Is HubSpot HIPAA Compliant? What Healthcare Marketers Need to Know

Written by Campaign Creators | 04/17/26

Healthcare marketing often involves emails, appointment reminders, and follow-ups that touch sensitive patient data. That creates real risk if your systems are not set up to protect Protected Health Information (PHI).

In 2024, HubSpot introduced sensitive data tools and support for Business Associate Agreements (BAAs), making it possible to configure parts of the platform for HIPAA-compliant use.

Even with these updates, compliance is not automatic. You still need the right setup, an Enterprise plan, and strict controls to use HubSpot safely in a healthcare environment.

What HIPAA Compliance Means for Healthcare Marketing

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law designed to protect sensitive patient health information from being disclosed without a patient’s knowledge or consent. In the context of marketing, this means that every automated email, lead capture form, and analytics script must adhere to strict national standards for data privacy and security.

The most critical concept for marketers to master is Protected Health Information (PHI). Many marketing teams mistakenly believe PHI only refers to clinical records or diagnoses. However, under HIPAA, PHI is any individually identifiable information that relates to a person’s past, present, or future health condition, the provision of healthcare, or payment for those services.

PHI is often created by combining data points. For example, an email address or an IP address is not PHI on its own, but the moment it is linked to a specific condition, page visit, or appointment request, it becomes protected data. HIPAA lists 18 specific identifiers, including names, geographic data smaller than a state, phone numbers, and device identifiers.

The stakes of ignoring these requirements are exceptionally high. Beyond the average data breach cost of $7.42 million in the healthcare industry, organizations face tiered financial penalties for violations that can reach millions of dollars annually. Ultimately, however, the greatest risk is the loss of patient trust.

Is HubSpot HIPAA Compliant and What Changed?

HubSpot is HIPAA compliant, but only when you configure it correctly. You can use HubSpot to handle PHI if you’re on eligible plans, enable sensitive data features, and sign a Business Associate Agreement. Without those steps, the platform is not compliant by default, so using it like a standard CRM would not meet HIPAA requirements.

What Changed in 2024

  • HIPAA support introduced: HubSpot officially entered the healthcare space with features designed to support HIPAA requirements.
  • Sensitive data tools added: You can now store and manage PHI with encryption, access controls, and audit logs inside the CRM.
  • BAA availability built in: HubSpot now offers a Business Associate Agreement when you enable HIPAA-related settings.
  • Expanded Smart CRM capabilities: The platform can now handle regulated data across marketing, sales, and service workflows.
  • Controlled access and permissions: You can limit who sees sensitive data, reducing risk across teams.

Despite these advancements, it is crucial to understand that HubSpot is not universally HIPAA compliant across all its versions.

What HubSpot Allows and Restricts Under HIPAA

You need to understand the limits of HubSpot’s HIPAA support, since compliance only applies to specific covered services listed in the Business Associate Agreement and only when sensitive data settings are enabled on an Enterprise account. You also need to separate what data can be stored from how it can be used. Not all PHI can be used in automation or workflows, even if it is stored securely.

Permitted Uses: Core CRM and Data Management

HubSpot primarily functions as a secure repository for Protected Health Information within its core CRM architecture. The BAA permits the collection, storage, and internal management of sensitive data through specific tools:

  • CRM Object Properties: You are allowed to store PHI in properties for contacts, companies, deals, and tickets, provided these fields are manually flagged as "sensitive" or "highly sensitive".
  • Data Ingestion and Organization: The BAA covers data brought in via manual entry, imports, and authenticated API calls. Once inside, this data can be used to build lists and power internal workflows that update records or create tasks for staff.
  • Basic Reporting and Search: You can perform searches and build single-object reports, attribution reports, and dashboards using sensitive properties.
  • CRM Activities and Attachments: The BAA includes CRM activities and sensitive attachments added manually through notes, emails, and forms.

Strict Restrictions: Marketing Outreach and Advanced Analytics

Many features that are standard in non-healthcare marketing are expressly excluded from the BAA to prevent accidental impermissible disclosures.

  • The Personalization Barrier: Sensitive properties cannot be used as personalization tokens in emails. For example, you cannot automatically pull a patient’s specific health condition or treatment detail into an email subject line or body, as this would transmit PHI through non-covered email infrastructure.
  • Advanced Analytical Tools: While basic reports are allowed, the Custom Report Builder, Customer Journey Reports, and Data Sets are currently excluded from the BAA. Similarly, Snowflake Data Sharing is not a covered service.
  • Communication and AI Features: HubSpot does not extend HIPAA protection to its chatbots, live chat, or playbooks. While call logs can be stored, the platform strictly prohibits storing call recordings or transcripts that contain PHI. Additionally, sensitive data cannot be used to train HubSpot’s machine learning models.
  • Development Environments: PHI is prohibited from being synced into Sandboxes, meaning testing must be conducted with de-identified or "dummy" data.

The Integration Exception

It is a common misconception that HubSpot's BAA covers every tool connected to the CRM. Every third-party integration, such as Shopify, WhatsApp, or standard SMS tools, must independently be HIPAA-compliant and have its own BAA with your organization. Using a non-compliant integration to move data out of HubSpot can invalidate your compliance chain and lead to significant regulatory exposure.

Where HubSpot Works in Healthcare and Where It Doesn’t

You can safely use HubSpot to manage healthcare operations provided your organization meets the strict prerequisite threshold: You must be on an Enterprise-tier plan, have manually activated the Sensitive Data Settings, and have a signed BAA in place. Once these conditions are met, the platform is suitable for several core functions:

  • Centralized Patient Relationship Management: You can use HubSpot as a secure repository for Protected Health Information within core CRM objects, such as contact, company, and deal properties, provided those fields are specifically flagged as sensitive.
  • Internal Operational Automation: HubSpot is effective for building internal workflows that do not transmit data externally. For example, you can automate record updates, create internal tasks for staff, or trigger alerts for care coordinators based on patient status changes.
  • Secure Inbound Lead Capture: You can use HubSpot’s forms and authenticated APIs to securely collect patient information, symptoms, or appointment requests. These submissions are protected under the BAA as long as the data is routed into sensitive properties.
  • De-identified Marketing Outreach: Organizations can still use HubSpot for traditional digital marketing, such as general health awareness campaigns or educational sequences, as long as the data remains de-identified. If you are not using PHI, such as targeting users based on general interests rather than a specific diagnosis, you can use the platform's broader marketing suite.

The Danger Zone for HubSpot in healthcare often involves its most popular marketing automation features. Even with a BAA, there are several scenarios where using the platform will result in a compliance violation:

  • Lower-Tier Subscriptions: You cannot use HubSpot to store or transmit PHI if you are on a Free, Starter, or Professional plan. These tiers do not support HIPAA features or the BAA, and any entry of PHI into these portals is a direct violation of HubSpot’s Terms of Service.
  • Advanced Analytics and Journey Tracking: You cannot use PHI within HubSpot’s Custom Report Builder, Customer Journey Reports, or Data Sets. These analytical tools often pull data into environments that are not covered by the BAA, making them off-limits for sensitive health data.
  • Interactive and AI-Powered Tools: HubSpot strictly excludes chatbots, live chat, and call recordings from its HIPAA-protected services. Any conversation that involves a patient disclosing health details through these channels is considered an impermissible disclosure.
  • Non-Compliant Third-Party Integrations: You cannot use HubSpot to pass PHI to any third-party app that does not have its own independent BAA with your organization.

Because of these limitations, it helps to work with a certified HubSpot Elite Solutions Partner that understands both the platform and HIPAA requirements.

How to Set Up HubSpot for HIPAA Compliance

Setting up HubSpot for HIPAA compliance starts with meeting the right prerequisites before any configuration takes place.

Prerequisites and the Business Associate Agreement

Your organization must be subscribed to a HubSpot Enterprise-tier plan. Lower-tier subscriptions, such as Free, Starter, or Professional, do not support the security infrastructure required for HIPAA and are legally prohibited from storing Protected Health Information.

In a departure from many legacy software providers, HubSpot does not require a lengthy manual contract negotiation for its BAA. Instead, the BAA is automatically executed when an administrator with super-admin permissions identifies the organization as a HIPAA-covered entity within the sensitive data settings. This agreement establishes the legal framework for how HubSpot receives, maintains, and protects your PHI, but it only covers the specific covered services listed in the agreement, such as the core CRM, list creation, and certain internal workflows.

Step-by-Step Platform Activation

To activate the HIPAA-protected environment, an administrator must navigate to the Security tab within Settings and locate the Sensitive Data section.

  1. Click "Configure sensitive data settings" and select the "Health/Medical Data" checkbox to signal the type of information you intend to store.
  2. Explicitly check the box confirming that your organization is a HIPAA-covered entity or business associate.
  3. Review and accept the Sensitive Data Terms and the BAA, then turn on the settings. Once these settings are enabled, they cannot be reversed, so pre-implementation planning is essential.

Configuring HIPAA-Compliant Properties

Once the portal is activated, you must manually classify the data fields that will hold sensitive information. HubSpot does not automatically know which fields contain PHI. You must create or edit CRM object properties and flag them as "Sensitive" or "Highly Sensitive".

Within the property settings, you must check the box labeled "Yes, this data contains Protected Health Information (PHI)". This action triggers application-layer encryption for those specific fields, ensuring an extra level of protection beyond standard encryption at rest.

Organizations must be cautious: if PHI was accidentally stored in a non-sensitive property before this setup, that data must be deleted and re-imported into a newly created sensitive property, as HubSpot cannot retroactively apply these protections to existing fields.

How to Stay HIPAA Compliant When Using HubSpot

These practices help reduce the risk of exposing PHI and keep your setup aligned with HIPAA requirements:

  1. You must have a signed BAA with every vendor in your stack that handles PHI, including your CRM, email platforms, and form builders.
  2. Every connector or integration that touches patient data requires its own independent BAA and security review.
  3. You need specific, informed, and signed authorization before using PHI for marketing or disclosing it to non-BAA vendors.
  4. Limit the use and disclosure of PHI to the minimum required to achieve a specific marketing or operational goal.
  5. Within HubSpot, you must flag properties as “Sensitive” or “Highly Sensitive” to trigger application-layer encryption and proper safeguards.
  6. Require Multi-Factor Authentication (MFA), Single Sign-On (SSO), and role-based permissions to prevent unauthorized access.
  7. Activate audit logging to track who viewed, edited, or exported PHI, and perform regular reviews.
  8. Do not store PHI in notes or unclassified fields, and avoid using it in personalization tokens, email content, or automated workflows.
  9. Disable tracking pixels on sensitive pages and use server-side tracking to limit exposure of identifiers like IP addresses.
  10. Conduct regular HIPAA training and never use real PHI in sandboxes or testing environments. Use de-identified data instead.
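As an added example (not code from the original post, from HubSpot, or from Campaign Creators), the following pre-send lint enforces the personalization-token restriction described under Strict Restrictions and in practice 8 above: it scans email template text for tokens that reference contact properties flagged as sensitive or highly sensitive, and also flags properties it cannot find in the catalogue, since those cannot be proven safe. The property catalogue, the sensitivity level names, the sample templates, and the two HubL token shapes recognised are all assumptions constructed for the example.

```python
import re
from typing import Dict

# Constructed catalogue: property internal name -> sensitivity level an admin
# set in HubSpot. A real check would load this from the portal's property
# definitions; these names and levels are made up for the example.
PROPERTY_SENSITIVITY: Dict[str, str] = {
    "firstname": "non_sensitive",
    "email": "non_sensitive",
    "diagnosis": "highly_sensitive",
    "next_appointment": "sensitive",
    "preferred_clinic": "sensitive",
}

# Token shapes recognised: {{ contact.prop }} (optionally with a |filter) and
# personalization_token('contact.prop', 'default'). Other HubL forms are not
# covered and are assumed absent from the templates being linted.
TOKEN_RE = re.compile(r"\{\{\s*contact\.([A-Za-z0-9_]+)\s*(?:\|[^}]*)?\}\}")
PTOKEN_RE = re.compile(r"personalization_token\(\s*['\"]contact\.([A-Za-z0-9_]+)['\"]")

def referenced_properties(template: str) -> set:
    """Internal names of every contact property the template's tokens reference."""
    return set(TOKEN_RE.findall(template)) | set(PTOKEN_RE.findall(template))

def find_phi_tokens(template: str, sensitivity: Dict[str, str]) -> Dict[str, str]:
    """Map each risky token to the reason: its sensitivity level, or 'unknown property'
    when it is missing from the catalogue and therefore cannot be proven safe."""
    findings = {}
    for name in referenced_properties(template):
        level = sensitivity.get(name)
        if level is None:
            findings[name] = "unknown property"
        elif level != "non_sensitive":
            findings[name] = level
    return findings

def lint_templates(templates: Dict[str, str], sensitivity: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Return only the templates that have findings, keyed by template name."""
    return {name: f for name, body in templates.items()
            if (f := find_phi_tokens(body, sensitivity))}

# Constructed sample templates, not taken from any real portal.
SAMPLE_TEMPLATES = {
    "welcome": "Hi {{ contact.firstname|default('there') }}, thanks for subscribing.",
    "reminder": "Hi {{ contact.firstname }}, your {{ contact.next_appointment }} "
                "visit at {{ contact.preferred_clinic }} is coming up.",
    "followup": "Your plan for {{ personalization_token('contact.diagnosis', '') }} is ready.",
    "nickname": "Hello {{ contact.nickname }}",
}
```

Running `lint_templates(SAMPLE_TEMPLATES, PROPERTY_SENSITIVITY)` passes only the welcome template; the reminder and follow-up templates are blocked for sensitive properties and the nickname template for an uncatalogued one.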

Even with these controls in place, compliance depends on how your system is configured and maintained over time. Working with a compliance specialist can help you validate your setup and avoid gaps as your use of the platform grows.

Your Next Step Toward a Compliant Setup

HIPAA is not something you configure once and move on from. It requires constant attention to how data is collected, stored, accessed, and shared across every part of your system. Small missteps like an overlooked integration or an unclassified field can expose sensitive information and create serious risk.

That is why relying on internal guesswork often falls short. In practice, getting this right means treating compliance as an ongoing operational standard, not a feature you switch on. That is also where working with the right partner makes a difference.

At Campaign Creators, we help organizations design and implement HubSpot environments that align with HIPAA from the ground up.