Is HubSpot HIPAA Compliant for Medical Clinics?
HubSpot offers a BAA only to customers on Enterprise plans with the HIPAA compliance add-on enabled. Clinics on lower tiers, or on Enterprise without the add-on, cannot lawfully store PHI in HubSpot.
Short answer
HubSpot can support HIPAA-compliant use cases, but only on Enterprise plans with a specific HIPAA compliance add-on enabled. Without that add-on and a signed BAA, HubSpot is not suitable for storing or processing PHI. Most small clinics will find the Enterprise tier pricing exceeds the value of using a general CRM for patient-adjacent data.
Verdict: Yes with conditions — Enterprise with add-on only
HubSpot supports HIPAA-compliant use, but the path is narrow. A signed BAA is available only on HubSpot Enterprise plans that have the HIPAA compliance add-on enabled. Standard plans at any lower tier are not covered.
For most small clinics, this creates a practical problem: HubSpot Enterprise is priced for mid-market and large organizations, not for a three-to-fifty-staff medical practice that needs a CRM.
BAA availability and tier requirements
HubSpot’s knowledge base documents that HIPAA compliance support, including BAA execution, is part of the Enterprise plan with the add-on. This applies across HubSpot’s product hubs — Marketing Hub, Sales Hub, Service Hub, and CMS Hub — at the Enterprise tier only. The separate HIPAA compliance add-on agreement must also be executed; the Enterprise plan alone is not sufficient.
A clinic on HubSpot Starter or Professional — across any hub — that stores patient intake data, contact forms mentioning health conditions, or appointment-related communications in HubSpot is out of compliance. Marketing Hub Starter, Sales Hub Starter, and Sales Hub Professional are all explicitly excluded. The PHI is in a system without a BAA.
What HIPAA mode restricts
When the HIPAA compliance add-on is enabled, HubSpot restricts features that process data outside the BAA’s scope:
- Certain AI tools, including AI-generated email content and AI chatbots, are limited or disabled
- Some third-party integrations must be individually evaluated for BAA status
- Data processing for marketing analytics may be restricted
The specific list changes with product updates. Verify the current restrictions directly with HubSpot’s compliance documentation when setting up the configuration.
The PHI-in-CRM risk for clinics
Even with a BAA and HIPAA mode, using a general-purpose CRM for patient-adjacent data requires ongoing governance. Common risk points in a HubSpot-based clinical workflow include:
- Contact properties. Custom properties added to contact records can accumulate PHI if staff use free-text fields without training.
- Email threads. HubSpot’s email-logging feature attaches email content to contact records. PHI-containing emails from patients or referral sources can land in records without deliberate action.
- Form submissions. Patient inquiry forms on a clinic website that feed into HubSpot must be scoped to avoid collecting PHI unless the full HIPAA configuration is active.
- Third-party integrations. Any integration that pulls PHI from an EHR or billing system into HubSpot is a separate data flow requiring its own BAA assessment.
Enabling HIPAA mode in HubSpot: what’s involved
For clinics on an eligible Enterprise plan, the configuration process involves more than a settings toggle:
- Execute the Enterprise BAA. Contact HubSpot’s sales or account team to execute the BAA as part of the Enterprise agreement. This is not available through the standard web signup flow.
- Enable the HIPAA compliance add-on. The add-on must be separately activated. This restricts certain AI features, third-party data shares, and marketing analytics that would otherwise process contact data outside the BAA’s scope.
- Audit active integrations. Each HubSpot integration that pulls or pushes data containing PHI must be individually evaluated. Any third-party app that receives PHI through a HubSpot integration is a separate business associate and requires its own BAA.
- Configure contact property access. Restrict access to contact records that may contain PHI to only staff with a legitimate need. HubSpot’s role-based permissions should be used to enforce this.
- Train staff on free-text fields. Free-text properties in HubSpot contact records are a common source of unintended PHI accumulation. Staff must be trained not to enter clinical details into general-purpose contact fields.
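The risk points above (free-text properties, logged email bodies, form submissions) and the audit and training steps in this list share one practical question: which records already hold PHI that should not be there? The following Python script is an added example, not HubSpot's tooling and not code from this page. It scans a constructed export of contact records and flags free-text properties that contain PHI indicators, so a clinic can review them before or after enabling HIPAA mode. The property names, indicator patterns, and sample records are all assumptions built for the example; a real audit would use the property names from the clinic's own portal, a vetted term list, and the export format HubSpot actually produces.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical free-text property names. In this example they are the fields a
# clinic expects to hold only non-clinical text; anything PHI-like in them is a
# governance finding that staff should review.
FREE_TEXT_PROPERTIES = {"notes", "message", "inquiry_details", "last_email_body"}

# Constructed indicator patterns. They are deliberately narrow so that the example
# stays readable; a production check would use the clinic's own term list.
PHI_PATTERNS = {
    "condition_keyword": re.compile(
        r"\b(diagnos\w*|prescri\w*|chemo\w*|diabet\w*|hiv|pregnan\w*|therapy|surgery)\b",
        re.IGNORECASE,
    ),
    "date_of_birth": re.compile(
        r"\b(dob|date of birth)\b[^\d]{0,10}\d{1,2}[/-]\d{1,2}[/-]\d{2,4}", re.IGNORECASE
    ),
    "mrn_like": re.compile(r"\b(mrn|medical record)\b[^\dA-Z]{0,5}[A-Z0-9]{5,}", re.IGNORECASE),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


@dataclass(frozen=True)
class Finding:
    contact_id: str
    prop: str
    indicator: str
    excerpt: str


def scan_contact(contact):
    """Return one Finding per (free-text property, indicator) pair that matches."""
    findings = []
    for prop, value in contact["properties"].items():
        if prop not in FREE_TEXT_PROPERTIES or not isinstance(value, str):
            continue
        for name, pattern in PHI_PATTERNS.items():
            match = pattern.search(value)
            if match:
                findings.append(Finding(contact["id"], prop, name, match.group(0)))
    return findings


def scan_export(contacts):
    """Scan every record in an exported contact list."""
    return [f for contact in contacts for f in scan_contact(contact)]


def summarize(findings):
    """Count findings per property, which tells the clinic where training is failing."""
    return dict(Counter(f.prop for f in findings))


def flagged_contacts(findings):
    """Contact ids whose records need access restriction or cleanup."""
    return {f.contact_id for f in findings}


# Constructed sample export; none of these records describes a real person.
SAMPLE_CONTACTS = [
    {"id": "c-1001", "properties": {"firstname": "Alex",
        "notes": "Asked about pricing for a new-patient visit and evening hours."}},
    {"id": "c-1002", "properties": {"firstname": "Jordan",
        "notes": "Patient says she was diagnosed with type 2 diabetes last year, DOB 04/12/1971."}},
    {"id": "c-1003", "properties": {"firstname": "Riley",
        "last_email_body": "Hi, attaching the referral. MRN 00482913, please confirm the surgery date."}},
    {"id": "c-1004", "properties": {"firstname": "Sam",
        "message": "Is there parking near the clinic?"}},
    {"id": "c-1005", "properties": {"firstname": "Casey",
        "inquiry_details": "My SSN is 123-45-6789, I need it for the insurance eligibility check."}},
]

if __name__ == "__main__":
    results = scan_export(SAMPLE_CONTACTS)
    for f in results:
        print(f"{f.contact_id} {f.prop} [{f.indicator}] {f.excerpt!r}")
    print("per property:", summarize(results))
    print("contacts to review:", sorted(flagged_contacts(results)))
```

The scan reports an indicator name and a short excerpt rather than dumping the whole property, so the audit output itself does not become a second copy of the PHI. The per-property summary is the useful governance signal: a property that keeps appearing is one where staff training or form scoping is not working.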
What small clinics usually discover
HubSpot makes sense for a clinic’s external marketing: tracking leads, sending educational email campaigns, managing non-patient contacts. The moment a contact record touches patient information — even an inquiry about a specific condition — it becomes a PHI question.
Small clinics that need patient-adjacent tracking and compliance documentation in one place typically find that purpose-built HIPAA tools cost less than HubSpot Enterprise and require less customization to stay safe.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.
Sources
- HubSpot HIPAA Compliance Documentation | HubSpot
- Business Associate Contracts — HHS Guidance | HHS
- HIPAA Privacy Rule — 45 CFR Part 164 | eCFR / HHS