The challenge with finding HIPAA-compliant software
For businesses in healthcare, the life sciences, and Medtech, HIPAA compliance is non-negotiable. This can make finding CRM software (customer relationship management) a real challenge.
Often times CRM software providers will claim they are HIPAA compliant, but when you dig a little deeper, you discover that they simply offer options that could be used to fulfill a few HIPAA regulations.
The problem is that using tools that only offer half-measures and workarounds will either fall short of what you need or require a lot of extra effort on the part of you and your team.
What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) is a set of standards that governs the collection, storage, and accessibility of PHI (protected health information) in the US.
Any company or business that handles or processes the PHI of US citizens must adhere to these standards. Check out our HIPAA Compliant Software Guide to learn more about HIPAA compliance requirements.
Covered Entities and Business Associates
HIPAA categorizes the groups responsible for safeguarding PHI into two broad categories — Business Associates and Covered Entities
- Covered Entities- Covered Entities are businesses, organizations, and individuals that deal directly with patients and patient data. Some common examples include:
- Private doctors
- Insurance providers
- Business Associates- Business Associates are businesses, organizations, and individuals that work with Covered Entities and whose work with those entities may involve access or exposure to sensitive data and PHI. Some common examples include:
- Software companies with access/exposure to PHI
- Data Processing companies with access/exposure to PHI
Business Associate Agreements
HIPAA requires that all Covered Entities sign a Business Associate Agreement (BAA) with any business, organization, or individual who may come into contact with PHI as part of their services.
This Business Associate Agreement details the specific responsibilities and procedures for the handling of sensitive data by the parties and, as such, can differ based on the needs, capabilities, and requirements of the parties involved. That said, a BAA must include the following:
- What PHI the Business Associate will be able to access
- What safeguards — physical, technical, and administrative — will be in place to protect the PHI
- The procedures for the storage, transfer, and destruction of PHI
- The procedures to follow in the event of a data breach
- The procedures to follow when terminating the BAA
Is HubSpot HIPAA compliant?
No. In fact, HubSpot’s terms of service prohibit the capture, storage, or transfer of PHI within the Hubspot platform.
Furthermore, HubSpot will NOT enter into a BAA with a Covered Entity.
That said, if you wish to go against the recommendations of HubSpot and use it as part of a HIPAA compliant tech stack, it is possible (though you do so at your own risk).
Through the use of a separate CRM extension and some best practices in place to avoid the cross-contamination of data, you can fulfill the requirements of HIPAA.
Achieving and maintaining HIPAA compliance with HubSpot: Using a CRM extension
One way to be HIPAA compliant while using HubSpot is to employ a CRM extension. There are a couple of things to consider when doing this:
- The CRM extension will have to be HIPAA compliant- This will limit the options available to you.
- The CRM extension will have to be hosted separately- All of the information captured, stored, and transferred by the CRM extension will have to be maintained separately from the HubSpot platform.
To make this work effectively, you may require several integrations for the CRM extension, increasing the cost and complexity of your tech stack significantly.
Additionally, the chance of error, whether human or technical, rises exponentially with this solution, and those errors can result in the violation of HIPAA regulations.
Achieving and maintaining HIPAA compliance with HubSpot: The marketing-only approach
While it may seem like HubSpot is simply not an effective solution for businesses in healthcare, the life sciences, and med tech, Hubspot’s top-of-field marketing tools may make it worth the risk and effort for some companies.
In these instances, it is possible to use HubSpot as a marketing support tool but you will need to take steps to avoid cross-contamination of data.
First, you will need to integrate with the various digital tools you use every day, including:
- EMR systems (Electronic Medical Records)
- CRM systems (see the CRM extension section above)
- Project management software
- Patient databases
- Patient communication systems
Each of these systems will have to be categorized as either containing PHI or not containing PHI and rules will need to be put in place around who can access which tool and for what purpose.
This isn’t entirely different than managing your already existing tech stack, but the consequences of mistakes can be significantly greater and it places a lot of responsibility on your team to maintain compliance.
Next, you will have to create clear protocols around what happens when a marketing prospect becomes a patient. At the very least, their information must be removed from HubSpot and stored somewhere else (your HIPAA compliant CRM extension, for example).
Achieving and maintaining HIPAA compliance with HubSpot: In the event of a data breach
Perhaps the greatest concern with using HubSpot as part of your HIPAA compliant tech stack is what could happen in the event of a data breach.
HubSpot’s terms of service are clear — HubSpot disclaims all liability in the event of a data breach, even in cases where the breach was a result of HubSpot’s own security failings.
This can make complying with the HIPAA breach notification rule a challenge and open you up to significant fines and punishments.
FreeAgent can help you achieve and maintain HIPAA compliance without all the extra work
FreeAgent is a HIPAA-compliant CRM that understands businesses’ unique needs and requirements in healthcare, the life sciences, and Medtech.
With FreeAgent you get hassle-free HIPAA. That means:
- No 3rd party BAAs
- No extra expense
- No risk
Try FreeAgent CRM today, for free, and discover why work’s better with FreeAgent on your team.