Is Keap HIPAA compliant?
Conditionally. Keap (now part of Thryv) will sign a BAA on Pro and Max plans once you enable HIPAA Security Controls — but its email and SMS features are explicitly excluded, so PHI must not be sent through Keap emails or texts.
Key facts
- BAA available: Conditionally — on specific plans
- What it takes: Keap Pro or Max plan; enable HIPAA Security Controls and sign the BAA in Settings > Privacy & Compliance. CRM data only — email and SMS are excluded
- Official source: Keap (Thryv) — HIPAA Security Controls for Keap — https://learn.thryv.com/hc/en-us/articles/37506928781325-HIPAA-Security-Controls-for-Keap (verified 2026-06)
How to use Keap in a HIPAA-compliant way
- Use a Keap Pro or Max plan.
- Go to Settings > Privacy & Compliance and enable HIPAA Security Controls.
- Review the BAA, complete the required fields, sign it, and confirm your email.
- Keep PHI to CRM records only — use a separate HIPAA-compliant email/SMS provider for any PHI messaging.
- Confirm current terms with Thryv/Keap, since Keap is being integrated into Thryv.
Important caveats
- Email and SMS functionalities are NOT covered by the BAA and must not carry PHI.
- Without a valid BAA in effect, the Terms of Service prohibit processing PHI in Keap.
- Third-party integrations are not covered; Keap was acquired by Thryv (Oct 2024) so confirm the current contracting entity.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Keap correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Keap.
Frequently asked questions
Does Keap sign a BAA?
On specific plans: a Keap Pro or Max plan is required; enable HIPAA Security Controls and sign the BAA in Settings > Privacy & Compliance. The BAA covers CRM data only; email and SMS are excluded. A signed BAA must be in effect before any PHI is involved.
Is Keap HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Keap offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Keap with PHI?
Email and SMS functionalities are NOT covered by the BAA and must not carry PHI.