Healthcare organizations can use HubSpot while maintaining HIPAA compliance, but only if the platform is configured correctly and Protected Health Information (PHI) is handled appropriately. For many organizations, the safest approach is to keep PHI out of HubSpot and use it only for customer relationship management, marketing, sales, and service data.
Keeping PHI separate from your CRM helps reduce compliance risks, limits unnecessary exposure of sensitive patient information, and makes it easier to meet HIPAA's minimum necessary standard. When PHI is required, it should be stored only with HubSpot's supported HIPAA features or in a dedicated HIPAA-compliant healthcare system.
This article explains what HIPAA compliance means for HubSpot users, what data is safe to store, how to prevent PHI from entering your CRM, and the best practices for keeping your HubSpot portal PHI-free.
HIPAA compliance means using the platform in a way that protects Protected Health Information and meets the administrative, technical, and physical safeguards required by the Health Insurance Portability and Accountability Act (HIPAA).
HubSpot can support HIPAA compliance, but it is not HIPAA compliant by default. Your organization must configure the platform correctly and follow HIPAA requirements in how you collect, store, access, and share PHI.
For most HubSpot users, HIPAA compliance involves four key responsibilities:
Simply purchasing HubSpot or storing patient information in the CRM does not automatically satisfy HIPAA requirements. Compliance depends on your organization's policies, user permissions, employee training, data handling procedures, and ongoing security practices in addition to the platform's technical safeguards.
Even though HubSpot now offers HIPAA-supported features for eligible Enterprise customers, storing PHI unnecessarily increases your compliance obligations and the risk of data exposure. Here are the main reasons to avoid storing PHI in HubSpot:
HIPAA coverage applies only to specific Enterprise features included in HubSpot's Sensitive Data terms. Popular tools such as chatbots, live chat, call recordings, some analytics, personalization tokens, and sandbox environments either have restrictions or are excluded from HIPAA coverage. Accidentally using PHI in these tools can create a compliance issue.
If PHI is entered into unsupported properties, emails, notes, attachments, workflows, or third-party integrations, your organization could violate HIPAA. Following the "minimum necessary" principle reduces the chance of exposing sensitive patient information.
Many HubSpot portals connect to scheduling tools, marketing apps, customer support platforms, and analytics software. If any connected application is not HIPAA compliant or does not have a BAA, PHI may be exposed outside your protected environment.
Once PHI is stored in HubSpot, administrators must configure Sensitive Data settings, classify PHI fields, manage user permissions, enforce multifactor authentication, monitor audit logs, and regularly review access. These safeguards help protect patient information but also add ongoing compliance responsibilities.
For many healthcare organizations, a better practice is to store PHI only in a dedicated HIPAA-compliant system, such as an EHR, and synchronize only the minimum non-sensitive data needed for marketing, sales, or customer relationship management into HubSpot. This reduces your compliance scope and helps protect patient privacy.
If you're not using HubSpot's HIPAA-supported features, you should store only non-sensitive customer and business information. Examples of data you can safely store in a standard HubSpot portal include:
| Safe to Store | Examples |
|---|---|
| Contact information | Name, business email address, phone number, company, job title |
| Company information | Organization name, industry, company size, website, location |
| Sales data | Deal stage, pipeline status, quotes, products purchased, contract dates |
| Marketing engagement | Email opens, clicks, form submissions, page views, content downloads, event registrations |
| Customer relationship data | Lifecycle stage, lead status, customer segment, account owner, communication preferences |
| Support information | Ticket status, issue category, service history, satisfaction scores (without medical details) |
Unless you've enabled HubSpot's Sensitive Data features, signed a Business Associate Agreement, and configured your portal for HIPAA support, you should avoid storing information such as:
This information is considered PHI under HIPAA and requires additional safeguards. Learn more about what you should and shouldn’t automate in HubSpot for HIPAA compliance.
Start by identifying every place data enters HubSpot, including forms, chatflows and live chat, meeting schedulers, imports, integrations, and manual CRM updates.
Remove any fields that ask for medical conditions, diagnoses, treatment details, insurance information, or other PHI. Collect only the information needed for sales and marketing activities.
Your forms should request only non-sensitive information, such as name, email address, phone number, company, job title, and reason for contacting your business.
Avoid open-ended text fields that encourage visitors to describe symptoms, medical history, or treatment needs. If detailed health information is required, direct users to a secure patient portal or HIPAA-compliant intake system instead.
Train employees to avoid entering PHI into:
Reference a patient or case using an internal identifier when appropriate and store medical information only in your designated healthcare system.
Review every connected application to ensure it only synchronizes the data needed for CRM and marketing. Exclude medical records, diagnoses, treatment information, and other PHI from synchronization whenever possible.
Many accidental HIPAA issues occur when integrations automatically copy sensitive information into HubSpot.
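As an added example (not code from this article or from HubSpot), here is a field-level gate that a sync job or intake handler could run before any record is pushed into the CRM: it allowlists the non-sensitive fields the article lists as safe to store, drops anything unrecognised, and fails closed when a known PHI field is present. The property names, the deny list and the sample record are constructed for illustration and are a starting point, not a complete PHI inventory.

```python
"""Added example: a field-level gate for an EHR/intake-to-CRM sync.

Assumptions (not from the article): records arrive as flat dicts, and
the property names below are illustrative, not a full HubSpot schema.
"""
from dataclasses import dataclass, field

# Fields the article lists as safe to keep in the CRM layer.
CRM_ALLOWLIST = frozenset({
    "firstname", "lastname", "email", "phone", "company", "jobtitle",
    "lifecyclestage", "lead_status", "communication_preferences",
})

# Fields the article says belong only in the EHR or another HIPAA system.
# Any of these in a payload fails the sync closed rather than being dropped.
PHI_DENYLIST = frozenset({
    "medical_history", "diagnosis", "treatment_plan", "lab_results",
    "clinical_notes", "insurance_member_id", "billing_record",
})


@dataclass
class SyncResult:
    payload: dict
    dropped: list = field(default_factory=list)   # unknown fields not synced
    blocked: list = field(default_factory=list)   # known PHI fields seen

    @property
    def ok(self) -> bool:
        return not self.blocked


def gate_for_crm(record: dict) -> SyncResult:
    """Keep only allowlisted fields; report unknown fields as dropped and
    refuse the whole record if a known PHI field is present at all."""
    result = SyncResult(payload={})
    for key, value in record.items():
        k = key.lower()
        if k in PHI_DENYLIST:
            result.blocked.append(key)     # minimum necessary: never sync
        elif k in CRM_ALLOWLIST:
            result.payload[key] = value
        else:
            result.dropped.append(key)     # unknown field: assume sensitive
    if result.blocked:
        result.payload = {}                # fail closed: nothing leaves
    return result


# Constructed sample intake record (not real data).
SAMPLE = {"firstname": "Ada", "email": "ada@example.com",
          "diagnosis": "...", "referral_source": "web"}

if __name__ == "__main__":
    r = gate_for_crm(SAMPLE)
    print(r.ok, r.blocked, r.dropped, r.payload)
```

The blocked list is what an integration owner should route to an alert or review queue, since it shows exactly which connected source is trying to push PHI into the CRM.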
Even if you don't intend to store PHI, limit who can import contacts, create custom properties, edit forms, connect integrations, and export CRM data. Strong role-based permissions help prevent accidental collection or exposure of sensitive information.
If your organization must store PHI in HubSpot, first:
If your objective is to avoid storing PHI altogether, you typically don't need to enable these settings because no protected health information should enter your CRM.
Depending on your organization's needs, PHI is typically stored in one of the following systems:
An EHR or EMR is the primary location for storing patient health information, including medical histories, diagnoses, medications, treatment plans, lab results, and clinical notes. These systems are built for healthcare workflows and are designed to support HIPAA compliance through robust security controls and audit capabilities.
Learn how HubSpot integrates with major EHR platforms in this guide.
Patient portals provide a secure way for patients to complete forms, access medical records, review test results, schedule appointments, and communicate with healthcare providers. The portal securely connects to the organization's EHR rather than exposing sensitive information through a CRM or email.
Organizations often use secure document repositories to store consent forms, referrals, insurance documents, imaging files, and other healthcare records. These systems include encryption, permission controls, version history, and audit trails to help protect sensitive information.
Larger healthcare organizations may use integrated healthcare information systems that combine EHRs, billing, scheduling, laboratory systems, and other clinical applications. These platforms are designed to securely store and exchange PHI across departments while maintaining appropriate access controls.
For many healthcare organizations, HubSpot works best as the customer relationship management (CRM) layer, while the EHR remains the system of record for PHI.
| Store in HubSpot | Store in EHR or HIPAA-compliant system |
|---|---|
| Contact information | Medical history |
| Marketing preferences | Diagnoses |
| Sales pipeline | Treatment plans |
| Appointment requests (without clinical details) | Lab results |
| Marketing engagement | Clinical notes |
| Customer service interactions (without PHI) | Insurance and billing records containing PHI |
This separation lets marketing, sales, and service teams work in HubSpot without routinely accessing sensitive medical information.
Most HIPAA violations happen because of human error, poor processes, or improper handling of PHI, not because the software itself fails. In fact, many reported breaches are linked to employee mistakes and noncompliance with HIPAA requirements.
Here are some of the most common mistakes to avoid:
Even if your organization has a BAA, not every HubSpot tool is covered for HIPAA use. Entering PHI into emails, notes, attachments, chat conversations, or unsupported integrations can create compliance issues if those features are not designed to handle protected data.
HIPAA's "minimum necessary" standard requires organizations to use and disclose only the amount of PHI needed for a specific purpose. Asking patients to provide diagnoses, treatment details, or insurance information in marketing forms or CRM records often creates unnecessary compliance risk.
Allowing all users to view, edit, or export records containing PHI increases the risk of unauthorized access. Access should be limited based on job responsibilities, with role-based permissions and regular access reviews.
Employees who are unaware of HIPAA requirements may accidentally enter PHI into CRM notes, upload medical documents, email sensitive information, or disclose patient data without authorization. Regular HIPAA training is an important administrative safeguard.
Integrations that sync data between HubSpot and other applications can unintentionally transfer PHI into systems that are not covered by a BAA or lack appropriate security controls. Every connected application that handles PHI should be evaluated for HIPAA compliance.
HIPAA requires organizations to protect electronic PHI through administrative, technical, and physical safeguards. Weak passwords, missing multifactor authentication, poor access controls, inadequate encryption, and a lack of audit logging can all increase the risk of a data breach.
Sending patient information to the wrong recipient, discussing PHI with unauthorized individuals, or disclosing more information than necessary can violate the HIPAA Privacy Rule. Organizations should establish clear procedures for when and how PHI may be shared.
To help you avoid these common mistakes, we've created a guide with seven ways to better protect PHI in HubSpot.
Keeping PHI out of your CRM whenever possible reduces compliance risk and helps your teams to manage marketing, sales, and customer relationships without exposing sensitive patient data.
If your organization needs to store PHI in HubSpot, use the platform's HIPAA-supported features, execute a BAA, and apply the required security controls. Otherwise, keep PHI in your EHR or another HIPAA-compliant system and sync only the non-sensitive data your teams need.
Campaign Creators help healthcare organizations configure HubSpot to support compliance goals without adding unnecessary risk. If you want to build a secure CRM that supports your marketing and sales efforts, our team can help you create a HubSpot environment that fits your workflows and HIPAA requirements.