Is HubSpot HIPAA Compliant? What Healthcare Practices Need to Know
HubSpot can support HIPAA compliance, but not out of the box. A Business Associate Agreement has to be in place first, and until it is, putting Protected Health Information into HubSpot is itself the violation.
HubSpot supports HIPAA compliance for a limited set of features, but only on Enterprise plans after you enable its Sensitive Data settings. Turning those settings on automatically issues the Business Associate Agreement.
Plan / requirement: An Enterprise plan plus the Sensitive Data settings enabled. Compliance is limited to the covered services listed in the executed BAA.
Sources: Is HubSpot HIPAA Compliant and Will It Sign a BAA? (Accountable); Is HubSpot HIPAA compliant? (HIPAA Journal). Last verified 2026-06-14.
What HIPAA actually requires here
HIPAA does not certify software. It requires that any vendor handling Protected Health Information on your behalf sign a Business Associate Agreement and uphold the Security Rule safeguards. For HubSpot, that mechanism works like this:
Read and accept the HubSpot Sensitive Data Beta Terms, then turn on Sensitive Data Settings. That action automatically activates the BAA, which lists the covered services.
The conditions that decide whether you are actually covered:
- Only the services expressly listed in the executed BAA are covered; treat everything else as excluded.
- Integrated third-party apps need their own separate BAAs.
Where the vendor stops and you begin
The most expensive misunderstanding in healthcare practices is assuming a signed BAA finishes the job. It does not. Compliance is shared:
| Where responsibility sits |
|---|
| HubSpot acts as Business Associate for covered services once Sensitive Data settings are enabled. |
| You keep PHI inside the covered objects and out of non-covered features. |
| You vet every connected app and ensure each has its own BAA. |
Compliance review
Not sure your HubSpot setup holds up to an audit?
Cobrix runs a configuration review against the actual healthcare rules your practice operates under, then fixes what does not pass.
Configuring HubSpot the right way
A defensible HubSpot deployment in a healthcare practice comes down to a short, ordered checklist:
- Confirm you are on an eligible Enterprise plan.
- Accept the Sensitive Data Beta Terms and turn on Sensitive Data Settings to activate the BAA.
- Map exactly which HubSpot services the BAA covers and confine PHI to them.
- Audit connected apps and secure separate BAAs for any that touch PHI.
- Restrict user permissions on PHI-bearing records to the minimum necessary for each role.
Mistakes that quietly void compliance
- Storing PHI on a Professional or Starter plan with no Sensitive Data settings.
- Putting PHI in a HubSpot feature the BAA does not list as covered.
- Connecting a marketing app that pulls PHI without its own BAA.
Where Cobrix fits
Cobrix is a California MSP/MSSP that configures and monitors tools like HubSpot for healthcare practices, then documents the controls so they survive an audit. The software gives you the BAA; the configuration, monitoring, and paper trail are what actually keep you compliant. That is the part we own.
Free resource
HubSpot HIPAA setup checklist
The exact configuration steps above, formatted as a printable checklist your team can work through and keep on file.
Frequently asked questions
Is HubSpot HIPAA compliant?
HubSpot supports HIPAA compliance for a limited set of features, but only on Enterprise plans after you enable its Sensitive Data settings. Turning those settings on automatically issues the Business Associate Agreement.
How do I get a BAA with HubSpot?
Read and accept the HubSpot Sensitive Data Beta Terms, then turn on Sensitive Data Settings. That action automatically activates the BAA, which lists the covered services.
What plan do I need for HubSpot to be HIPAA compliant?
An Enterprise plan plus the Sensitive Data settings enabled. Compliance is limited to the covered services listed in the executed BAA.
Does a BAA alone make HubSpot compliant?
No. HIPAA compliance follows a shared-responsibility model. The vendor secures the platform; your practice is responsible for configuration, access controls, and staff handling of PHI.