Vendor documentation review

Is HubSpot HIPAA Compliant? (2026 Verdict)

Conditionally

HubSpot permits PHI in specific Enterprise Sensitive Data services after the customer accepts its BAA, with important feature and field limits.

Last verified:

At a glance

BAA available
Yes
Plan required
Enterprise edition with Sensitive Data enabled
Configuration required
Accept the BAA, enable Sensitive Data, flag the right fields, restrict users, and stay within the covered-service list.
Category
Email Marketing
Official site
Visit HubSpot

What HubSpot says officially

HubSpot’s Product and Services Catalog says Enterprise edition customers may enable Sensitive Data. It lists PHI as a permitted type, but notes that PHI is not available in every area and requires the customer to accept the Business Associate Agreement in account configuration.

The catalog names covered functionality within Smart CRM, Marketing Hub, Sales Hub, Content Hub, and Data Hub. Supported uses include specially flagged custom properties and specified forms, CRM activities, files, integrations, workflows, and other listed features, with different limits for highly sensitive data. The current Sensitive Data Terms incorporate the HubSpot BAA .

This is a conditional path tied to Enterprise, account activation, field configuration, and the published service list. It is not a general promise for every HubSpot area or lower plan.

What this means for a medical practice

A CRM can combine contact identity, form submissions, email, site activity, call notes, meetings, lists, reports, automation, and advertising data. Even if one property is marked sensitive, a workflow may copy its value into an unprotected email, integration, or free-text field.

The practice should define what belongs in HubSpot at all. Clinical records often belong in the EHR, while HubSpot may support a narrower relationship or communication workflow. Field-level classification, permissions, exports, and automation reviews are necessary to maintain that boundary.

Naming conventions help enforce it. Clearly label approved sensitive properties and prohibit staff from recreating the same information in general notes or duplicate fields. Audit saved views and reports as well, because access to a filtered list can reveal condition-based membership even when individual values are hidden.

A HIPAAconscious medical website must also account for HubSpot forms, tracking code, chat, and embedded features separately. Our healthcare marketing guidance supports useful outreach without copying diagnoses into campaign segmentation or ad audiences.

How to use it safely

  1. Contract for an Enterprise edition that includes the hubs and features the practice intends to use.
  2. Enable Sensitive Data, accept HubSpot’s BAA in the account, and retain the effective terms.
  3. Compare every intended feature with HubSpot’s current Sensitive Data covered-services list.
  4. Mark the appropriate custom properties as sensitive and prevent PHI from being copied into ordinary properties, URLs, subject lines, or unsupported tools.
  5. Use managed identities, minimum permissions, multifactor authentication, export controls, and prompt offboarding.
  6. Review forms, email, calling, files, AI, tracking, workflows, reports, ads, and integrations as distinct data paths.
  7. Keep the EHR as the clinical system of record unless the practice’s design and contracts expressly say otherwise.
  8. Test fictional contacts through forms, automations, emails, exports, integrations, retention, and deletion.

Compliant alternatives

Constant Contact offers a much narrower BAA-backed outreach path that excludes sensitive PHI. Microsoft 365 provides covered productivity and email services under its BAA but does not replace a configured CRM automation platform.

Bottom line

HubSpot supports PHI only through Enterprise Sensitive Data, an accepted BAA, and named covered services. Treat every field and feature as scoped: configure sensitive properties, restrict access, and stop automations or integrations from moving PHI into unsupported areas.

Frequently asked questions

Does HubSpot offer a Business Associate Agreement?

Yes. Enterprise customers can accept HubSpot's BAA when enabling Sensitive Data for PHI in account configuration.

Can PHI go anywhere in HubSpot after the BAA?

No. HubSpot publishes a covered-services list and says PHI is not available in all areas, so data must stay inside supported features and appropriately flagged properties.

Which HubSpot plan can enable PHI Sensitive Data?

HubSpot's current product catalog limits Sensitive Data enablement to Enterprise edition subscriptions.

HIPAA-friendly alternatives

A practical second look

Not sure what your website and tools are doing with patient data?

Request a done-for-you review.

Request a review