Is HubSpot HIPAA Compliant? Yes — Only on Enterprise + BAA (2026)
HubSpot signs a BAA on Enterprise tiers only. Free, Starter, and Professional plans do not qualify. Marketing and sales workflows that touch PHI need explicit edition + contract.

HubSpot can be HIPAA compliant — but only on Enterprise edition tiers with an explicitly signed Business Associate Agreement (BAA). HubSpot's Free, Starter, and Professional tiers are not HIPAA-eligible. This distinction catches many independent practices that adopted HubSpot for general marketing and only later realized that patient outreach workflows put them out of compliance.
The product also has unusual edge cases. Marketing Hub, Sales Hub, Service Hub, Operations Hub, and CMS Hub each have their own HIPAA-eligibility status that depends on the edition. Lower-tier accounts that worked fine for general business use cannot simply add a BAA — the underlying infrastructure changes between tiers.
Here is what is covered, what is not, and how to set up HubSpot for HIPAA-compliant patient communications.
Which HubSpot Tiers Are HIPAA-Eligible?
HubSpot makes HIPAA eligibility available on Enterprise editions of its main hubs. The eligibility framework changed in recent years — historically HubSpot did not sign BAAs at all, and the Enterprise eligibility expansion is relatively new.
- Marketing Hub Enterprise. HIPAA-eligible with a signed BAA. Covers email marketing, landing pages, forms, and marketing automation when contracted under a BAA.
- Sales Hub Enterprise. HIPAA-eligible with a BAA. Covers contact records, deal pipelines, sales workflows, and sequences for healthcare-related sales operations.
- Service Hub Enterprise. HIPAA-eligible with a BAA. Covers ticketing, knowledge base, and customer service automation when used in healthcare contexts.
- Operations Hub Enterprise. HIPAA-eligible with a BAA. Covers data sync, workflow automation, and custom code actions.
- CMS Hub Enterprise. HIPAA-eligible with a BAA when used as the website backend for healthcare practices.
- Free, Starter, and Professional editions. Not HIPAA-eligible. HubSpot does not sign BAAs for these tiers regardless of customer request. Workflows that handle PHI cannot be retrofitted onto these editions.
The practical rule: Enterprise is the minimum tier. The BAA is the second prerequisite. Both must be in place before any PHI enters HubSpot.
What HubSpot Provides for HIPAA Compliance
When you deploy HubSpot Enterprise with a signed BAA, the platform offers compliance-relevant capabilities that match the technical safeguards of the HIPAA Security Rule.
- Encryption in transit and at rest. All HubSpot data is encrypted using TLS in transit and AES-256 at rest in HubSpot's infrastructure.
- Role-based access control. Enterprise editions offer granular permission sets — partitioning access by team, by record type, and by field. Field-level permissions allow PHI fields to be restricted to specific roles.
- Audit logging. HubSpot logs administrative actions, login events, and significant changes to records. Enterprise plans include extended audit retention and export capabilities.
- Single sign-on and SCIM provisioning. Enterprise tiers support SAML SSO and SCIM-based user lifecycle management — the foundation for centralized identity governance.
- Field-level security. Custom contact, company, and deal properties can be restricted at the field level on Enterprise editions, allowing sensitive PHI fields to be visible only to authorized roles.
- Sandbox environments. Enterprise plans include sandbox accounts for testing changes without exposing production data.
What HubSpot Does Not Do
HubSpot's compliance capabilities cover what HubSpot does. Beyond that, the responsibility is yours.
- HubSpot does not enforce minimum-necessary content. If a workflow includes a patient's diagnosis in an email body, HubSpot will send it. There is no native PHI detection or redaction.
- HubSpot does not extend the BAA to integrations. HubSpot's marketplace includes hundreds of third-party integrations. Each integration is a separate vendor with its own BAA status. Connecting an unauthorized integration to PHI-containing data is a compliance failure.
- HubSpot does not classify PHI in your data model. Custom contact properties, deal notes, and ticket descriptions can accumulate PHI in unstructured form. HubSpot has no awareness of which fields contain protected information.
- HubSpot does not cover non-Enterprise features used alongside Enterprise products. Some standalone HubSpot features are only available on lower tiers. If your team uses one of those features — even within an Enterprise account — verify HIPAA eligibility before pushing PHI through it.
- HubSpot does not perform your risk assessment, training, or breach response. These are administrative safeguards owned by the covered entity. The BAA documents responsibility but does not deliver the program.
- HubSpot does not validate landing page submissions for PHI. A contact form on a HubSpot landing page can be configured to capture extensive medical information. The platform does not block excessive PHI capture — that is a workflow design responsibility.
Common Mistakes Practices Make with HubSpot
- Starting on Marketing Hub Starter or Professional, then trying to add a BAA later. A BAA cannot be retrofitted onto a non-eligible tier. The migration to Enterprise involves contract change, often pricing change, and review of all workflows that touched PHI under the prior tier.
- Including diagnosis or visit reason in marketing emails. A campaign segmented by "patients diagnosed with diabetes" inherently contains PHI in its targeting metadata. Even an Enterprise BAA does not authorize careless content design.
- Capturing extensive medical detail on contact forms. Forms that ask about symptoms, medications, or insurance create PHI on submission. Without minimum-necessary content discipline, the form itself becomes a high-risk data flow.
- Connecting non-BAA integrations. Common integrations like Calendly, generic Slack, or marketing tools without a BAA create exposure when PHI syncs through. Each integration must be reviewed.
- Storing PHI in unstructured fields. Note fields, ticket descriptions, and deal comments accumulate PHI without field-level access control. Audit and structure these fields.
- Using HubSpot's free tools alongside an Enterprise account. A Free Hub or sandbox set up for marketing experiments can accidentally end up with production PHI. Maintain a clean separation.
- Treating sales sequences as outside the BAA scope. Automated outbound sales emails are still HubSpot-mediated communications. They fall under the BAA on Enterprise — but only if the content respects minimum-necessary rules.
How to Configure HubSpot for HIPAA Compliance
These are the baseline configurations for HIPAA-compliant HubSpot deployments.
- Contract a BAA for every relevant Hub. Sales, Marketing, Service, Operations, and CMS each have separate BAA scope. Confirm coverage in writing.
- Restrict the account to Enterprise editions. Disable feature combinations that could pull lower-tier capabilities into a PHI workflow.
- Implement field-level security. Identify every property that may store PHI. Restrict it by role. Remove PHI from non-restricted properties.
- Audit the integration registry. List every connected integration. Confirm each has a BAA or is removed from PHI-containing workflows.
- Constrain forms and CTAs. Forms collecting visit reasons, symptoms, or insurance information must be reviewed for minimum-necessary content. Use links to a secure intake portal for sensitive detail.
- Enable SSO and SCIM provisioning. Centralize user lifecycle. Eliminate orphan accounts. Enforce MFA at the identity provider.
- Configure audit log retention. Export audit logs to a retained, encrypted destination. Document the retention period.
- Disable export permissions for non-essential roles. Bulk export is the easiest path to PHI escaping the platform. Restrict it tightly.
- Document workflow content rules. Email templates, sequence content, and campaign assets must follow minimum-necessary rules. Build the rules into your editorial review.
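An added example, not HubSpot's code or API, that turns three of the steps above (field-level security, the integration registry audit, and export restriction) into a repeatable offline check over a constructed account inventory. The inventory format, the role names and the PHI_ROLES policy are assumptions to replace with your own property, user and integration exports:

```python
"""Offline gap check for a HubSpot Enterprise HIPAA configuration. Added example,
not HubSpot code; the inventory shape is assumed, map real exports into it first."""
from dataclasses import dataclass
PHI_ROLES = {"clinical_ops"}  # roles allowed to read PHI and bulk-export (assumed policy)

@dataclass(frozen=True)
class Property:
    name: str
    phi: bool               # does this property store PHI?
    readable_by: frozenset  # role names with read access

@dataclass(frozen=True)
class Integration:
    name: str
    baa_signed: bool
    reads: frozenset        # property names the integration can read

def find_gaps(properties, integrations, export_roles):
    """Return (finding, subject, detail) tuples, one per configuration gap."""
    gaps = []
    phi_props = {p.name for p in properties if p.phi}
    # Field-level security: PHI properties must be readable only by PHI_ROLES.
    for p in properties:
        if p.phi:
            for role in sorted(p.readable_by - PHI_ROLES):
                gaps.append(("phi_property_exposed", p.name, role))
    # Integration registry: anything that reads a PHI property needs its own BAA.
    for i in integrations:
        touched = sorted(i.reads & phi_props)
        if touched and not i.baa_signed:
            gaps.append(("integration_without_baa", i.name, ", ".join(touched)))
    # Bulk export is the easiest PHI exit; keep it restricted to PHI_ROLES.
    for role in sorted(set(export_roles) - PHI_ROLES):
        gaps.append(("bulk_export_allowed", role, ""))
    return gaps

# Constructed sample inventory, not real account data.
SAMPLE_PROPERTIES = [
    Property("email", False, frozenset({"marketing", "clinical_ops"})),
    Property("visit_reason", True, frozenset({"marketing", "clinical_ops"})),
    Property("insurance_member_id", True, frozenset({"clinical_ops"})),
]
SAMPLE_INTEGRATIONS = [
    Integration("scheduling_tool", False, frozenset({"email", "visit_reason"})),
    Integration("intake_portal", True, frozenset({"visit_reason", "insurance_member_id"})),
]
SAMPLE_EXPORT_ROLES = {"marketing", "clinical_ops"}  # roles with bulk export enabled

def sample_gaps():
    return find_gaps(SAMPLE_PROPERTIES, SAMPLE_INTEGRATIONS, SAMPLE_EXPORT_ROLES)
```

Each finding maps back to one checklist item, so the output doubles as the written record the BAA review asks for.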
Where HubSpot Fits in Your Compliance Program
HubSpot is rarely the only tool in a healthcare practice's stack. It often connects to an EHR, a scheduling platform, a patient portal, payment processors, and analytics tools. Each connection creates a data flow that needs evaluation.
A HubSpot BAA covers HubSpot. It does not cover the other platforms in the stack, the integrations between them, or the content your team writes inside HubSpot.
Patient Protect maps your full marketing and CRM stack, tracks every vendor BAA, and monitors configuration across the integrations that often go unaudited until something fails.
Frequently Asked Questions
Does HubSpot sign a BAA?
Yes, but only on Enterprise tier accounts. HubSpot does not sign BAAs for Free, Starter, or Professional editions. The BAA must be requested through HubSpot's compliance or sales team and explicitly executed in writing.
Can I upgrade from Professional to Enterprise to get HIPAA coverage?
Yes — but the BAA only covers data going forward from the contract date. Any PHI handled on the Professional tier before the upgrade was not covered by a BAA. The compliance status of that historical data needs a documented review.
Is HubSpot Marketing Hub Enterprise enough for HIPAA-compliant email?
Marketing Hub Enterprise with a BAA covers HubSpot's role. The compliance work — minimum-necessary content, list segmentation discipline, opt-in management, and downstream system review — is yours.
What about HubSpot's free CRM?
HubSpot's free CRM tier is not HIPAA-eligible. It does not qualify for a BAA. Using the free CRM with patient data is a contractual violation and a HIPAA exposure.
Are HubSpot integrations covered by the BAA?
No. Each integration in HubSpot's marketplace is a separate vendor. The HubSpot BAA does not extend to them. You must evaluate each integration's BAA status independently.
Can I use HubSpot forms to collect HIPAA-protected intake information?
On Enterprise with a BAA, yes — but with content discipline. Forms should request minimum-necessary information. For deeper clinical intake, link to a HIPAA-compliant intake platform rather than collecting full medical history through HubSpot forms.
Patient Protect tracks your full compliance program — including marketing automation vendors, BAAs, and integration data flows — starting at $39/month.
