HubSpot HIPAA Compliance: How to Protect PHI Without Slowing Growth
Healthcare companies need customer data to support marketing, sales, onboarding, customer success, and support. At the same time, they must protect...
A HubSpot Elite Solutions Partner built to help organizations unify strategy, systems, and execution. We design HubSpot systems that scale.
See how we've solved complex HubSpot challenges across migrations, integrations, CMS, automation, and optimization.
Join a team building smarter HubSpot systems. We value strategic thinkers who move proactively, care about quality, and want to do meaningful work.
7 min read
Campaign Creators
:
07/08/26
Before storing protected health information (PHI) in HubSpot, organizations need to understand where sensitive data will live, who can access it, and how information moves across connected systems.
A HubSpot HIPAA compliance risk assessment helps identify potential gaps before they create security or compliance issues. This process includes mapping PHI storage requirements, reviewing security settings, validating user permissions, and auditing integrations connected to your CRM.
The assessment should also define a remediation plan that documents risks, assigns corrective actions, and establishes ongoing reviews. As your HubSpot environment changes through new users, workflows, integrations, and data processes, regular assessments help maintain alignment with HIPAA requirements.
Before assessing HubSpot for HIPAA compliance, you need a clear picture of your current CRM setup, data flows, users, and security requirements. You should determine where PHI exists, who can access it, and whether your processes meet HIPAA requirements.

Key items to prepare:
Document how information moves between HubSpot and systems like:
Any connected system that receives PHI can affect your compliance responsibilities.
Prepare documentation covering:
Check existing workflows before enabling PHI storage. Some HubSpot features and automation use cases have restrictions when handling sensitive health data, so teams need to confirm where PHI can safely appear.
Review every location where protected health information may appear inside HubSpot, including:
PHI can appear outside dedicated fields when users enter patient information into open text areas or upload files.
After finding where PHI exists, determine whether each piece of information is necessary for your teams. Review:
Limiting unnecessary PHI storage reduces the amount of sensitive information your organization needs to secure and monitor.
Identify who can view, edit, export, or transfer PHI within HubSpot. This includes reviewing:
Every user and system with access to PHI creates a potential point of exposure, so permissions should match actual business needs.
Use your findings to classify HubSpot data based on sensitivity:
This creates a clear inventory of PHI storage needs, exposure risks, and the HubSpot security settings required before handling healthcare data at scale.
Start by checking HubSpot’s security recommendations and confirming that users have only the access required for their roles.
Navigation path: Settings ⚙️ → Account Management → Security → Permissions tab
Review:
Then review individual user access:
Navigation path: Settings ⚙️ → Users & Teams → Select User → Permissions

Check:
This reduces unnecessary access to sensitive information and keeps PHI visibility limited to approved users.
Before storing PHI, confirm HubSpot’s Sensitive Data tools are enabled and configured correctly.
Navigation path: Settings ⚙️ → Security → Sensitive Data tab

Review:
For individual PHI fields:
Navigation path: Settings ⚙️ → Properties → Select/Create Property → Sensitive Data tab

Confirm properties containing PHI are properly classified and protected with the right access controls.
After configuring security settings, review how users and connected systems interact with your HubSpot data.
Navigation path: Settings ⚙️ → Account Management → Security
Review:
Ongoing monitoring helps identify permission changes, unusual activity, or new exposure risks as your HubSpot environment grows.
Review any HubSpot workflows that use properties containing PHI. Check:
Pay close attention to actions that transfer information into other HubSpot tools or external applications. Avoid exposing PHI through automated emails, notifications, task descriptions, or copied fields unless those processes have been reviewed for HIPAA compliance.
Go to: Settings → Integrations → Connected Apps
Review every third-party application connected to your HubSpot account. Check:
Any external system that receives PHI from HubSpot should be included in your HIPAA compliance review.
Create a data flow inventory showing:
Avoid placing PHI in areas that are harder to control or audit, such as general notes, comments, task descriptions, or unnecessary free-text fields. Keep PHI stored only in approved sensitive data properties with appropriate permissions.
Learn more from this article: Can You Use HubSpot Chatbots in Healthcare?
After completing your HubSpot HIPAA compliance review, document every security, configuration, and data handling gap you discover. A remediation plan creates a clear record of what needs to change, who owns each action, and how your organization will reduce PHI-related risks over time.
Record each issue found during your HubSpot audit and organize findings by risk area. Include:
Prioritize remediation based on how much the gap could affect the confidentiality, integrity, or availability of PHI.
High-priority fixes usually include:
HubSpot provides controls such as sensitive data properties, audit logging, encryption, and field-level permissions, but these need to be configured correctly for your organization’s compliance requirements.
Turn each identified gap into a documented action plan. Track:
Keep records of completed fixes, security decisions, configuration changes, and ongoing reviews. HIPAA compliance is not a one-time HubSpot setup task. Your remediation plan should become part of a continuous review process as your CRM data, integrations, users, and workflows change.
Recommended reading: How to Structure HubSpot Data Without Storing PHI

Reassess your HubSpot portal whenever changes could affect how PHI is stored, accessed, or shared. HIPAA compliance is not a one-time setup because new users, workflows, integrations, and data processes can introduce new risks over time.
Review your HubSpot access controls when:
Confirm that only approved users can view or edit PHI and review audit logs for sensitive data activity.
Perform another review when you:
Verify that PHI remains within approved tools and that external systems meet your compliance requirements.
Set a recurring schedule to review:
Regular reviews help keep your HubSpot configuration aligned with HIPAA requirements as your CRM setup evolves. Continue improving your HIPAA compliance efforts by learning the 10 PHI mistakes healthcare organizations should avoid.
A HubSpot HIPAA compliance risk assessment helps your organization understand where PHI exists, how it moves through your CRM, and what security gaps need to be resolved before storing sensitive health information. Reviewing your data processes, permissions, workflows, and integrations creates a stronger foundation for managing PHI responsibly.
If your organization needs support preparing HubSpot for HIPAA compliance, having the right technical and operational guidance can help you identify risks, configure security controls, and build processes that align with your compliance requirements.
Campaign Creators help organizations optimize and configure HubSpot portals for complex business needs, including healthcare teams that need stronger CRM structure, data management processes, and secure system workflows.
No. HubSpot can support HIPAA compliance, but your organization must configure Sensitive Data settings, accept the required agreements, and manage PHI correctly.
Yes. Organizations handling HIPAA-covered data need the appropriate Business Associate Agreement requirements completed before storing PHI in HubSpot.
No. HIPAA support depends on specific HubSpot features and configurations, so organizations should confirm where PHI can safely be stored and processed.
Your organization should identify where the PHI exists, restrict access, document the issue, and determine the required corrective actions.
Yes. Reducing unnecessary PHI storage limits the amount of sensitive information your organization needs to secure, monitor, and manage.
Healthcare companies need customer data to support marketing, sales, onboarding, customer success, and support. At the same time, they must protect...
Healthcare organizations can use HubSpot while maintaining HIPAA compliance, but only if the platform is configured correctly and Protected Health...
Protected health information (PHI) can become exposed in HubSpot in more ways than many healthcare organizations realize. Common mistakes, such as...