HIPAA & BAA · CRM
Is HubSpot HIPAA compliant?
Conditionally. HubSpot will enter a BAA, but only on Enterprise tiers and only once a super-admin turns on the HIPAA-protected sensitive-data settings.
Key facts
- BAA available: Conditionally — on specific plans
- What it takes: Enterprise tiers only; BAA is entered into automatically when a super-admin activates the sensitive-data / Health-Medical settings. Free, Starter, and Professional are not eligible.
- Official source: HubSpot Knowledge Base — Store Sensitive Data — https://knowledge.hubspot.com/properties/store-sensitive-data (verified 2026-06)
How to use HubSpot in a HIPAA-compliant way
- Use an Enterprise-tier HubSpot subscription (Free/Starter/Professional are not eligible).
- Have a super-administrator open Privacy and Consent settings and activate sensitive-data handling.
- Select the Health/Medical Data option and identify the org as a HIPAA covered entity or business associate; completing this step brings the BAA into effect by reference.
- Keep PHI only in supported features (CRM properties/objects, activities, lists, workflows, forms).
- Avoid unsupported features for PHI, including reporting/analytics tools and personalization tokens.
Important caveats
- Reporting/Analytics tools (Custom Report Builder, Customer Journey Reports, Data Sets) are NOT covered by the BAA.
- You cannot use protected properties as personalization tokens (e.g., auto-inserting a patient name).
- Sensitive-data settings must be explicitly enabled; the BAA does not apply by default.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring HubSpot correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with HubSpot.
Frequently asked questions
Does HubSpot sign a BAA?
On specific plans. The BAA is available on Enterprise tiers only and is entered into automatically when a super-admin activates the sensitive-data / Health-Medical settings; Free, Starter, and Professional are not eligible. The BAA must be in effect before any PHI enters HubSpot.
Is HubSpot HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even though HubSpot offers a BAA, you remain responsible for putting it into effect (by enabling the sensitive-data settings), configuring the product correctly, restricting access to PHI, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using HubSpot with PHI?
Before any PHI goes into HubSpot, confirm each of the following:
- The subscription is an Enterprise tier (Free, Starter, and Professional are not eligible for the BAA).
- A super-admin has activated the sensitive-data / Health-Medical settings, so the BAA is actually in effect rather than assumed.
- PHI will live only in supported features (CRM properties/objects, activities, lists, workflows, forms).
- PHI will not flow into Reporting/Analytics tools (Custom Report Builder, Customer Journey Reports, Data Sets), which are NOT covered by the BAA.
- No protected property is used as a personalization token (for example, auto-inserting a patient name).
- Access to PHI is restricted to the users who need it, and your own safeguards and staff training are in place.