Does HubSpot Sign a HIPAA Business Associate Agreement?
By BAA Generator Editorial · Published Apr 19, 2026 · Last reviewed Apr 19, 2026 · 4 min read
Key Takeaways
- ✓ Yes — but only with the Healthcare Hub add-on (requires Enterprise plan)
- ⚠ Standard HubSpot plans (Starter, Professional, Enterprise without Healthcare Hub) are not HIPAA eligible
- ⚠ Many healthtech companies unknowingly put patient data into standard HubSpot; storing PHI with a vendor that has not signed a BAA is a HIPAA violation, however the data got there
- ✓ Healthcare Hub includes a BAA, HIPAA-specific access controls, and audit logging
- ✓ HubSpot is one of the few CRM/marketing platforms to offer a genuine HIPAA compliance path
HubSpot is one of the most widely used CRM and marketing automation platforms among healthcare startups and health systems. The compliance question comes up constantly — especially at the point when a healthtech company starts onboarding healthcare customers who ask about their vendor's HIPAA status.
HubSpot's HIPAA Compliance Path
HubSpot introduced HIPAA compliance capabilities through its Healthcare Hub add-on, available to Enterprise customers. This is a meaningful offering: many general-purpose CRMs and marketing platforms will not sign a BAA at all, which rules them out for PHI regardless of how strong their security controls are.
To use HubSpot in a HIPAA-compliant manner, you need:
- HubSpot Enterprise plan — Healthcare Hub requires the Enterprise tier of Marketing Hub, Sales Hub, Service Hub, or the Customer Platform
- Healthcare Hub add-on — the add-on that enables HIPAA features and BAA execution
- Executed BAA — through HubSpot's legal team, obtained as part of the Healthcare Hub onboarding
What Healthcare Hub Includes
Beyond the BAA, Healthcare Hub adds HIPAA-specific technical controls to HubSpot:
- Sensitive data fields that restrict display and logging of PHI within HubSpot's UI
- Audit log access for all PHI-related activity
- Restrictions on third-party integrations that could expose PHI to non-BAA-covered services
- Access controls aligned with the HIPAA minimum necessary standard
The Common Healthtech Mistake
Many digital health startups use standard HubSpot CRM for sales and marketing from day one. Before they have healthcare customers, their contact data is just leads and prospects, and that's fine. The problem occurs when they start closing healthcare customers and those customers send them patient data, or when they begin tracking patient journeys within HubSpot's contact records. At that point a vendor with no BAA is maintaining PHI on the company's behalf, and the standard plans are not eligible for one.
If your company sells to healthcare and your CRM contacts are mixed between general business contacts and patient-adjacent data, it's time to either: (a) upgrade to Healthcare Hub, (b) segregate PHI from your CRM entirely, or (c) use a different HIPAA-compliant CRM solution. Whichever you choose, also find the PHI that is already in the account: a BAA signed today does not cure the period during which the data was stored without one, and the historic records still need to be identified and either moved under the covered configuration or deleted.
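Finding that PHI is the first practical step, and the check can be run against a plain contact export before any of the three options is chosen. The script below is an added example written for this article; it is not HubSpot code or a HubSpot feature, and it assumes only a CSV export with arbitrary column names. The column hints, value patterns, and sample rows are constructed for illustration: a hit means the account is in scope for HIPAA, but a clean run does not prove the absence of PHI, so treat it as a triage tool rather than a classifier.

```python
"""Scan a CRM contact export for PHI indicators.

Added example for this article, not HubSpot code or a HubSpot feature. It
assumes a CSV export of contact records with arbitrary column names; the
sample rows and columns below are constructed for illustration.
"""
import csv
import io
import re
import sys

# Column names that, on their own, suggest clinical data is being tracked
# in the CRM (substring match on the lower-cased header; assumed list).
PHI_COLUMN_HINTS = ("dob", "date_of_birth", "diagnosis", "mrn",
                    "medical_record", "ssn", "member_id", "patient")

# Value patterns commonly found in PHI. Heuristic, not a complete classifier:
# a hit means the account is in scope, a miss does not prove it is clean.
PHI_VALUE_PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("mrn", re.compile(r"\bMRN[\s:#-]*\d{5,}\b", re.IGNORECASE)),
    # ICD-10 codes with a subcode (E11.9); requiring the dot avoids matching
    # short alphanumeric IDs that appear in e-mail addresses and SKUs.
    ("icd10", re.compile(r"\b[A-TV-Z]\d{2}\.\d{1,4}\b")),
    ("dob", re.compile(r"\b(?:dob|date of birth)\b[\s:]*\d{1,2}/\d{1,2}/\d{2,4}",
                       re.IGNORECASE)),
    ("clinical_term", re.compile(
        r"\b(?:diagnos(?:ed|is)|prescri(?:bed|ption)|appointment|"
        r"treatment plan|lab results?)\b", re.IGNORECASE)),
]

# Constructed sample export: two ordinary B2B leads and two records where a
# customer's patient details have leaked into the free-text notes field.
SAMPLE_EXPORT = """email,company,lifecycle_stage,notes
cto@acme-health.example,Acme Health,customer,Kickoff call scheduled for Q3 pilot
dana@example.com,,lead,Met at HLTH booth; interested in pricing
j.doe@example.com,,customer,Referred by Acme Health. Patient diagnosed E11.9; DOB: 04/12/1979; MRN 00482913
sam@example.com,,lead,SSN 123-45-6789 collected for eligibility check
"""


def scan_contacts(csv_text: str) -> list[dict]:
    """Return one finding per (row, column, indicator) that looks like PHI."""
    reader = csv.DictReader(io.StringIO(csv_text))
    findings = []
    # Header check runs once: a 'diagnosis' column is a finding by itself.
    for col in reader.fieldnames or []:
        norm = col.strip().lower()
        if any(hint in norm for hint in PHI_COLUMN_HINTS):
            findings.append({"row": None, "column": col,
                             "indicator": "column_name", "match": col})
    for row_no, row in enumerate(reader, start=2):  # row 1 is the header
        for col, value in row.items():
            # Skip empty cells and the list DictReader stores overflow fields in.
            if not isinstance(value, str) or not value:
                continue
            for label, pattern in PHI_VALUE_PATTERNS:
                match = pattern.search(value)
                if match:
                    findings.append({"row": row_no, "column": col,
                                     "indicator": label, "match": match.group(0)})
    return findings


def summarize(findings: list[dict]) -> dict:
    """Collapse findings into the decision a compliance review needs."""
    rows = sorted({f["row"] for f in findings if f["row"] is not None})
    indicators = sorted({f["indicator"] for f in findings})
    return {"in_scope": bool(rows), "rows_with_phi": rows,
            "indicators": indicators}


if __name__ == "__main__":
    # Usage: python scan_contacts.py export.csv   (defaults to the sample data)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_EXPORT
    result = scan_contacts(text)
    for f in result:
        print(f"row {f['row']}: {f['column']} [{f['indicator']}] {f['match']!r}")
    print(summarize(result))
```

Run against the sample, the two B2B leads produce nothing, while the two customer-adjacent rows are flagged for an ICD-10 code, a date of birth, an MRN, a clinical term and an SSN. The row numbers map back to the export so the records can be pulled, and the patterns are deliberately narrow (the ICD-10 match requires a subcode, the SSN match requires dashes) so that a hit is worth a human look; widen them for a second pass once the obvious cases are cleaned up.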
Alternatives to HubSpot for Healthcare CRM
- Salesforce Health Cloud — purpose-built for healthcare; BAA available; more expensive than HubSpot Healthcare Hub
- Microsoft Dynamics 365 — BAA available under the Microsoft Product Terms (formerly the Online Services Terms, OST) for commercial plans
- Keap (formerly Infusionsoft) — BAA available on certain plans for healthcare use
Need BAAs for your full vendor stack?
From HubSpot to your EHR to AWS — every vendor who handles PHI needs a signed BAA. Generate them in minutes.