HubSpot, a cloud-based Customer Relationship Management (CRM) platform, has become popular because it centralizes marketing, sales, customer service, and content management tools in a single system, making it a convenient option for organizations looking to increase client engagement.
Even so, the question “Is HubSpot HIPAA-compliant?” must be asked before adopting it, especially by organizations that intend to use it in healthcare.
Why HIPAA Compliance Is Important in Healthcare Marketing
CRM platforms are a massive help in healthcare. They can facilitate better communication, allow healthcare providers to give personalized care, and make it easier to manage patient data. However, the convenience these platforms offer must not come at the expense of the requirements of the Health Insurance Portability and Accountability Act (HIPAA).
Under HIPAA, covered entities and their business associates that handle protected health information (PHI) are legally obligated to maintain strict security and privacy safeguards for patient data. Before PHI is shared with any software or service, the organization must confirm that the vendor will handle it under HIPAA’s terms, which in practice means a signed Business Associate Agreement (BAA) and appropriate technical safeguards. Negligence here may lead to data breaches, regulatory penalties, and other legal repercussions.
Is HubSpot HIPAA-Compliant?
No, HubSpot is not HIPAA-compliant. HubSpot’s terms of service state that its Subscription Service is not designed to comply with healthcare data privacy regulations such as HIPAA. The CRM platform therefore must not be used to collect, process, or store sensitive information, including PHI.
HubSpot also explicitly disclaims any liability arising from the use of its service to collect, process, or manage sensitive information. Consistent with this position, HubSpot does not sign a Business Associate Agreement (BAA) with its customers.
Under HIPAA, a BAA is a required legal document: a covered entity must have a signed BAA in place with any vendor that creates, receives, maintains, or transmits PHI on its behalf (in this case, HubSpot) before that vendor may store, manage, or transmit PHI. Without one, the disclosure of PHI to the vendor is itself a violation, regardless of how secure the vendor’s systems are.
See also: Is Salesforce HIPAA-compliant?
Can Healthcare Organizations Still Use HubSpot?
Healthcare organizations should not use HubSpot for any communications or records subject to HIPAA. They can, however, use HubSpot for activities that involve no PHI, such as general marketing to prospects who are not patients and whose data does not reveal anything about their health status, treatment, or payment.
If an organization uses HubSpot in connection with PHI, it exposes itself to a HIPAA violation. Even with strong internal safeguards and controls, storing, processing, or managing PHI in software without a BAA is contrary to HIPAA rules, because the rules require the agreement itself, not merely good security practice.
HubSpot’s Security Measures
Healthcare organizations considering the CRM platform for marketing should carefully review the software’s security measures and terms of service. To its credit, HubSpot has invested in a comprehensive set of security measures to safeguard customer data, as described in the HubSpot Trust Center. Note that these measures do not, on their own, make HubSpot HIPAA-compliant; as discussed above, compliance also requires a BAA, which HubSpot does not sign.
- Access monitoring: HubSpot strictly controls access to its systems, following the principle of least privilege. Access requests, modifications, and deletions are managed through a defined process, with pre-authorization based on employees’ functional roles or in-workflow approval.
- Backups enabled: Systems are backed up daily, with seven days’ worth of backups retained for restoration. Backup jobs are monitored for successful execution, and alerts are generated for any exceptions. Data is backed up to the local region, and periodic copies are stored in separate AWS regions for disaster recovery.
- Data erasure: HubSpot provides active customers with tools to delete or export their data in various formats. Data is retained for active customers and is purged based on specific criteria following the termination of customer agreements.
- Encryption: HubSpot encrypts data at rest and in transit. Stored data is encrypted with AES-256, and connections to HubSpot’s products are protected with TLS 1.2 or 1.3 using certificates with 2048-bit or stronger keys.
- Network security: HubSpot applies multiple layers of filtering and inspection to connections throughout its platform. Network-level access control lists block unauthorized network access, and firewalls are configured to deny by default, allowing only connections that are explicitly authorized.
- Incident response: HubSpot has a Security Operations Center (SOC) that provides 24/7 coverage to respond rapidly to security and privacy events. An incident response program is in place, with predefined incident types for efficient tracking, task assignment, escalation, and communication.
- Risk management: HubSpot maintains an Enterprise Risk Management (ERM) program that includes risk assessments, a risk register, and risk mitigation and remediation activities. Security awareness training is provided to employees, including phishing awareness training and simulations.
Using HIPAA-Compliant Alternatives to HubSpot
Some online sources suggest workarounds for using HubSpot in a HIPAA-compliant manner. One approach is to ensure that no information collected from visitors ever constitutes PHI; for example, when a prospect targeted by a marketing campaign becomes a patient, their record must be promptly deleted from HubSpot and re-created in a HIPAA-compliant CRM. Another approach is to add an external CRM extension that is meant to keep PHI out of HubSpot and handle it elsewhere.
Both approaches depend on PHI never reaching HubSpot, since a BAA would still be absent. They are complicated to operate and susceptible to user error: a single form field, note, or imported contact list containing PHI places that data in a system with no BAA. It is far safer to use a CRM that is designed for HIPAA from the start.
Rather than trying to force HubSpot into HIPAA compliance, healthcare organizations should choose a CRM platform whose vendor will sign a BAA and that prioritizes patient data privacy.