HubSpot's Leap into HIPAA Compliance

Written by Douglas Phillips | 6/6/24 6:19 PM

HubSpot just made a major announcement: they're adding Health Insurance Portability and Accountability Act (HIPAA) compliance tools to the HubSpot platform!

This is big news, as it will expand how "covered entities" who need to follow HIPAA rules and their business associates can use HubSpot.

Let's explore how HubSpot's venture into HIPAA compliance revolutionizes data handling for healthcare companies—and how to ensure secure and compliant patient data management.

What Is Sensitive Data and How Is It Different from Personal Data?

Sensitive data is confidential information that must be kept away from any external party that does not have permission to access it. This is distinct from personal data, which includes information like names, phone numbers, and email addresses: details that may be personally identifiable but aren't as sensitive.

All sensitive data is personal data, but not all personal data is sensitive data.

What Is PHI for HIPAA?

The term "sensitive data" is often used interchangeably with the term "protected health information" (PHI) under the HIPAA umbrella. HIPAA's rules define PHI as: "individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral." 

The "individually identifiable health information" can include:

  • The individual's past, present, or future physical or mental health condition data;
  • Data on the provision of healthcare services to an individual; or
  • Past, present, or future payment for the provision of health care to the individual.

For example, a data entry stating "John Doe was treated for schizophrenia on June 5 and paid $1,879.67 for services" would tick all three boxes of the PHI checklist.

It's essential to note that while all HIPAA data is considered sensitive, not all sensitive data is subject to HIPAA regulations.

Navigating this landscape requires a keen understanding of what data falls under which category, ensuring adherence to the strictest privacy standards. It can help to think of it as a nested hierarchy of sensitivity: personal data contains sensitive data, and sensitive data in turn contains HIPAA data.

Breaking Down HubSpot's HIPAA Compliance Features

HubSpot has introduced a suite of HIPAA compliance features tailored to safeguard sensitive patient data, which are particularly game-changing for HubSpot Enterprise customers.

Most of these tools are geared towards "Sensitive Data" and are currently live. HIPAA data management tools are now in a public beta that HubSpot subscribers can sign up for by opting in from the "Product Updates" section of the HubSpot app interface.

Here's a glimpse into the tools that HubSpot is offering for HIPAA compliance:

  • End-to-end encryption. HubSpot encrypts data at rest and in transit. This helps keep data secure from illicit access.
  • Threat detection. HubSpot uses endpoint detection and response, threat lists, threat signatures, and other functions. These threat detection solutions are consistently updated to keep HubSpot customers safe.
  • Audit trails and access monitoring. Record who accessed what information and when so you can verify accountability and identify abnormal access behaviors.
  • Data access controls. Set strict password policies and enforce them to minimize illicit access risk. Device validation and multifactor authentication (MFA) further enhance data protection. HubSpot's internal data stores are only accessible from the corporate network or via a virtual private network (VPN) solution.
  • Customizable data retention policies. Manage the lifecycle of sensitive and HIPAA data.

This list just scratches the surface of what HubSpot is doing to meet the stringent requirements of HIPAA while streamlining the workflow of healthcare marketers and customer service professionals.

You can find more details about the security tools in HubSpot by visiting HubSpot's Trust Center.

The Significance of HIPAA Compliance for Healthcare Marketing

HubSpot's HIPAA compliance is not just a technical enhancement; it's a transformative shift for healthcare marketing.

With its enhanced features and HIPAA compliance settings, healthcare organizations can now leverage the full power of HubSpot's inbound marketing and CRM platform while maintaining the uncompromising security standards required for handling patient data.

This means more targeted campaigns, personalized patient journeys, and improved engagement—all within the secure confines of HIPAA guidelines.

The responsibility that comes with HIPAA compliance cannot be overstated. Meeting this responsibility consistently helps reassure patients that their sensitive health information is in safe hands, solidifying patient-provider relationships.

