Vendor compliance profile

Is HubSpot HIPAA compliant?

HubSpot may support some HIPAA-regulated workflows only under specific plan, configuration, and Business Associate Agreement conditions. Do not store or transmit PHI in HubSpot until BAA availability, covered services, and account configuration have been verified directly with HubSpot.

HIPAA status signal: Conditional
BAA public signal: Available for eligible setup
SOC 2 evidence signal: Public evidence

PHI warning: Marketing automation, forms, CRM notes, chat, and integrations can easily collect PHI if teams are not careful.

Search query answers

Is HubSpot HIPAA compliant in 2026?

HubSpot's public documentation indicates HIPAA-related use is conditional, not automatic. Enterprise plan eligibility, Sensitive Data settings, BAA acceptance, covered tools, and account configuration must be verified before PHI is stored or transmitted.

What does HubSpot HIPAA compliance depend on?

HubSpot HIPAA compliance depends on the customer's edition, Sensitive Data configuration, BAA acceptance, covered tools, integrations, support access, retention settings, and whether the intended CRM or marketing workflow stores PHI.

Does HubSpot offer a BAA?

HubSpot documentation references accepting a Business Associate Agreement when the account identifies as a HIPAA covered entity or business associate. Buyers should verify current BAA terms, covered services, and excluded tools directly in their HubSpot account.

Where is the official HubSpot HIPAA BAA signal?

The strongest public signal is HubSpot's Sensitive Data documentation, which references HIPAA-related account selections and BAA acceptance for eligible accounts. Treat this as a starting point, not proof that every HubSpot workflow is covered.

What should buyers check for HubSpot HIPAA BAA official review?

For a HubSpot HIPAA BAA official review, confirm the current Sensitive Data documentation, Enterprise subscription eligibility, BAA acceptance flow, covered tools, excluded features, integrations, support access, exports, and whether the planned 2026 workflow keeps PHI inside covered scope.

Does HubSpot have SOC 2 evidence?

HubSpot points buyers to its trust and security resources for current security evidence. Review the latest SOC report scope, covered products, report period, and exceptions directly through HubSpot before using it in vendor review.

HIPAA, BAA, and SOC 2 summary

HIPAA: HubSpot documents Sensitive Data functionality for Enterprise subscriptions and requires specific HIPAA-related selections before storing HIPAA-covered data. This is not a blanket approval for all HubSpot tools or plans.
BAA: HubSpot's Sensitive Data workflow references accepting the Business Associate Agreement when the account identifies as a HIPAA covered entity or business associate. Verify current BAA terms and covered tools in your account.
SOC 2: HubSpot points users to its Trust Center for security program information. Review the latest SOC report scope directly through HubSpot's trust resources.
PHI risk: Marketing automation, forms, CRM notes, chat, and integrations can easily collect PHI if teams are not careful.
Category: HIPAA-Compliant CRM and Marketing Tools
Last checked: 2026-06-01
Confidence: Medium

Public evidence and open questions

What public sources say

  • HubSpot publicly documents Sensitive Data functionality and HIPAA-related selections for eligible Enterprise subscriptions.
  • HubSpot documentation references BAA acceptance in the Sensitive Data workflow for accounts identifying as HIPAA covered entities or business associates.
  • HubSpot directs buyers to trust resources for security program and SOC evidence review.

What remains unconfirmed

  • Which HubSpot tools, add-ons, integrations, support channels, and data types are covered for the buyer's exact account.
  • Whether the customer's intended CRM, forms, marketing, chat, and reporting workflow keeps PHI inside eligible features.

What it may be used for

  • Enterprise CRM workflows where Sensitive Data settings, BAA acceptance, covered tools, permissions, and integrations have been verified.
  • Healthcare sales or operations workflows that minimize PHI and keep marketing, ads, enrichment, and unsupported integrations out of scope.
  • Vendor review for organizations comparing HubSpot against healthcare-specific CRM alternatives.

What not to use it for

  • Collecting PHI in HubSpot forms, chat, notes, tickets, calls, or marketing tools before eligible plan and BAA scope are confirmed.
  • Syncing PHI into ads, enrichment, analytics, email marketing, AI, or third-party integrations that are not covered.
  • Assuming HubSpot's security program or SOC evidence makes every HubSpot tool HIPAA-ready.

What to verify with the vendor

  • Whether the account is on an eligible Enterprise plan with Sensitive Data functionality enabled.
  • Whether the BAA has been accepted and which HubSpot tools, objects, support paths, and integrations are covered.
  • How PHI is isolated from marketing automation, ads, enrichment, AI features, exports, reports, and notifications.
  • Whether audit logs, role permissions, retention, deletion, and support access satisfy the intended workflow.

Safer alternatives and related profiles

Safer alternatives to consider

  • Salesforce Health Cloud or covered Salesforce services when the BAA, covered-service scope, and configuration are verified.
  • monday.com Enterprise for operational workflows after HIPAA mode and BAA acceptance are confirmed.
  • A healthcare-specific CRM or patient engagement platform when PHI must appear in marketing or patient communication workflows.

FAQ

Will HubSpot sign a BAA?

HubSpot's Sensitive Data workflow references accepting the Business Associate Agreement when the account identifies as a HIPAA covered entity or business associate. Verify current BAA terms and covered tools in your account.

Can HubSpot be used with PHI?

Do not use this vendor with PHI until your organization verifies BAA scope, covered services, configuration, access controls, data retention, and connected integrations.

Does SOC 2 mean HubSpot is HIPAA compliant?

No. SOC 2 evidence can support security diligence, but it does not prove HIPAA compliance, confirm BAA coverage, or approve PHI use. Review HIPAA terms, BAA scope, covered services, configuration, and intended workflow separately.

Last checked and source notes

Last checked: 2026-06-01
Confidence: Medium
Dataset rows: 268 vendors
  • Reviewed HubSpot Sensitive Data documentation and public security resources for HIPAA, BAA, and SOC evidence signals on 2026-06-01.
  • HubSpot eligibility may depend on subscription tier, Sensitive Data configuration, covered tools, and customer workflow design.
  • ComplySaaS did not verify a private contract or account-specific BAA scope.
  • HubSpot: Store Sensitive Data
  • HubSpot: Sensitive Data in tools