a business associate providing a service to or on behalf of a HIPAA covered entity. However, covered entities and business associates can use the HubSpot platform for some sales. marketing, and service delivery activities depending on how the platform is configured.
The reason for HubSpot not being HIPAA compliant is that Section 2.9 of HubSpot`s Terms of Service states: “The subscription service is not designed to comply with industry-specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA). You may not use the subscription service where your communications would be subject to such laws.”
Because of this clause HubSpot will not sign a Business Associate Agreement. This does not mean covered entities and businesses associates cannot use the platform for some sales, marketing, and service delivery activities because HIPAA only covers Protected Health Information (PHI) and a Business Associate Agreement is only necessary if HubSpot creates, collects, stores, or transmits PHI on behalf of a covered entity or business associate.
What is PHI?
The first thing covered entities and business associates need to be aware of is what is PHI. Some sources claim it is the 18 HIPAA identifiers that need to be removed from a designated record set before any remaining PHI is considered de-identified. This is not the case. PHI is individually identifiable health information that relates to an individual’s health condition, treatment for the health condition, or payment for the treatment, and any identifying information stored in the same designated record set.
Therefore, if a covered entity or business associate collects the name and email address of a prospect, their vehicle license number, and their IP address, none of this information is PHI because it does not relate to an individual’s past, present, or future health condition, treatment for the health condition, or payment for the treatment – even though some sources might consider these four identifiers to be PHI.
How Healthcare Providers Can Use HubSpot
Once it is clear what information can be created, collected, stored, or transmitted on the HubSpot platform – and what information cannot – covered entities and business associates can configure HubSpot’s CRM to only collect information not covered by HIPAA – for example, by creating custom properties to control what information is collected from prospects.
In theory, it is possible to extract the information collected by HubSpot and send it to an EHR or set up an integration between HubSpot and an EHR. However, to use information collected and transmitted by HubSpot in this way, it will be necessary to configure the integration to be one-way to prevent PHI from the EHR being returned to the HubSpot database contrary to HubSpot’s Terms of Service.
Is it Possible to Use the Privacy Protection Exception?
Under §164.522(b) of the Privacy Rule, individuals have the right to request that communications containing PHI are sent via a channel of their choice. Covered healthcare providers are required to comply with all reasonable requests and, if a “lead” has been acquired via the HubSpot platform, it would seem unreasonable to deny a request to receive communications via HubSpot.
In this scenario, it is not advisable to agree to communicate via HubSpot. Not only might HubSpot consider it a violation of its Terms of Service; but, as communications sent via HubSpot are usually transmitted via email, there is no reason why it would not be possible to communicate directly via email – provided the prospect is warned of the risks of communicating by unencrypted email.
Is HubSpot HIPAA Compliant? Conclusion
While HubSpot cannot be used in compliance with HIPAA, it does not mean covered entities and business associates cannot use the platform for sales, marketing, and service delivery. However, if used for any of these purposes, it is important the platform is configured not to collect PHI and that any communications involving PHI are sent outside of the platform. Covered entities and business associates who are unsure about using HubSpot without violating HIPAA should seek professional compliance advice.