For healthcare marketers, this trust translates into loyalty and retention.

How to Enable Sensitive Data Management with HubSpot

The storage and management of sensitive patient data in HubSpot come with tremendous responsibility. Missteps can lead to breaches, loss of trust, and hefty penalties. With this in mind, here's a quick explanation of how to turn on sensitive data management within HubSpot:

  • Go to "Settings" (click the gear icon in the top nav of your HubSpot portal)
  • Go to "Privacy and Consent" under the "Account Setup" header in the left nav menu
  • Click the "Configure sensitive data settings" button in the "Sensitive data" box
  • In the right fly-in menu that appears, select the checkboxes that will apply to the type of data you will be storing
    • For HIPAA-covered entities and business associates, you'll need to check the "Health/Medical Data" box before you can click on the "We are a HIPAA-covered entity or business associate" checkbox
  • When finished, click "Next"
  • Review the terms and conditions, then click the checkbox to accept them
  • Click "Turn on sensitive data settings" to finish the setup

Next Step: Create Properties to Store HIPAA-Protected Data

After turning on your Sensitive Data Management settings and identifying your business as a HIPAA-covered entity or business associate, it's time to create custom properties in HubSpot for storing HIPAA-protected data.

Here's how:

  • Go to your "Settings" menu
  • In the left nav menu, click on "Properties" under the "Data Management" header
  • Click on the "Create property" button
  • Enter the property's basic information like you would for any other custom property in HubSpot and then click "Next"
  • Mark the property as sensitive by clicking on the "Sensitive data" box
  • To specify that the data is HIPAA-protected data, select the "Yes, this data contains protected health information (PHI)" checkbox.

Best Practices for Maintaining HIPAA Compliance on HubSpot

While HubSpot is providing tools suitable for HIPAA compliance, it's still important to follow HIPAA compliance best practices if you plan to store sensitive and PHI data.

To ensure the highest level of HIPAA compliance when using HubSpot, healthcare companies should embrace the following best practices:

  • Conduct regular security training for all team members. While it's easy to assume that your team knows how to safely use your computers and tools, you cannot take that for granted. Regular training and testing are a must.
  • Implement strict access controls and permission settings. Doing things like enforcing multifactor authentication can go a long way towards preventing illicit data access. Also, defining who can access PHI and how they can use it is important for preventing accidental HIPAA rules violations.
  • Regularly review audit logs to monitor access to PHI. Do you know who is accessing your sensitive data? Frequent checking of your data access logs is critical for identifying the 
  • Utilize HubSpot's built-in security features, such as data encryption. Utilizing as many of HubSpot's "defense in depth" security features as possible will help to keep your data safer from illicit access. So, it is recommended that you turn these features on as soon as possible.
  • Stay informed of the latest HIPAA regulations and HubSpot updates. If you're a HIPAA-covered entity or business associate to one, you should already be keeping abreast of any HIPAA news. But, be sure to add HubSpot product updates to your notifications as well! As HubSpot releases new tools and security features, being subscribed to their product updates can help you stay in the know and make the most effective (and safe) use of the HubSpot platform.

By following these guidelines, healthcare organizations can leverage HubSpot's capabilities confidently and responsibly. Doing so also helps you avoid HIPAA violations and their consequences, such as fines or potential civil lawsuits over PHI data breaches.

Anticipating the Future of Healthcare Marketing with HubSpot

As HubSpot continues to innovate, the horizon of healthcare marketing expands. With HIPAA-compliant tools, healthcare marketers can anticipate more personalized, efficient, and engaging patient interactions.

The integration of AI, advanced analytics, and secure data management will pave the way for healthcare marketing that not only meets regulatory standards but sets new benchmarks for patient care.

Looking ahead, HubSpot's commitment to compliance and innovation promises a future where healthcare marketing is not only effective but also empowers a higher standard of patient privacy and trust.

It's a win-win for healthcare providers and patients alike.