HubSpot is a popular customer relations management (CRM) platform that offers customers several services including sales and marketing. But is HubSpot HIPAA compliant? Below we examine if HubSpot is a HIPAA compliant solution.
HubSpot HIPAA Compliance and Business Associate Agreements
Usually when assessing a software provider's HIPAA compliance, we examine the security measures it has in place to protect protected health information (PHI). HubSpot does offer such data security protections, so rather than dwelling on them, let's cut to the chase.
One of the most important factors in determining whether a software provider is HIPAA compliant is its willingness to sign a business associate agreement (BAA). Software providers are considered business associates under HIPAA when they create, receive, transmit, store, or maintain PHI on behalf of their clients. A BAA must be signed between a healthcare organization and its business associate before the healthcare organization is permitted to share PHI with that business associate.
In HubSpot’s Customer Terms of Service, they state, “You may not use the Subscription Service if you are legally prohibited from receiving or using the Subscription Service under the laws of the country in which you are resident or from which you access or use the Subscription Service. The Subscription Service is not designed to comply with industry-specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA) or the Federal Information Security Management Act (FISMA), so you may not use the Subscription Service where your communications would be subject to such laws.”
Making HubSpot Comply with HIPAA
Some sources advise that you can use HubSpot and remain HIPAA compliant as long as you are not collecting PHI. In practice, that means once someone targeted by a marketing campaign becomes a patient, their information must be deleted from HubSpot and moved to another CRM that is HIPAA compliant. Others advise that you can use a CRM extension to make the use of HubSpot with PHI HIPAA compliant, but such an extension is essentially an external system.
Although both of these approaches may make the use of HubSpot HIPAA compliant, both are complex and prone to user error. As such, our advice is that instead of forcing HubSpot to be HIPAA compliant through these workarounds, you should use a CRM that is inherently HIPAA compliant. That way you do not need to worry about forgetting to delete PHI from your CRM or relying on an extension to make your CRM HIPAA compliant.
Is HubSpot HIPAA Compliant?
Is HubSpot HIPAA compliant? No, HubSpot is not HIPAA compliant. Even though HubSpot offers the security measures necessary to protect PHI, it clearly states on its website that it is not a HIPAA compliant solution, because it does not currently sign BAAs with its clients. It is therefore recommended that healthcare organizations choose a different CRM that is HIPAA compliant.