What HubSpot says officially
HubSpot’s Product and Services Catalog says Enterprise edition customers may enable Sensitive Data. It lists PHI as a permitted type, but notes that PHI is not available in every area and requires the customer to accept the Business Associate Agreement in account configuration.
The catalog names covered functionality within Smart CRM, Marketing Hub, Sales Hub, Content Hub, and Data Hub. Supported uses include specially flagged custom properties and specified forms, CRM activities, files, integrations, workflows, and other listed features, with different limits for highly sensitive data. The current Sensitive Data Terms incorporate the HubSpot BAA .
This is a conditional path tied to Enterprise, account activation, field configuration, and the published service list. It is not a general promise for every HubSpot area or lower plan.
What this means for a medical practice
A CRM can combine contact identity, form submissions, email, site activity, call notes, meetings, lists, reports, automation, and advertising data. Even if one property is marked sensitive, a workflow may copy its value into an unprotected email, integration, or free-text field.
The practice should define what belongs in HubSpot at all. Clinical records often belong in the EHR, while HubSpot may support a narrower relationship or communication workflow. Field-level classification, permissions, exports, and automation reviews are necessary to maintain that boundary.
Naming conventions help enforce it. Clearly label approved sensitive properties and prohibit staff from recreating the same information in general notes or duplicate fields. Audit saved views and reports as well, because access to a filtered list can reveal condition-based membership even when individual values are hidden.
A HIPAAconscious medical website must also account for HubSpot forms, tracking code, chat, and embedded features separately. Our healthcare marketing guidance supports useful outreach without copying diagnoses into campaign segmentation or ad audiences.
How to use it safely
- Contract for an Enterprise edition that includes the hubs and features the practice intends to use.
- Enable Sensitive Data, accept HubSpot’s BAA in the account, and retain the effective terms.
- Compare every intended feature with HubSpot’s current Sensitive Data covered-services list.
- Mark the appropriate custom properties as sensitive and prevent PHI from being copied into ordinary properties, URLs, subject lines, or unsupported tools.
- Use managed identities, minimum permissions, multifactor authentication, export controls, and prompt offboarding.
- Review forms, email, calling, files, AI, tracking, workflows, reports, ads, and integrations as distinct data paths.
- Keep the EHR as the clinical system of record unless the practice’s design and contracts expressly say otherwise.
- Test fictional contacts through forms, automations, emails, exports, integrations, retention, and deletion.
Compliant alternatives
Constant Contact offers a much narrower BAA-backed outreach path that excludes sensitive PHI. Microsoft 365 provides covered productivity and email services under its BAA but does not replace a configured CRM automation platform.
Bottom line
HubSpot supports PHI only through Enterprise Sensitive Data, an accepted BAA, and named covered services. Treat every field and feature as scoped: configure sensitive properties, restrict access, and stop automations or integrations from moving PHI into unsupported areas.