For healthcare organizations and their business associates who are responsible for managing sensitive health information, it is important to be Health Insurance Portability and Accountability Act (HIPAA) compliant. HubSpot, a widely used customer relationship management (CRM) platform, has gained popularity for its marketing and customer service tools. However, many healthcare professionals wonder whether HubSpot can be used in a manner that complies with HIPAA regulations.
As of June 2024, HubSpot has introduced new features and capabilities to support HIPAA compliance for specific "covered services”. This means that certain HubSpot products can now be used to collect, store, process, and transmit Protected Health Information (PHI) subject to covered entities subscribing to an enterprise account and agreeing to the terms of HubSpot's Business Associate Agreement (BAA).
HIPAA (Health Insurance Portability and Accountability Act), enacted in 1996, is a federal law that sets standards for the privacy and security of protected health information (PHI). It applies to all healthcare providers and health plans, as well as any business that handles PHI on behalf of business associates. HIPAA compliance is important to protect patient privacy and security.
There are different requirements that healthcare organizations and business associates must follow if they want to be HIPAA-compliant.
Organizations should implement safeguards to protect PHI from unauthorized access, use, disclosure, or modification.
Patients have the right to access their PHI and file complaints.
All staff members who handle PHI must be trained on HIPAA requirements.
The penalties for non-compliance with HIPAA can be severe. Organizations that violate HIPAA can be fined up to $1.5 million, and individuals can be fined up to $250,000. In addition, organizations that violate HIPAA may also be subject to civil and criminal penalties.
HubSpot does not advertise itself as HIPAA compliant by default. While it is a robust platform for marketing, sales, and customer service, its standard features and infrastructure are not designed to meet the stringent security and privacy requirements outlined in the HIPAA. HubSpot does not have a standard BAA in place that would legally bind the company to protect PHI. Moreover, although HubSpot maintains secure data centers, they may not meet the specific security standards required for PHI.
HubSpot primarily handles marketing and CRM data, including contact information (names, addresses, email addresses, phone numbers), company information (industry, size, location), website traffic data, sales activities, and customer support interactions. This data is valuable for business, but it does not typically include PHI.
HubSpot's decision not to advertise itself as HIPAA-compliant is important for businesses handling PHI. This way, HubSpot avoids misleading businesses that need a HIPAA-compliant solution. This allows businesses to make informed decisions about their software choices and avoid potential legal risks.
There are certain services and conditions for HubSpot’s compliance with HIPAA Here are the key points:
For certain covered services, HubSpot may be HIPAA-compliant. A subscription to an enterprise account and acceptance of HubSpot's Business Associate Agreement (BAA) are prerequisites for this compliance.
You must enable the Sensitive Data setting in your HubSpot account to store data covered by HIPAA. To do this, you must first click the Health/Medical Data checkbox and verify that your company or association is a HIPAA-covered entity.
Source: HubSpot
Although HubSpot's basic terms of service cover data processing and security, they also make it clear that absent certain circumstances, the platform is not intended to adhere to industry-specific laws such as HIPAA.
A Business Associate Agreement (BAA) is a legal contract between a covered entity (e.g., healthcare provider, health plan) and a business associate (e.g., third-party vendor) that outlines the responsibilities and obligations of both parties in handling Protected Health Information (PHI). BAAs are essential for ensuring that PHI is protected and maintained in compliance with HIPAA regulations.
BAAs are important for HIPAA compliance, as they define the scope of the relationships and specify the security measures that the business associate must implement to protect PHI. Additionally, BAAs can allocate liability for HIPAA violations between the covered entity and the business associate.
The HubSpot version that complies with HIPAA regulations is now in "public beta." As such, the services listed below are the ones that are covered under the HubSpot Business Associate Agreement (BAA) and could change at any time. It is noteworthy that the services mentioned below are exclusively included in enterprise subscriptions.
CRM Objects API
CRM Object Properties
CRM Attachments
Forms
Form Submissions Authenticated API
Integrations
Reports
Search
Workflows
List Creation
There are three processes involved in bringing HubSpot into compliance with HIPAA. The HIPAA-protected sensitive data settings must be enabled by a user with super administrator HubSpot features through the "Privacy and Consent" tab. Then, when asked, "What type of information will you store?" they must tick the box labeled "Health/Medical Data" as well as the one designating the company as a HIPAA-covered firm or business associate.
One of the most effective ways to mitigate risks when using HubSpot in a healthcare setting is to avoid storing or transmitting Protected Health Information (PHI) directly within the platform. Here are some strategies to consider:
Data Segregation: Keep PHI in a separate, HIPAA-compliant system and only transfer necessary, de-identified data to HubSpot for marketing or sales purposes.
Data Masking: Mask or anonymize PHI before transferring it to HubSpot to protect patient privacy.
