Is HubSpot HIPAA compliant?
No. In fact, HubSpot's terms of service prohibit the capture, storage, or transfer of PHI within the HubSpot platform.
HubSpot's terms of service explicitly forbid the storage or processing of sensitive health or financial information.
Furthermore, HubSpot will not enter into a BAA with a Covered Entity.
Some organizations use a separate CRM extension together with a set of best practices in order to fulfill the requirements of HIPAA while using HubSpot. However, any passage of PHI through the HubSpot platform, even when collected by a third-party extension, is a violation of HubSpot's Terms of Service. The company's terms of service prohibit Covered Entities and Business Associates from using HubSpot to collect, receive, store, or transmit PHI through the platform.
We cover more on this CRM extension further in the article.
The challenge with finding HIPAA-compliant software
For most businesses in healthcare, HIPAA compliance is non-negotiable. However, a lot of businesses are surprised to learn that the largest CRM vendors are not HIPAA-compliant.
While the HubSpot platform is not HIPAA compliant, your business can be HIPAA-compliant while using HubSpot. We cover how below.
A basic overview of major CRM vendors and HIPAA compliance
| Salesforce CRM | HubSpot CRM | FreeAgent CRM |
|---|---|---|
| Salesforce requires that you deal with a third-party BAA provider as well as purchase "Shield" premium services at 20-30% additional cost on your subscription. | HubSpot's terms of service prohibit the capture, storage, or transfer of PHI within the HubSpot platform. Furthermore, HubSpot will not enter into a BAA with a Covered Entity. | Native HIPAA compliance without the need for third-party vendors. No extra costs. |
What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) is a set of standards that governs the collection, storage, and accessibility of PHI (protected health information) in the US.
Any company or business that handles or processes the PHI of US citizens must adhere to these standards. Check out the HIPAA Compliant Software Guide to learn more about HIPAA compliance requirements.
Covered Entities and Business Associates
HIPAA categorizes the groups responsible for safeguarding PHI into two broad categories — Business Associates and Covered Entities.
- Covered Entities: businesses, organizations, and individuals that deal directly with patients and patient data. Some common examples include:
  - Hospitals
  - Clinics
  - Private doctors
  - Insurance providers
- Business Associates: businesses, organizations, and individuals that work with Covered Entities and whose work with those entities may involve access or exposure to sensitive data and PHI. Some common examples include:
  - Software companies with access/exposure to PHI
  - Data processing companies with access/exposure to PHI
  - Lawyers
  - Accountants
Business Associate Agreements
HIPAA requires that all Covered Entities sign a Business Associate Agreement (BAA) with any business, organization, or individual who may come into contact with PHI as part of their services.
This Business Associate Agreement details the specific responsibilities and procedures for the handling of sensitive data by the parties and, as such, can differ based on the needs, capabilities, and requirements of the parties involved. That said, a BAA must include the following:
- What PHI the Business Associate will be able to access
- What safeguards — physical, technical, and administrative — will be in place to protect the PHI
- The procedures for the storage, transfer, and destruction of PHI
- The procedures to follow in the event of a data breach
- The procedures to follow when terminating the BAA
Achieving and maintaining HIPAA compliance with HubSpot: Using a CRM extension
One way to be HIPAA compliant while using HubSpot is to employ a CRM extension. There are a couple of things to consider when doing this:
- The CRM extension will have to be HIPAA compliant — This will limit the options available to you.
- The CRM extension will have to be hosted separately — All of the information captured, stored, and transferred by the CRM extension will have to be maintained separately from the HubSpot platform.
To make this work effectively, you may require several integrations for the CRM extension, increasing the cost and complexity of your tech stack significantly.
Additionally, the chance of error, whether human or technical, rises sharply with this solution, and those errors can result in violations of HIPAA regulations.
Some organizations use a CRM extension together with a set of best practices in order to fulfill the requirements of HIPAA while using HubSpot. However, any passage of PHI through the HubSpot platform, even when collected by a third-party extension, is still a violation of HubSpot's Terms of Service. The company's terms of service prohibit Covered Entities and Business Associates from using HubSpot to collect, receive, store, or transmit PHI through the platform.
Furthermore, HubSpot will not enter into a BAA with a Covered Entity.
Achieving and maintaining HIPAA compliance with HubSpot: The marketing-only approach
While it may seem like HubSpot is simply not an effective solution for businesses in healthcare, the life sciences, and med tech, HubSpot's top-of-field marketing tools may make it worth the risk and effort for some companies.
In these instances, it is possible to use HubSpot as a marketing support tool, but you will need to take steps to avoid cross-contamination of data.
First, you will need to integrate with the various digital tools you use every day, including:
- EMR systems (Electronic Medical Records)
- CRM systems (see the CRM extension section above)
- Project management software
- Patient databases
- Patient communication systems
Each of these systems will have to be categorized as either containing PHI or not containing PHI, and rules will need to be put in place around who can access which tool and for what purpose.
This isn't entirely different from managing your existing tech stack, but the consequences of mistakes can be significantly greater, and it places a lot of responsibility on your team to maintain compliance.
Next, you will have to create clear protocols around what happens when a marketing prospect becomes a patient. At the very least, their information must be removed from HubSpot and stored somewhere else (your HIPAA compliant CRM extension, for example).
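The two controls just described (categorizing every integrated system as PHI or non-PHI, and a conversion protocol that pulls a record out of HubSpot the moment a prospect becomes a patient) are easier to enforce in an integration layer than by policy alone. The following is an added example, not code from the original article and not HubSpot's or FreeAgent's own code: it assumes a small in-house sync layer sitting between the tools, and the system names, PHI field list and sample contacts are constructed for illustration.

```python
"""Data-segregation guard for a marketing-only HubSpot setup (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Step 1: every integrated system is categorised once as PHI or non-PHI.
# Constructed registry; the tool names are placeholders for your own stack.
SYSTEMS: Dict[str, bool] = {
    "hubspot_marketing": False,  # marketing only, must never receive PHI
    "hipaa_crm": True,           # separately hosted CRM extension, under a BAA
    "emr": True,                 # electronic medical records
    "project_tracker": False,    # holds no patient data
}

# Fields whose presence turns a marketing contact into PHI.
# Assumed list; derive it from your own data inventory.
PHI_FIELDS = {"diagnosis", "date_of_birth", "medical_record_number",
              "insurance_id", "appointment_date"}


@dataclass
class Contact:
    email: str
    fields: Dict[str, str]
    is_patient: bool = False


@dataclass
class Stores:
    """In-memory stand-in for the integrated systems plus an audit trail."""
    data: Dict[str, Dict[str, Contact]] = field(
        default_factory=lambda: {name: {} for name in SYSTEMS})
    audit: List[str] = field(default_factory=list)


def contains_phi(contact: Contact) -> bool:
    """A record is PHI if the person is a patient or any PHI field is populated."""
    if contact.is_patient:
        return True
    return any(contact.fields.get(name) for name in PHI_FIELDS)


def transfer_allowed(contact: Contact, target: str) -> bool:
    """Permit a sync only when the target is cleared for PHI or the record has none."""
    if target not in SYSTEMS:
        # An uncategorised tool is treated as a policy failure, not as non-PHI.
        raise KeyError(f"unregistered system: {target}")
    return SYSTEMS[target] or not contains_phi(contact)


def sync(stores: Stores, contact: Contact, target: str) -> bool:
    """Write the record into the target system if policy allows; log either way."""
    if not transfer_allowed(contact, target):
        stores.audit.append(f"BLOCKED {contact.email} -> {target}")
        return False
    stores.data[target][contact.email] = contact
    stores.audit.append(f"SYNCED {contact.email} -> {target}")
    return True


def _find(stores: Stores, email: str) -> Optional[Contact]:
    for records in stores.data.values():
        if email in records:
            return records[email]
    return None


def prospect_became_patient(stores: Stores, email: str,
                            phi_fields: Dict[str, str]) -> List[str]:
    """Step 2 (conversion protocol): mark the contact as a patient, remove it from
    every non-PHI system, and store it in the PHI-cleared CRM.
    Returns the list of non-PHI systems the record was removed from."""
    contact = _find(stores, email)
    if contact is None:
        raise KeyError(f"unknown contact: {email}")
    contact.is_patient = True
    contact.fields.update(phi_fields)
    removed: List[str] = []
    for system, holds_phi in SYSTEMS.items():
        if not holds_phi and email in stores.data[system]:
            del stores.data[system][email]
            removed.append(system)
            stores.audit.append(f"REMOVED {email} from {system}")
    sync(stores, contact, "hipaa_crm")
    return removed


if __name__ == "__main__":
    s = Stores()
    lead = Contact("ann@example.com", {"company": "Acme Clinics"})  # constructed
    sync(s, lead, "hubspot_marketing")                # allowed: no PHI yet
    prospect_became_patient(s, "ann@example.com", {"appointment_date": "2024-03-01"})
    walk_in = Contact("bob@example.com", {"date_of_birth": "1980-01-01"})
    sync(s, walk_in, "hubspot_marketing")             # blocked: PHI field present
    print("\n".join(s.audit))
```

The guard fails closed: a system missing from the registry raises rather than being assumed safe, and a record is blocked from a non-PHI tool as soon as any PHI field is populated, even if nobody has flagged the person as a patient. The audit list is the evidence you would want when demonstrating to an auditor that no PHI crossed into the marketing platform.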
Achieving and maintaining HIPAA compliance with HubSpot: In the event of a data breach
Perhaps the greatest concern with using HubSpot as part of your HIPAA compliant tech stack is what could happen in the event of a healthcare data breach.
HubSpot’s terms of service are clear — HubSpot disclaims all liability in the event of a data breach, even in cases where the breach was a result of HubSpot’s own security failings.
This can make complying with the HIPAA breach notification rule a challenge and expose you to significant fines and penalties.
FreeAgent CRM can help you achieve and maintain HIPAA compliance without all the hassles and costs
FreeAgent is the only major HIPAA-compliant CRM platform.
With FreeAgent, you get hassle-free HIPAA. That means:
- No third party BAAs
- No extra expense or hidden costs for best-in-class security including data encryption in-transit and at-rest
Beyond security and data privacy, FreeAgent CRM is well-suited to the unique needs and requirements of the healthcare, life sciences, and medtech industries, so if you're torn between a major CRM provider and a vertical healthcare CRM, FreeAgent might be the best of both worlds.
Learn more about FreeAgent CRM for medtech, or request a demo. Our CRM experts are standing by to provide advice.