Updated June 4, 2024
A quick legal heads up: we may be HubSpot experts, but we’re not lawyers. Please seek qualified legal counsel for all compliance matters, especially as regulations change. Remember also to pay attention to any relevant data privacy or data protection regulations not encompassed within HIPAA compliance.
New Developments: Storing PHI in HubSpot
As of June 4, 2024, HubSpot has launched a public beta enabling Enterprise customers to store protected health information (PHI) covered under HIPAA in HubSpot’s Smart CRM.
This is a pretty huge update, and represents a fairly critical step in HubSpot’s larger move toward data sensitivity and empowering better data privacy. If you’re an Enterprise customer, you may be able to enroll in the beta program and get started storing PHI in HubSpot.
Here’s what you need to know:
What PHI can you store in HubSpot that’s covered under HIPAA?
Enterprise customers in the beta can now store a much broader range of sensitive information, including passport numbers, driver’s license numbers, ethnic background, religious beliefs, and health data that isn’t covered by HIPAA.
You’ll be able to collect this sensitive data through HubSpot forms, create properties to store it, and even use AI to help automate tasks that involve it.
This includes protected health information handled by covered entities and business associates subject to HIPAA, fitness and wellness information, and sensitive personal data as defined under GDPR.
What are these new sensitive data settings?
These new sensitive data properties add an additional layer of encryption (application-layer encryption, on top of HubSpot’s standard encryption), which provides extra protection and isolation for PHI.
Files containing sensitive information uploaded via certain methods in HubSpot, including attachments added via records, notes, emails, form submissions, and imports, are protected by that additional layer of encryption. Keep in mind, though: files hosted in the files tool do not get this additional protection, so PHI should not be uploaded there.
How do I activate these sensitive data settings in HubSpot?
Enterprise customers can now store PHI by taking two important steps:
1) enrolling in the public beta, and
2) turning on HIPAA-specific sensitive data settings.
Still not sure how to get there? You can activate the sensitive data setting in your account through Privacy & Consent settings. All you need to do is click a checkbox that says “We are a HIPAA-covered entity or business associate.”
How can I use this sensitive data in HubSpot?
Sensitive data can be used across several HubSpot tools, including CRM records, views, lists, workflow triggers and actions, reports, search, and mobile.
Keep in mind, though: sensitive data properties are still unavailable in certain tools, including personalization tokens, sandboxes, chatbots, and playbooks.
HubSpot customers covered by HIPAA still need to meet their own compliance obligations, including for how they use HubSpot. Before any PHI is placed in the platform, verify that your business has the right contractual framework in place with HubSpot, most likely a Business Associate Agreement (BAA).
Why is HIPAA Compliance So Important?
For the healthcare industry, a CRM like HubSpot can be a powerful piece of technology.
That’s why so many businesses in healthcare use HubSpot today to improve their sales process and gain that competitive edge in the marketplace.
By collecting and digesting all that user data across your websites, HubSpot makes it possible for healthcare businesses to
- Supercharge their marketing with personalized, patient-specific content
- Create and build data-based audiences to guide marketing efforts and identify lookalike audiences
- More effectively nurture users with clear visibility across the sales cycle, from potential customers all the way to loyal advocates
But there’s a big problem: HIPAA.
The Health Insurance Portability and Accountability Act (HIPAA) is the cornerstone of patient privacy legislation in the USA. Passed in 1996, HIPAA allows patients to control and protect their sensitive healthcare data.
Under the current guidelines, businesses need to be very careful about how they collect, store, and use all that patient data. Failure to do so can be costly: civil penalties run from thousands of dollars per violation into the millions per year, not to mention a whole lot of bad publicity.
For most CRMs, this makes a lot of marketing a non-starter… but the same isn’t necessarily true for HubSpot.
Here’s a look at how you can use HubSpot within HIPAA compliance, and still get the most out of all that great marketing tech.
HIPAA Compliance: It’s A Big Deal for Healthcare
For healthcare organizations, maintaining HIPAA compliance when storing and using patient data is crucial, and failure to do so can result in extensive penalties. Even something as simple as a social media post that unlawfully shares patient information can be a violation.
Also important to remember: HIPAA applies to more than just hospitals. Any organization that creates, receives, maintains, or transmits protected health information for or on behalf of a covered entity is bound by HIPAA regulations. This includes:
- Healthcare providers: Anyone actually providing healthcare, like a hospital, surgical center, doctor’s office, etc.
- Health plans: Anyone paying for healthcare. (The only exception here is for group health plans with fewer than 50 participants administered solely by the employer that established and maintains the plan.)
- Healthcare clearinghouses: Entities that process health information between nonstandard and standard formats for providers and health plans, such as billing services and repricing companies.
- Business associates: Anyone who performs services for a covered entity that involve access to PHI, including claims processing, data analysis, utilization review, billing, and marketing.
It’s this last one—Business Associates—that most often affects marketing organizations and partner agencies working alongside healthcare organizations. That’s who’s likely to be focused specifically on marketing efforts… and who’s most likely to be thinking about CRM compliance in HubSpot.
Keeping Your HubSpot Compliant with HIPAA Might Be Easier Than You Think
Despite the challenges, HubSpot can be used by healthcare organizations within HIPAA compliance. You can deliver great marketing communication to your customers without sacrificing patient privacy.
To do so, it’s critical you set yourself up to store patient healthcare information in HubSpot safely and efficiently. From there, it’s a matter of implementing intelligent marketing to improve the customer experience in ways that:
- don’t feel invasive for patients
- don’t violate HIPAA regulations around data storage and privacy
- don’t put you too far down a bad path before regulations (inevitably) change in the future.
To use HubSpot without violating HIPAA compliance, it’s crucial to take a few big ideas into consideration. By building a strategy around these data privacy guidelines, healthcare organizations can make the most of HubSpot’s capabilities well within the boundaries of HIPAA.
1. Safely Collecting and Storing Patient Digital Information
Having your private medical information stolen by hackers… it’s not good! HIPAA regulations specifically deal with data storage for this reason: if it’s too easy for data to leak, it’s not being properly secured.
For HubSpot accounts that aren’t storing PHI under a BAA and the sensitive data settings described above, there’s a straightforward pattern: a one-way integration from HubSpot into a HIPAA-compliant EHR (Electronic Health Records) system, sometimes called an EMR (Electronic Medical Record).
When a user is identified as a prospect, their data is stored in HubSpot and available for all the usual marketing, automation, and personalization efforts. As long as you’re complying with any other relevant data privacy rules, you should have no problem.
Once that user becomes a patient, however, their data needs to be pushed immediately into that HIPAA-compliant EHR, like Epic, TheraNest, or Kareo (among others), and the HubSpot record deleted or reduced to non-identifying data. Keep the integration strictly one-way, from HubSpot to the EHR and never back: that way, clinical data can never flow into a CRM environment that isn’t covered by a BAA. Remember that the mere fact that a named person is your patient is itself individually identifiable health information, which is why the record can’t simply stay in HubSpot after the handoff.
Sure, this moves those patients outside of HubSpot’s marketing capabilities, but it also protects the organization from accidentally using protected patient data where it shouldn’t be.
2. Culling Old User Data Periodically
Data in HubSpot can move from compliant to noncompliant with HIPAA as soon as a “prospective patient” becomes an “actual patient.” But what if it’s been months and you don’t have confirmation that a user did actually become a patient? Is there a chance the data you have collected is now in violation of HIPAA?
Well, it could be yes or it could be no, but until you close the loop, it’s best to assume that old data is no longer safe to store. That’s why it’s a good idea to periodically remove any user data old enough to pose a risk to your HIPAA compliance.
The right retention window is an open question; it depends on your sales cycle and user engagement. Whatever you choose, having a documented, regularly executed process is not only good for your legal standing, but also good for the health of your lists and segments in general.
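Here is how the patient handoff from point 1 and the retention sweep from point 2 fit together in code. This is an added example written for this post, not HubSpot’s code or an integration the post describes. The EHR push and CRM delete are stand-in callables (in practice, the HubSpot and EHR API clients), and the field allow-list, the 180-day retention window and the contact records are assumptions chosen for illustration. The check that flags prospects carrying fields outside the allow-list anticipates point 3 below, since the same sweep is the natural place for it.

```python
"""Added example (not HubSpot's code): one-way patient handoff plus a
retention sweep for a CRM that must not hold PHI. Per contact record it
decides: hand off to the EHR and delete, purge as stale, flag for review,
or keep. The EHR push and CRM delete are callables you supply; the ones in
demo() are hypothetical recorders, and the contacts are constructed data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Fields a prospect record may legitimately carry: contact identity,
# marketing preferences and web engagement. Anything else is suspect.
PROSPECT_ALLOWED_FIELDS = {
    "id", "email", "first_name", "lifecycle_stage", "created_at",
    "last_engaged_at", "content_preferences", "lead_score", "pages_visited",
}
# Only what the EHR needs to match the person; nothing is ever read back.
HANDOFF_FIELDS = ("email", "first_name")
# Unconfirmed prospects idle longer than this are purged (assumed window).
RETENTION = timedelta(days=180)


@dataclass
class Action:
    contact_id: str
    kind: str                      # keep | handoff_and_delete | delete_stale | review
    reason: str
    outbound: Optional[dict] = None  # payload sent to the EHR, if any


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """ISO-8601 timestamp with offset -> aware datetime; missing/malformed -> None."""
    if not value:
        return None
    try:
        ts = datetime.fromisoformat(value)
    except ValueError:
        return None
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def plan_contact(contact: dict, now: datetime) -> Action:
    """Decide what to do with one CRM contact record."""
    cid = contact["id"]
    # Point 1: a confirmed patient is handed off and removed from the CRM. The
    # payload is cut down to HANDOFF_FIELDS so stray data is never forwarded.
    if contact.get("lifecycle_stage") == "patient":
        outbound = {k: contact[k] for k in HANDOFF_FIELDS if k in contact}
        return Action(cid, "handoff_and_delete", "contact became a patient", outbound)
    # Point 3: a prospect carrying fields outside the allow-list may already
    # hold health data; stop marketing to it and review rather than guess.
    unexpected = sorted(set(contact) - PROSPECT_ALLOWED_FIELDS)
    if unexpected:
        return Action(cid, "review", f"unexpected fields on prospect: {unexpected}")
    # Point 2: prospects with no recent engagement are purged. Without any
    # usable timestamp the age is unknown, so the record goes to review.
    last_seen = parse_ts(contact.get("last_engaged_at")) or parse_ts(contact.get("created_at"))
    if last_seen is None:
        return Action(cid, "review", "no usable timestamp to judge age")
    age = now - last_seen
    if age > RETENTION:
        return Action(cid, "delete_stale", f"prospect idle for {age.days} days")
    return Action(cid, "keep", f"active prospect, idle {age.days} days")


def run_sweep(contacts: list, now: datetime,
              push_to_ehr: Callable[[dict], None],
              delete_contact: Callable[[str], None]) -> list:
    """Plan and execute actions for every contact; returns the plan for audit."""
    actions = [plan_contact(c, now) for c in contacts]
    for a in actions:
        if a.kind == "handoff_and_delete":
            push_to_ehr(a.outbound)        # one direction only: CRM -> EHR
            delete_contact(a.contact_id)
        elif a.kind == "delete_stale":
            delete_contact(a.contact_id)
    return actions


# Constructed sample data; a fixed clock keeps the run reproducible.
NOW = datetime(2024, 6, 4, 12, 0, tzinfo=timezone.utc)
SAMPLE_CONTACTS = [
    {"id": "c1", "email": "a@example.com", "first_name": "Ana", "lifecycle_stage": "prospect",
     "created_at": "2024-05-01T09:00:00+00:00", "last_engaged_at": "2024-05-30T10:00:00+00:00",
     "lead_score": 42, "pages_visited": 7},
    {"id": "c2", "email": "b@example.com", "first_name": "Ben", "lifecycle_stage": "patient",
     "created_at": "2024-03-01T09:00:00+00:00", "last_engaged_at": "2024-06-01T10:00:00+00:00",
     "lead_score": 90},
    {"id": "c3", "email": "c@example.com", "lifecycle_stage": "prospect",
     "created_at": "2023-10-01T09:00:00+00:00", "last_engaged_at": "2023-11-15T10:00:00+00:00"},
    {"id": "c4", "email": "d@example.com", "lifecycle_stage": "prospect",
     "created_at": "2024-05-20T09:00:00+00:00", "diagnosis": "type 2 diabetes"},
    {"id": "c5", "email": "e@example.com", "lifecycle_stage": "prospect"},
]


def demo() -> dict:
    """Run the sweep on the sample data with recording stand-ins (hypothetical)
    in place of the real EHR and CRM clients."""
    pushed, deleted = [], []
    actions = run_sweep(SAMPLE_CONTACTS, NOW, pushed.append, deleted.append)
    return {"actions": {a.contact_id: a.kind for a in actions},
            "pushed": pushed, "deleted": deleted}


if __name__ == "__main__":
    for cid, kind in demo()["actions"].items():
        print(cid, kind)
```

Two design choices matter here. The handoff payload is built from an explicit tuple of fields rather than by copying the whole record, so a property that should never have reached the CRM can’t ride along into the EHR, and a record with no usable timestamp is sent for review rather than silently kept, because the post’s advice is to assume unknown-age data is no longer safe.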
3. Only Asking Patients for Compliant Info
One of the best ways to prevent your CRM from accumulating sensitive patient data is to not ask for it at all, or, at the very least, to ask only for information you can use in marketing communications without putting patient data at risk.
Here’s how HIPAA defines “Individually identifiable health information” when it comes to sensitive data collection:
“‘Individually identifiable health information’ is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).”
Clearly, it’s critical that you not ask users for anything that ties an identifiable person to a health condition, treatment, or payment for care. That said, there are still some useful bits of information you can safely ask users to provide, especially anything directly related to the website experience.
Input from users about their content preferences (e.g., “What kind of content would you like to receive from us?”), or web engagement information HubSpot determines on its own (like lead score or pages visited), can all help you deliver relevant content to interested users.
4. Double Opt-In for Receiving Health & Wellness Information on Forms
Generally, it’s good practice to ask users who fill out forms on your website to also confirm they want to receive marketing communications. Not only is this good for GDPR compliance, it’s also just a good practice to build user trust.
But when it comes to health and wellness marketing info, this double opt-in is even more crucial. Be specific here: ask users who fill out forms whether they want to receive specifically health- and wellness-focused marketing content. That way, when they do, they won’t feel like you’re violating their health information privacy.
Consider making this opt-in as general as possible, something like “Yes, I would like to receive health & wellness information.” Anyone who selects this can be added to a HubSpot list for future delivery of your marketing content.
5. Avoiding Personalization in Emails
It can be tempting, and, honestly, effective, to add personalized copy to emails and marketing communication. HubSpot’s personalization tokens allow marketers to insert fields like “name” and “company” into emails directed at specific users, and that can really help content feel tailored to each person.
Unfortunately, it can also feel a little invasive, especially in a health and wellness context. Overall, you’re better off skipping the personalization on these emails and keeping the copy more general.
Try to stick to big, general language like “you may be interested in ____” when offering relevant content to users, and be sure you’re not revealing too much personal information on users that could make them feel uncomfortable.
Get Your HubSpot Strategy In Line with HIPAA
Sticking to patient privacy guidelines in HubSpot doesn’t have to be a huge headache… but it can be a little tricky if it’s not something you’re used to. That’s where an experienced partner comes in handy.
We’ve helped tons of healthcare companies (small and large, including publicly traded organizations) integrate HubSpot into their processes, so we know it to its core. Plus, we’re a Diamond Partner, so we’re always in conversation with HubSpot about client needs and evolving CRM capabilities.
Get in touch and let’s talk through your HubSpot strategy today, before you run into trouble with HIPAA.