In 2017, a contributor to the HubSpot community forum asked the question “Is HubSpot HIPAA compliant?”. HubSpot was quick to reply that HubSpot is not HIPAA compliant – prompting several vendors of HIPAA compliant HubSpot extensions to offer services to the contributor.
More than six years on from the original post, HubSpot is still not HIPAA compliant. The issue is not the platform's general security controls; it is that HubSpot states in its Terms of Service (§2.9) that the platform is not designed to comply with industry-specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA).
Consequently, HubSpot will not enter into a HIPAA Business Associate Agreement with customers. A BAA is a prerequisite for using HubSpot in a HIPAA compliant way (though not on its own sufficient), so without one the platform cannot be used by covered entities or business associates to create, collect, store, or transmit electronic PHI, unless it is used with a HIPAA compliant HubSpot extension.
The Issue with HubSpot Extensions
The primary issue with using extensions to make HubSpot HIPAA compliant is that the extensions have been designed by software engineers who are not necessarily experts in HIPAA compliance. Therefore, if (for example) a covered entity has a question about how to configure an extension to use in a hybrid environment, the answer may not be 100% accurate.
Additionally, because HubSpot extensions are designed by software engineers, HIPAA compliance is often secondary to software functionality. In such cases, covered entities and business associates may have to use the software to do what the software was designed to do, and accept its limitations, rather than use it the way they would like to.
Two further considerations: it may be necessary to pay for more capability than is needed (for example) simply to connect HubSpot to an EHR, and the content of the extension provider's own Business Associate Agreement, including what it says about the provider's subcontractors, should be reviewed before the extension is used to create, collect, store, or transmit electronic PHI.
Using HubSpot Without a BAA
As mentioned above, HubSpot cannot be used to create, collect, store, or transmit electronic PHI without a BAA. But this does not mean HubSpot cannot be used at all by covered entities and business associates. Indeed, provided the platform is configured not to collect or transmit PHI, HubSpot can be a valuable tool for marketing, sales, and services delivery.
The two things required to use HubSpot without a BAA are an understanding of what PHI is and knowledge of how to use custom properties in HubSpot to ensure the only information collected is not individually identifiable information relating to a person's past, present, or future physical or mental health condition, the provision of health care to that person, or payment for that care.
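One way to enforce that configuration on the integration side is an allowlist gate that sits between an internal system and the CRM and only lets approved, non-PHI properties through. The following is an added example, not HubSpot's code or an extension's code; the property names in the allowlist and denylist (apart from the standard HubSpot contact fields email, firstname and lastname) are hypothetical, and the gate builds the `{"properties": {...}}` payload shape rather than calling the HubSpot API, so it runs offline.

```python
"""Added example: an allowlist gate for CRM contact properties.

Assumptions (not from the original page): the allowlist and denylist
contents below are hypothetical choices a covered entity would make for
its own deployment. Only properties on the allowlist are forwarded;
anything else is rejected by name. Values of rejected properties are
never copied into the result, so they cannot leak into logs or errors.
"""
from dataclasses import dataclass, field

# Hypothetical allowlist: properties that carry no health, treatment or
# payment information. Standard HubSpot contact fields plus marketing
# custom properties the deployment has vetted.
NON_PHI_PROPERTIES = frozenset({
    "email", "firstname", "lastname", "company", "jobtitle",
    "lifecyclestage", "newsletter_opt_in",
})

# Hypothetical denylist of custom properties that would be PHI if filled
# with a patient's data. Anything not on the allowlist is rejected anyway;
# the denylist only gives a more specific reason.
PHI_PROPERTIES = frozenset({
    "diagnosis", "medication", "appointment_date", "insurance_id", "notes",
})


class PHIRejected(ValueError):
    """Raised in strict mode when a disallowed property is present."""


@dataclass
class GateResult:
    payload: dict                       # body suitable for a CRM contact create/update
    rejected: dict = field(default_factory=dict)  # property name -> reason (no values)


def gate_contact(properties: dict, strict: bool = False) -> GateResult:
    """Return a payload containing only allowlisted properties.

    In strict mode any rejected property aborts the sync instead of being
    silently dropped, which surfaces misconfigured upstream mappings.
    """
    allowed, rejected = {}, {}
    for name, value in properties.items():
        key = name.lower()
        if key in PHI_PROPERTIES:
            rejected[name] = "known PHI property"
        elif key not in NON_PHI_PROPERTIES:
            rejected[name] = "not on allowlist"
        else:
            allowed[key] = value
    if strict and rejected:
        # Report names only; never include the rejected values.
        raise PHIRejected("disallowed properties: " + ", ".join(sorted(rejected)))
    return GateResult(payload={"properties": allowed}, rejected=rejected)


if __name__ == "__main__":
    # Constructed sample record: a mix of marketing fields and PHI.
    sample = {
        "email": "ana@example.com",
        "firstname": "Ana",
        "diagnosis": "redacted",
        "favorite_color": "blue",
    }
    result = gate_contact(sample)
    print("forwarded:", result.payload)
    print("rejected:", result.rejected)
```

The gate is deliberately deny-by-default: a new custom property added upstream is blocked until someone reviews it and adds it to the allowlist, which is the review step the paragraph above calls for.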
Covered entities or business associates who are unsure about using HubSpot without a BAA, who require advice about HIPAA compliance training, or who are concerned about using any CRM in compliance with HIPAA, should seek professional compliance help.