Vendor compliance profile
HubSpot HIPAA compliance, BAA, and PHI notes
HubSpot may support some HIPAA-regulated workflows only under specific plan, configuration, and Business Associate Agreement conditions. Do not store or transmit PHI in HubSpot until BAA availability, covered services, and account configuration have been verified directly with HubSpot.
HIPAA status signal: Conditional
BAA public signal: Available for eligible setup
SOC 2 evidence signal: Public evidence
PHI warning: Marketing automation, forms, CRM notes, chat, and integrations can easily collect PHI if teams are not careful.
HIPAA, BAA, and SOC 2 summary
| Area | Summary |
|---|---|
| HIPAA | HubSpot documents Sensitive Data functionality for Enterprise subscriptions and requires specific HIPAA-related selections before storing HIPAA-covered data. This is not a blanket approval for all HubSpot tools or plans. |
| BAA | HubSpot's Sensitive Data workflow references accepting the Business Associate Agreement when the account identifies as a HIPAA covered entity or business associate. Verify current BAA terms and covered tools in your account. |
| SOC 2 | HubSpot points users to its Trust Center for security program information. Review the latest SOC report scope directly through HubSpot's trust resources. |
| Category | HIPAA-Compliant CRM and Marketing Tools |
What it may be used for
- General business workflows that do not include PHI.
- Healthcare-adjacent operations after BAA scope and configuration have been verified.
- Vendor risk review, procurement research, and compliance planning.
What not to use it for
- Storing diagnosis, treatment, patient notes, or identifiers without verified BAA coverage.
- Sending PHI through unsupported forms, messages, automations, or integrations.
- Replacing legal, compliance, security, or vendor contract review.
What to verify with the vendor
- Whether the vendor will sign a BAA for your exact product, plan, and use case.
- Which services, add-ons, regions, and support channels are covered by the agreement.
- Whether your intended workflow stores, transmits, or processes PHI.
- Which admin, access control, retention, audit log, and encryption settings must be enabled.
Safer alternatives and related profiles
FAQ
Is HubSpot HIPAA compliant?
HubSpot may support some HIPAA-regulated workflows only under specific plan, configuration, and Business Associate Agreement conditions. Do not store or transmit PHI in HubSpot until BAA availability, covered services, and account configuration have been verified directly with HubSpot.
Will HubSpot sign a BAA?
HubSpot's Sensitive Data workflow references accepting the Business Associate Agreement when the account identifies as a HIPAA covered entity or business associate. Verify current BAA terms and covered tools in your account.
Can HubSpot be used with PHI?
Do not use this vendor with PHI until your organization verifies BAA scope, covered services, configuration, access controls, data retention, and connected integrations.
Last checked and source notes
- Last checked: 2026-04-30
- Confidence: Medium
- Dataset rows: 267 vendors
- ComplySaaS public vendor dataset entry.
- Vendor trust center, legal terms, BAA documentation, and covered services should be re-checked before use.
- HubSpot: Store Sensitive Data
- HubSpot: Sensitive Data in tools