
Quick Guide For HIPAA Compliance While Using HubSpot
March 20, 2020
By Sandy Moore
Friendly reminder: We are not attorneys and this should not be interpreted as legal advice. Please seek your own legal counsel for all compliance matters—and in light of new and changing regulations, HIPAA compliance doesn’t necessarily mean compliance with all relevant data privacy or data protection regulations.
If you work within the healthcare industry, you are likely familiar with HIPAA, the Health Insurance Portability and Accountability Act of 1996. Its Privacy and Security Rules set the requirements and security standards for protecting individually identifiable health information, known as protected health information (PHI).
Violating HIPAA can result in severe penalties, so many healthcare organizations are careful to follow the guidelines outlined by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), as well as the advice of the organization’s legal counsel. Most healthcare organizations have questions and concerns about storing and sharing information from within their digital platforms, even as they gain a competitive advantage within the marketplace by using cutting-edge software.
You can protect your contacts' health information and perform top-level marketing and sales activities at the same time. The approach is to split your contacts across platforms so that PHI stays in a system built and contracted for it, and to set clear standards for what your marketing platform is allowed to collect, store, and send.
Within the healthcare industry, it is common to have multiple platforms for digital communications. You can organize your digital communications by segmenting your contacts and using one platform for patients and another platform for prospects. For example, you could use an electronic medical records system (EMR) such as Nextech to store patient information while using a platform such as HubSpot for marketing and sales communications with prospects.
“Many of our healthcare clients use a mixture of Nextech and HubSpot. They use HubSpot Marketing Hub and Sales Hub for the acquisition of new patients, but once someone becomes a customer/patient, they are moved over to Nextech for appointment reminders, patient information, medical records, etc. The challenge, of course, is you don't have one system for everything, but this compromise has allowed our digitally savvy clients to leverage best-of-breed tech for new patient acquisition, and they have been pleased with the results.” –Jen Spencer, VP of Sales and Marketing, SmartBug®
Keeping patients and prospects on separate platforms does not by itself make you HIPAA compliant, but it keeps PHI out of the marketing platform by design. It also lets you take advantage of the unique features of each platform and control exactly what information you collect from individuals and store.
For example, within HubSpot, you can create custom properties with dropdown fields for your website forms so you can control what information is collected from the visitor. Keep the dropdown options to general topics of interest rather than diagnoses, treatments, or medications: a health-related selection tied to a named contact with an email address can itself be PHI. By limiting the choices to information that is not protected by HIPAA, you'll feel confident about the information that you collect, store, and share while using HubSpot for your marketing automation and sales activities.
You may also want to use a double opt-in for individuals that convert on your forms in order to confirm consent for ongoing communications. Add a consent checkbox to the form, left unchecked so the visitor has to tick it, with wording such as "Yes, I want to receive health and wellness information" or "Yes, I would like to receive patient education information," and then send a confirmation email that the contact must click to complete the opt-in (HubSpot's double opt-in email setting does this). Then, using the HubSpot lists tool, you can create a list of contacts that have confirmed their opt-in and only contact these individuals for future email marketing campaigns.
When it comes to your email marketing strategy, be careful with HubSpot's personalization tokens: a token pulls a contact property value into the email body, so a token on a property that holds a condition, treatment, or appointment detail would disclose that information in the email itself. Use general wording such as "you may be interested in" or "here is a popular service we offer," and never reveal the patient's treatment or medical history within the email copy.
Spend time each month cleaning up the database to ensure you aren't collecting and storing information that is protected by HIPAA within HubSpot. Delete or bulk edit unnecessary information from contacts' properties and timelines, including notes, logged calls, and chat transcripts where staff may have typed in medical detail. You may also want to remove contacts that have become patients from your HubSpot database and communicate with patients only through your electronic medical records system instead of HubSpot.
Finally, if you set up an integration between HubSpot and your electronic medical records system, make it one-way. Only send information from HubSpot to the electronic medical records system, limited to the fields the EMR actually needs, and never pass patient information back to HubSpot. This ensures that a patient's medical history isn't being stored in your HubSpot database.
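The two controls above, a deny-by-default field allow-list on the HubSpot-to-EMR sync and a monthly scan of the HubSpot database for PHI-shaped data and contacts that became patients, are easy to automate. The example below is an added illustration and not HubSpot's or Nextech's code. It assumes contacts exported from HubSpot as one dictionary per contact (property name to value); the contact records, the allow-list, the custom property consent_wellness_info, and the indicator terms are all constructed for the example and should be replaced with your own.

```python
"""Allow-list filter for a one-way HubSpot -> EMR sync and a monthly PHI scan.
Added illustration; not HubSpot's or Nextech's code."""
from __future__ import annotations

import re
from typing import Iterable

# Properties a prospect record may carry in HubSpot and pass to the EMR.
# Deny by default: the outbound sync drops anything not listed here.
ALLOWED_PROPERTIES = {
    "email", "firstname", "lastname", "phone", "lifecyclestage",
    "consent_wellness_info",   # assumed custom checkbox property from the opt-in form
}

# Constructed indicator terms; tune these to your own property names and note content.
PHI_INDICATORS = re.compile(
    r"\b(diagnos\w*|treat\w*|medicat\w*|prescri\w*|procedure|condition|surgery|"
    r"symptom\w*|allerg\w*|mrn|medical[\s_]record)\b",
    re.IGNORECASE,
)


def outbound_payload(contact: dict) -> tuple[dict, list[str]]:
    """Build the HubSpot -> EMR payload: keep allow-listed properties only and
    report which properties were dropped, so the sync never forwards unexpected
    fields even if someone adds them to HubSpot later."""
    payload = {k: v for k, v in contact.items() if k in ALLOWED_PROPERTIES}
    dropped = sorted(k for k in contact if k not in ALLOWED_PROPERTIES)
    return payload, dropped


def cleanup_findings(contacts: Iterable[dict]) -> list[tuple[str, str, str]]:
    """Monthly audit. Returns (contact email, finding, detail) tuples for:
    - properties outside the allow-list (remove or bulk-edit them),
    - property names or values matching PHI indicator terms,
    - contacts that became customers (move them to the EMR, delete them here)."""
    findings = []
    for c in contacts:
        who = c.get("email", "<no email>")
        for name, value in c.items():
            if name not in ALLOWED_PROPERTIES:
                findings.append((who, "unlisted_property", name))
            # Underscores are word characters, so "current_medications" would not
            # match on a \b boundary; normalise them to spaces before scanning.
            haystack = f"{name.replace('_', ' ')} {value}"
            if PHI_INDICATORS.search(haystack):
                findings.append((who, "phi_indicator", name))
        if c.get("lifecyclestage") == "customer":
            findings.append((who, "became_patient", "delete from HubSpot"))
    return findings


# Constructed sample records in the shape of a HubSpot contact export.
SAMPLE_CONTACTS = [
    {"email": "ana@example.com", "firstname": "Ana", "lifecyclestage": "lead",
     "consent_wellness_info": "true"},
    {"email": "ben@example.com", "firstname": "Ben", "lifecyclestage": "customer",
     "notes": "Called about post-surgery follow-up; on new medication."},
    {"email": "cy@example.com", "firstname": "Cy", "lifecyclestage": "lead",
     "current_medications": "n/a"},
]

if __name__ == "__main__":
    for contact in SAMPLE_CONTACTS:
        payload, dropped = outbound_payload(contact)
        print(contact["email"], "-> EMR:", payload, "| dropped:", dropped)
    for finding in cleanup_findings(SAMPLE_CONTACTS):
        print("FINDING", finding)
```

Run against the sample, the sync forwards only the allow-listed fields for each contact, and the audit flags Ben's free-text note (an unlisted property that also mentions surgery and medication) and his customer stage, and Cy's current_medications property, while Ana's record produces no findings. A property that someone added to HubSpot without review shows up as an unlisted_property finding the first month it appears, which is the point of keeping the allow-list in code rather than in people's heads.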
Many healthcare organizations use HubSpot for their ongoing marketing and sales communications and are quite successful with their process and inbound marketing program. As a friendly reminder, you should always follow the advice provided by your legal counsel to ensure you are HIPAA compliant.

About the author
Sandy Moore Sandy Moore is a Senior Director, Marketing Strategy at SmartBug Media. She has more than 20 years of experience in marketing with extensive knowledge in outbound and inbound marketing, advertising sales, promotions, public relations, and sales enablement. Read more articles by Sandy Moore.