BBAA Atlas

Is HubSpot HIPAA compliant?

CRM & marketing · vendor site ↗

BAA on select plansPHI with conditionsSOC 2 Type II
Will HubSpot sign a HIPAA BAA?
Sometimes — HubSpot signs a HIPAA BAA only on specific plans or add-ons.
Since the 2024 GA of Sensitive Data, HubSpot signs a BAA but only on Enterprise tiers, auto-activated when you enable Sensitive Data settings and check the Health/Medical Data plus HIPAA-covered-entity boxes.
PHI eligibility
PHI is allowed only within the scoped Sensitive Data Covered Services on Enterprise after the BAA is accepted; reporting analytics, call recordings/transcripts, and most integrations remain out of scope.
SOC 2
SOC 2 Type II
Trust center
knowledge.hubspot.com
Sub-processors
Notes
HubSpot reversed its historical 'won't sign a BAA' stance with the 2024 Sensitive Data rollout; verified from HubSpot's own knowledge base.
Last verified 2026-05-31confidence: high· Vendor terms change — confirm directly with HubSpot before storing PHI.

Get notified when this changes

We track HubSpot's BAA and HIPAA status. Leave your email and we'll send one note if the verdict on this page changes.

One email per change. No newsletter, no selling your address.

How to request and sign a BAA with HubSpot

Sometimes — HubSpot signs a HIPAA BAA only on specific plans or add-ons.

Request routeSelf-serve — enable it in your account
  1. 1
    Get on a qualifying plan
    Since the 2024 GA of Sensitive Data, HubSpot signs a BAA but only on Enterprise tiers, auto-activated when you enable Sensitive Data settings and check the Health/Medical Data plus HIPAA-covered-entity boxes.
  2. 2
    Request the Business Associate Agreement
    HubSpot lets you obtain the BAA without a sales call. Follow the path named in the plan requirement above — typically an in-product toggle or a billing / compliance settings page — then request and accept the agreement from your own account.
  3. 3
    Confirm what PHI is allowed before you store any
    PHI is allowed only within the scoped Sensitive Data Covered Services on Enterprise after the BAA is accepted; reporting analytics, call recordings/transcripts, and most integrations remain out of scope. Match your configuration to this scope before putting protected health information into HubSpot.
Last verified 2026-05-31 · Plan tiers and BAA terms change often — confirm the current process directly with HubSpot before you rely on it. This is cited public information, not legal advice.

Frequently asked questions

Does HubSpot sign a HIPAA Business Associate Agreement (BAA)?
Sometimes — HubSpot signs a HIPAA BAA only on specific plans or add-ons. Since the 2024 GA of Sensitive Data, HubSpot signs a BAA but only on Enterprise tiers, auto-activated when you enable Sensitive Data settings and check the Health/Medical Data plus HIPAA-covered-entity boxes.
Is HubSpot HIPAA compliant?
HubSpot can be HIPAA-compliant only on the specific plans or add-ons where it will sign a Business Associate Agreement (BAA). PHI is allowed only within the scoped Sensitive Data Covered Services on Enterprise after the BAA is accepted; reporting analytics, call recordings/transcripts, and most integrations remain out of scope.
Can you store PHI (protected health information) in HubSpot?
PHI is allowed only within the scoped Sensitive Data Covered Services on Enterprise after the BAA is accepted; reporting analytics, call recordings/transcripts, and most integrations remain out of scope.
Is HubSpot SOC 2 certified?
HubSpot reports a SOC 2 Type II attestation according to its public security documentation.
How do I request a HIPAA BAA from HubSpot?
HubSpot lets you obtain the BAA without a sales call. Follow the path named in the plan requirement above — typically an in-product toggle or a billing / compliance settings page — then request and accept the agreement from your own account. Confirm current terms directly with HubSpot before storing PHI.
What plan do I need to sign a BAA with HubSpot?
Since the 2024 GA of Sensitive Data, HubSpot signs a BAA but only on Enterprise tiers, auto-activated when you enable Sensitive Data settings and check the Health/Medical Data plus HIPAA-covered-entity boxes.

Sources

Store sensitive data in HubSpot
https://knowledge.hubspot.com/properties/store-sensitive-data
Supports: BAA available on Enterprise tiers; requires Health/Medical Data + HIPAA-covered-entity checkboxes and BAA acceptance to store PHIdated: 2026-05-08
This page is cited public information, not legal or compliance advice. A BAA's availability can depend on your specific plan, region, and contract. Always confirm current terms with HubSpot before processing protected health information.

Check another vendor

SalesforceSigns a BAAActiveCampaignBAA on select plansAcuity SchedulingBAA on select plansAdobe Acrobat SignBAA on select plansAircallSigns a BAAAirtableBAA on select plans

See all HIPAA compliant CRM software
Browse all 105 vendors by category →