Third-Party Integrations: Use HIPAA-compliant integrations to connect HubSpot with your primary healthcare system. This will allow you to transfer data without storing it directly within HubSpot.
Permissions and Access Controls: Implement granular permissions and access controls within HubSpot to limit access to sensitive data.
Data Encryption: Encrypt data stored within HubSpot to protect it from unauthorized access.
Regular Security Audits: Conduct regular security audits to identify and address potential vulnerabilities.
Data Retention Policies: Establish clear data retention policies to ensure that PHI is not stored for longer than necessary.
Hybrid Approach: Use HubSpot for non-PHI-related activities and a dedicated HIPAA-compliant platform for storing and processing PHI.
Hybrid Approach: Use HubSpot for non-PHI-related activities and a dedicated HIPAA-compliant platform for storing and processing PHI.
Disclaimer: While these strategies can help mitigate risks, it is crucial to consult with a legal professional specializing in healthcare law to ensure full compliance with HIPAA regulations.
Healthcare organizations face challenges when they try to balance effective marketing strategies with HIPAA compliance. Marketing is undoubtedly important for reaching patients and promoting services. However, it must be done in a way that protects and avoids violating HIPAA regulations. Here are some key practices that must adhere to HIPAA.
When sending email marketing campaigns to patients, healthcare organizations must obtain explicit consent and ensure that the content does not disclose PHI.
Sharing patient stories or testimonials must be done with the patient's written consent and in a way that does not reveal PHI.
Using patient data for targeted advertising must comply with HIPAA regulations and avoid disclosing sensitive information.
Obtaining explicit patient consent is crucial for any marketing communication. This consent should be documented and clearly outline the types of information that will be collected and used. Additionally, healthcare organizations must implement robust measures to protect patient privacy, including data security, minimization, and retention.
Here are some best practices to ensure that your marketing efforts remain compliant and effective.
Ensure that any data used for marketing purposes is stripped of personal identifiers like names, addresses, Social Security numbers, and medical record numbers.
Combine data from multiple sources to create general trends and insights without revealing individual patient information or, in simple terms, aggregate data.
Be aware of what constitutes Protected Health Information (PHI) and avoid using it in your marketing materials. PHI includes any information that can be used to identify an individual.
When discussing patient outcomes or case studies, use general terms and avoid specific details that could reveal patient identities.
Before collecting or using patient information for marketing purposes, obtain explicit, informed consent. This means clearly explaining how the information will be used and allowing patients to opt-in or opt-out.
Maintain records of consent to demonstrate compliance with regulations.
Use hypothetical or generic patient case studies to illustrate the benefits of your services without revealing PHI.
Focus on providing valuable educational content that doesn't require the use of PHI. For example, create blog posts or webinars on health topics that are relevant to your target audience.
Collect testimonials from satisfied patients, but ensure that they are anonymized to protect their privacy.
Use non-PHI demographic data, such as age, gender, and geographic location, to target your marketing efforts.
Use non-PHI demographic data, such as age, gender, and geographic location, to target your marketing efforts.
Provide comprehensive HIPAA training to your marketing team to ensure they understand the regulations and their responsibilities
One well-known marketing automation software that has a strong toolkit that works well in healthcare settings is HubSpot. However, following HIPAA standards is essential when handling patient data. Here's how to use HubSpot and keep your privacy intact:
Segmentation: Create segments based on non-PHI criteria like geographic location, age, or general health interests. This allows you to target your marketing efforts without exposing sensitive patient information.
Automation: Automate tasks like email campaigns, lead nurturing and reporting to streamline your marketing efforts.
Reporting: Use HubSpot's reporting tools to track the effectiveness of your marketing campaigns without compromising patient privacy.
Data Storage: Ensure that any patient data stored in HubSpot is anonymized or redacted. Avoid storing PHI directly in the platform.
Custom Fields: Create custom fields that align with non-PHI data points to track patient interactions without violating HIPAA.
HIPAA-Compliant CRM: Integrate HubSpot with a HIPAA-compliant CRM to store and manage patient data securely.
Secure Email Provider: Use a HIPAA-compliant email provider to ensure that all communications with patients are encrypted and protected.
Data Encryption: Implement data encryption measures to protect patient information both at rest and in transit.
Regular Audits: Conduct regular audits of your HubSpot account to ensure that you're adhering to HIPAA guidelines.
Stay Updated: Keep up-to-date with the latest HIPAA regulations and guidelines to ensure your HubSpot usage remains compliant.
If your company is thinking about using HubSpot or comparable platforms, it is imperative to restrict the usage of PHI and look at solutions that comply with HIPAA regulations. Ensuring the security and privacy of patient information is of utmost importance to your firm to uphold confidence and comply with relevant requirements.