Is HubSpot HIPAA Compliant?
HubSpot is one of the most popular CRM and marketing automation platforms in the world. Healthcare organizations use it for lead generation forms, email marketing campaigns, patient outreach, and contact management. Its appeal is understandable: it brings CRM, email, forms, analytics, and content management into a single platform with a polished user experience.
In 2023, HubSpot introduced a "sensitive data" feature that includes a BAA option for Enterprise-tier customers. For many healthcare marketing teams, this felt like the green light they had been waiting for. But the scope of that BAA is narrower than most teams realize, and the features most likely to encounter protected health information are the ones left uncovered.
Understanding what HubSpot's BAA actually covers, and what it does not, is essential before any healthcare organization builds its marketing operations around the platform.
What Healthcare-Grade Compliance Actually Requires
When evaluating any marketing platform for use in healthcare, three pillars matter more than the tool's feature set: the legal agreement, the audit posture, and the data architecture.
A Real Business Associate Agreement
Under HIPAA, any vendor that creates, receives, maintains, or transmits protected health information on behalf of a covered entity is a business associate and must sign a Business Associate Agreement. A BAA is a legal contract in which the vendor accepts its own obligations for safeguarding PHI and agrees to specific terms on breach notification, data handling, permitted uses and disclosures, and flow-down of the same terms to its subcontractors.
Not all BAAs are equal. Some vendors offer agreements that carve out entire product areas: marketing data, analytics data, or data collected through specific features. A legitimate healthcare BAA covers the full data pipeline: collection, processing, storage, and transmission. If a vendor's BAA excludes the features where PHI is most likely to flow, the agreement creates a false sense of security rather than actual protection.
SOC 2 Type II with All Five Trust Criteria
SOC 2 Type II is an independent audit that verifies a vendor's controls over an extended review period. The audit covers up to five trust service criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
SOC 2 is an attestation report rather than a certification, and Security is the only criterion a report must include; the other four are optional, and many vendors scope the audit to Security alone (1 of 5). That is table stakes. It means an auditor confirmed the vendor has access controls, change management, and encryption in place. It says nothing about how data is processed, whether it remains confidential, or how the vendor meets its privacy obligations.
All five criteria mean independent auditors verified the vendor handles data with the rigor healthcare requires: that the system is available when needed, processes data accurately, keeps it confidential, and respects privacy commitments. Type II (not Type I) means this was verified over a sustained period, not a single point-in-time snapshot.
Server-Side Data Architecture
Client-side tracking technologies work by loading JavaScript in the visitor's browser. That JavaScript collects behavioral data and sends it directly from the browser to the vendor's servers. The browser is the intermediary, and the data transits through a third-party connection that your organization does not control.
Server-side tracking works differently. The browser talks only to your own domain; your server collects the event and forwards it from your infrastructure to its destination. The visitor's browser never communicates with the tracking vendor, so there is no third-party JavaScript and no third-party cookie, and the only outbound data path is a server-to-server connection that you can log, filter, and cut off.
This distinction matters because every major healthcare tracking enforcement case involved client-side tracking technologies. The browser-to-third-party data path is the root cause, not a contributing factor.
Where HubSpot Stands
HubSpot's compliance story is more complex than most tools in this category because it offers a partial BAA rather than no BAA at all. That partial coverage creates specific risks worth understanding.
The BAA only covers CRM data on Enterprise plans. HubSpot's sensitive data feature and associated BAA apply only to data stored within the HubSpot CRM itself, and only for customers on Enterprise-tier plans. This covers contact records, deal records, and other structured CRM data.
The BAA does not cover HubSpot's tracking code, analytics, forms, or marketing automation. This is the critical gap. When a prospective patient fills out a form on your website asking about a specific procedure, that form submission flows through HubSpot's client-side JavaScript. When HubSpot's tracking pixel records that a visitor browsed your oncology services page and then clicked through to schedule a consultation, that behavioral data transits through the browser to HubSpot's servers. None of this activity falls under the BAA.
HubSpot's tracking pixel operates client-side. The HubSpot tracking code loads JavaScript in the visitor's browser to collect page views, form submissions, and behavioral data. This is the same client-side architecture that has been at the center of every major enforcement case. Page URLs, IP addresses, device identifiers, and interaction data all flow from the browser to HubSpot's infrastructure.
The practical challenge is that healthcare marketing teams typically use HubSpot for the features the BAA excludes. Lead generation forms capture appointment requests and condition inquiries. Marketing automation workflows trigger based on what pages a visitor viewed. Analytics dashboards track conversion paths that reveal health interests. The CRM data the BAA covers is often the last stop for information that traveled through unprotected channels.
What the Enforcement Landscape Looks Like
Since 2023, healthcare organizations have paid over $193 million in settlements and penalties related to tracking technologies on their websites. Every case involved standard marketing tools, not sophisticated attacks.
BetterHelp settled for $7.8 million with the FTC after tracking pixels shared email addresses, IP addresses, and mental health intake questionnaire responses with Facebook, Snapchat, Criteo, and Pinterest. BetterHelp even used the fact that users had previously been in therapy to build Facebook lookalike audiences. The FTC found that a recent college graduate with no marketing training had been placed in charge of deciding what user data was uploaded to Facebook. Governance failures turned a routine marketing setup into a federal enforcement action.
Advocate Aurora Health settled for $12.25 million after installing Meta Pixel and Google Analytics on its website, app, and patient portal to "better understand patient needs." The tracking exposed data of approximately 3 million patients. The intent was routine analytics. The outcome was a class action.
Kaiser Permanente reached a $47.5 million settlement affecting 13.4 million members. Their websites and patient portals used third-party tracking code that transmitted health information to Google, Microsoft, Meta, and X from 2017 to 2024.
The pattern across these cases is consistent: healthcare organizations installed widely used marketing tools. Those tools operated client-side. Data flowed to third parties. Nobody noticed until regulators or plaintiffs did. The tools involved were Meta Pixel, Google Analytics, and similar tracking technologies. HubSpot's tracking pixel operates with the same client-side architecture.
What a Compliant Marketing Architecture Looks Like
Healthcare organizations that need CRM, marketing automation, and analytics capabilities (which is all of them) should evaluate vendors against a specific architecture:
Server-side data collection. All event data, including form submissions, page views, and behavioral signals, should flow from your server to the marketing platform. The visitor's browser should never communicate directly with a third-party vendor. This eliminates the data path that caused every enforcement case listed above.
First-party infrastructure. Data collection should happen on your domain, through your DNS, using server-set cookies. No third-party JavaScript in the page source, and no tracking endpoints visible in the browser's developer tools. This also makes collection far less exposed to ad blockers and to Safari's Intelligent Tracking Prevention, which caps script-set cookies but not HTTP cookies set by a genuine first-party server (Safari does apply its cap to subdomains that are merely CNAME aliases for a third-party host), improving data accuracy alongside compliance.
Consent-gated data dispatch. Consent and privacy represent the next frontier of healthcare compliance, driven by state privacy laws and rising patient expectations around how their health information is handled. Data should only flow to downstream destinations (ad platforms, CRM, email tools) after consent is verified server-side. A JavaScript consent check can be bypassed or blocked. A server-side gate that reads a consent record stored on your own infrastructure, rather than a flag the browser sends along with the request, cannot be skipped by the client. Organizations building consent into their data architecture now will be ahead as the regulatory landscape continues to tighten.
Continuous compliance monitoring. Installing a compliant marketing platform does not tell you whether your entire website is compliant. Marketing teams add scripts, plugins update, third-party tags load other tags. A web scanner that crawls your site regularly detects every cookie, script, localStorage entry, and tracking pixel across every page. It flags healthcare-specific risks: which scripts lack a BAA, which cookies are set by third parties, which tracking pixels are sending data to ad platforms. Every enforcement case in the record involved tracking that had been running for years before anyone noticed. Continuous scanning catches drift before it becomes a breach notification.
A real BAA covering the full data pipeline. Not a BAA that carves out marketing data, analytics, forms, or tracking features. If the BAA does not cover the channels where PHI is most likely to flow, the agreement is not providing the protection healthcare requires.
SOC 2 Type II with all five trust criteria. Security, Availability, Processing Integrity, Confidentiality, and Privacy. Verified by independent auditors over a sustained review period.
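The continuous-monitoring and first-party criteria above come down to one question a scanner has to answer for every page: which elements make the visitor's browser open a connection to a host you do not control, and does that host's vendor have a BAA? The following is an added example written for this article, not any vendor's scanner. It statically parses a page's HTML with the Python standard library, classifies every script, image and frame load as first-party or third-party, flags 1x1 or hidden images as pixels, and checks third parties against a hypothetical BAA allowlist (BAA_HOSTS). The sample page and every hostname in it are constructed placeholders.

```python
"""Static scan of a page's HTML for third-party scripts, pixels and frames.

Added example for this article; not part of any vendor's scanner. Stdlib
only, runs offline against a constructed sample page embedded below.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hypothetical allowlist: third-party hosts whose vendor has a signed BAA on file.
BAA_HOSTS = {"collect.example-cdp.com"}

# Elements whose src attribute makes the browser open a connection on page load.
LOADING_TAGS = ("script", "img", "iframe")


@dataclass
class Finding:
    tag: str
    url: str
    host: str
    third_party: bool
    pixel: bool      # 1x1 or hidden image: a tracking beacon, not content
    has_baa: bool    # first-party, or a third party with a BAA on file


def same_site(host: str, site: str) -> bool:
    """True if host is the site's apex domain or one of its subdomains."""
    return host == site or host.endswith("." + site)


class _RequestCollector(HTMLParser):
    """Records every script/img/iframe src present in the page source."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.found = []  # (tag, absolute url, attrs)

    def handle_starttag(self, tag, attrs):
        if tag not in LOADING_TAGS:
            return
        a = {k: (v or "") for k, v in attrs}  # valueless attrs (async) arrive as None
        if not a.get("src"):
            return  # inline <script> bodies are not caught by a static scan
        # Resolve relative and protocol-relative (//host/...) URLs against the page.
        self.found.append((tag, urljoin(self.page_url, a["src"]), a))


def _looks_like_pixel(tag: str, a: dict) -> bool:
    if tag != "img":
        return False
    tiny = a.get("width", "").strip() == "1" and a.get("height", "").strip() == "1"
    hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
    return tiny or hidden


def scan(html: str, page_url: str, site_domain: str) -> list:
    """Classify every loading element on the page as first- or third-party."""
    collector = _RequestCollector(page_url)
    collector.feed(html)
    findings = []
    for tag, url, a in collector.found:
        host = urlsplit(url).hostname or ""
        third = not same_site(host, site_domain)
        findings.append(Finding(
            tag=tag, url=url, host=host, third_party=third,
            pixel=_looks_like_pixel(tag, a),
            has_baa=(not third) or host in BAA_HOSTS,
        ))
    return findings


def risky(findings: list) -> list:
    """Third-party loads with no BAA on file: the ones to escalate."""
    return [f for f in findings if f.third_party and not f.has_baa]


# Constructed sample page; the hostnames are placeholders, not real vendors.
SAMPLE_URL = "https://www.clinic.example/oncology/"
SITE = "clinic.example"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://tracker.example-analytics.net/v1/tag.js" async></script>
<script src="https://collect.example-cdp.com/collect.js"></script>
</head><body>
<img src="//ads.example-adplatform.com/px?ev=pageview" width="1" height="1" style="display: none">
<img src="/img/logo.png" alt="logo">
<iframe src="https://chat.example-widget.io/embed" title="chat"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_HTML, SAMPLE_URL, SITE):
        kind = "PIXEL" if f.pixel else f.tag.upper()
        party = "third-party" if f.third_party else "first-party"
        baa = "" if f.has_baa else "  <-- no BAA"
        print(f"{kind:7} {party:12} {f.host}{baa}")
```

Run it on the sample page and three of the six loads are escalated: the analytics tag, the ad pixel and the chat frame; the CDP script is third-party but passes because its host is on the BAA list. The limitation is the one the article itself names: tags that load other tags do so from inline or dynamically injected JavaScript, which a static parse never sees. A crawler that means to catch drift needs to render each page in a headless browser and record the actual network requests, then apply the same classification to what was really fetched.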
How to Evaluate Any Marketing Vendor for Healthcare
Whether you are evaluating HubSpot or any other marketing platform, use this checklist:
Does the vendor sign a BAA? If yes, read the BAA carefully. Does it cover all data the tool collects, including form submissions, tracking data, and marketing automation? Or does it carve out specific features?
What does the SOC 2 report cover? Ask for the trust criteria. If it covers Security only (1 of 5), the audit did not verify confidentiality, privacy, or data processing integrity.
Where does data flow? Does the tool load JavaScript in the visitor's browser that sends data to a third-party server? Or does data flow server-side from your infrastructure? If the platform relies on a client-side tracking pixel, understand exactly what data it collects and where that data goes.
How is consent enforced? Is consent a JavaScript check that can be bypassed, or is it enforced server-side before any data leaves your infrastructure? As state privacy laws continue to expand, consent management is becoming as important as data security.
Can you monitor your site continuously? Does the vendor provide scanning tools that detect non-compliant scripts, cookies, and pixels across your entire site on an ongoing basis? Or are you relying on the hope that nobody on your team introduced a non-compliant script since your last manual audit?
Who are the subprocessors? Does the vendor process data entirely within their own infrastructure, or do they rely on third-party subprocessors that introduce additional compliance risk?
A compliant healthcare marketing stack is achievable. It requires evaluating vendors against these criteria rather than trusting that a partial BAA or an enterprise plan label provides adequate coverage. Ours Privacy offers server-side data collection, a BAA covering the full data pipeline, SOC 2 Type II with all five trust criteria, and a web scanner for continuous compliance monitoring.
FAQ
Does HubSpot offer a BAA?
Yes, but with significant limitations. HubSpot offers a BAA through its "sensitive data" feature, available only to Enterprise-tier customers. The BAA covers CRM data stored within HubSpot. It does not cover HubSpot's tracking code, analytics features, forms, or marketing automation tools. If your use of HubSpot involves any of those features (and most healthcare marketing teams rely heavily on them), the BAA does not protect that data flow.
Can I use HubSpot forms on a healthcare website?
HubSpot forms operate through client-side JavaScript. When a visitor submits a form, the data travels from the browser to HubSpot's servers through a channel not covered by HubSpot's BAA. If those forms collect information that could constitute PHI (appointment requests, condition inquiries, insurance details), that data is flowing through an unprotected path. Healthcare organizations should evaluate whether form submissions can be routed server-side through a compliant intermediary before reaching any marketing platform.
Is HubSpot's Enterprise plan enough for HIPAA compliance?
The Enterprise plan enables the sensitive data feature and BAA option, but it does not make the entire platform compliant. The BAA's scope is limited to CRM data. The tracking pixel, analytics, forms, and marketing automation features remain outside the BAA regardless of plan tier. Compliance depends on your specific data flows, not the plan you purchase.
What about using HubSpot alongside a compliant CDP?
Some healthcare organizations use a server-side CDP as an intermediary layer. The CDP collects data server-side, applies consent checks, and then sends only permissioned, non-sensitive data to HubSpot. This approach can reduce risk by removing HubSpot's client-side tracking code from the website entirely and controlling exactly what data reaches HubSpot. However, it requires careful implementation and ongoing monitoring to verify the data flowing to HubSpot does not include PHI.
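The intermediary pattern in this answer, and the server-side collection and consent-gated dispatch criteria earlier in the article, reduce to one decision made on your own server for every submission: per destination, which fields may leave, and does a consent record you hold permit the send? The following is an added example written for this article, not HubSpot's or any other vendor's code. The browser posts the form to an endpoint on your domain; plan_dispatch() returns, per destination, either a filtered payload or a blocking reason. DISPATCH_POLICY, PHI_FIELDS, CONSENT_STORE, the session ids and the sample submission are all hypothetical, and the HTTP calls to the destinations are left out so the logic runs offline.

```python
"""Server-side form relay with a server-side consent gate.

Added example for this article; not HubSpot's or any other vendor's code.
The browser posts the form to an endpoint on your own domain; this module
decides, per downstream destination, which fields may leave and whether a
consent record held on the server permits the dispatch. The HTTP calls to
the destinations are out of scope; plan_dispatch() returns the plan.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Hypothetical policy. Allowlists, not denylists, so a newly added free-text
# field is never forwarded by accident.
DISPATCH_POLICY = {
    # CRM under a signed BAA: may hold PHI; scheduling needs no marketing consent.
    "crm_baa": {
        "fields": {"first_name", "email", "phone", "procedure", "message", "insurance_member_id"},
        "consent": None, "baa": True,
    },
    # Marketing automation tool with no BAA: identity only, marketing consent required.
    "email_marketing": {"fields": {"first_name", "email"}, "consent": "marketing", "baa": False},
    # Ad platform: hashed email and an event name only, and only with ads consent.
    "ad_platform": {"fields": {"email_sha256", "conversion"}, "consent": "ads", "baa": False},
}

# Fields that carry health information on this form. A destination without
# a BAA never receives them, whatever its allowlist says.
PHI_FIELDS = {"procedure", "message", "insurance_member_id"}

# Hypothetical consent store keyed by the visitor's server-side session id.
# In production this is a record written when the visitor made a choice;
# the point is that it is never read from the incoming request body.
CONSENT_STORE = {
    "sess-A": {"marketing": True, "ads": False},
    "sess-B": {"marketing": False, "ads": False},
    "sess-C": {"marketing": True, "ads": True},
}


@dataclass
class Decision:
    payload: Optional[dict]   # None when the dispatch is blocked
    reason: str


def derive_fields(form: dict) -> dict:
    """Normalise the email and add lower-risk derived fields."""
    data = dict(form)
    email = form.get("email", "").strip().lower()
    if email:
        data["email"] = email
        data["email_sha256"] = hashlib.sha256(email.encode("utf-8")).hexdigest()
    data["conversion"] = "form_submit"
    return data


def plan_dispatch(form: dict, session_id: str, consent_store: dict = CONSENT_STORE) -> dict:
    """Return {destination: Decision} for one submission."""
    consent = consent_store.get(session_id, {})  # unknown session: no consent at all
    data = derive_fields(form)
    decisions = {}
    for dest, policy in DISPATCH_POLICY.items():
        need = policy["consent"]
        if need and not consent.get(need, False):
            decisions[dest] = Decision(None, f"blocked: no server-side '{need}' consent")
            continue
        allowed = set(policy["fields"])
        if not policy["baa"]:
            allowed -= PHI_FIELDS
        payload = {k: v for k, v in data.items() if k in allowed and v not in (None, "")}
        decisions[dest] = Decision(payload, "sent")
    return decisions


# Constructed submission from a (hypothetical) procedure-inquiry form.
SAMPLE_FORM = {
    "first_name": "Ada",
    "email": " Ada@Example.org ",
    "phone": "555-0100",
    "procedure": "oncology consult",
    "message": "Diagnosed last month, would like a second opinion.",
    "insurance_member_id": "X123456",
    # A value the browser could add; it is ignored because consent is read server-side.
    "consent_marketing": "true",
}

if __name__ == "__main__":
    for sess in ("sess-A", "sess-B", "sess-unknown"):
        print(sess)
        for dest, d in plan_dispatch(SAMPLE_FORM, sess).items():
            print(f"  {dest:16} {d.reason:42} {sorted(d.payload) if d.payload else ''}")
```

Mount this behind a POST handler on your first-party domain and derive the session id from a server-set cookie, never from a form field. Two things the run makes visible: the forged consent_marketing value in the request changes nothing, because the gate consults CONSENT_STORE, and the free-text message and procedure fields reach only the destination flagged baa=True even where a consent purpose is satisfied. What the code cannot decide for you is the allowlist itself; an email address submitted through a condition-specific form can be PHI in context, so the fields a no-BAA destination may receive is a decision to make with your compliance team, not a default to inherit.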
How much have healthcare organizations paid in tracking-related settlements?
Since 2023, healthcare organizations have paid over $193 million in combined enforcement actions and class action settlements related to tracking technologies. The largest single case, Kaiser Permanente, settled for $47.5 million affecting 13.4 million members. Cases like BetterHelp ($7.8M) and Advocate Aurora ($12.25M) demonstrate that standard marketing tools and tracking pixels are at the center of these enforcement actions.
Continue Learning
Explore more HIPAA compliance resources for healthcare marketers.
Tool Compliance Reviews
Find out which marketing tools are HIPAA compliant and which ones put your organization at risk.
Server-Side Tracking Guides
Replace risky client-side pixels with secure, compliant data collection that protects patient privacy.