Store Protected Health Data in HubSpot (BETA)

If your business works with protected health information (PHI) covered under HIPAA, you can turn on HIPAA-specific sensitive data settings. Once this setting is turned on, you can create sensitive data properties and upload attachments that store protected health information.

Please note: the storing of protected health information is in public beta while HubSpot product teams gather feedback to help improve learning resources and expand the permitted uses of HIPAA data. This article will be updated if functionality is added or changed.

Before you get started

Prior to storing protected health data, refer to the following resources:

• Learn more about storing sensitive data in HubSpot in this knowledge base article.
• Review which features are available to support the storage of HIPAA Data on the sensitive data terms page.

Turn on HIPAA-protected sensitive data

Prior to creating sensitive data properties to store protected health information, you'll need to turn on sensitive data in your Privacy & Consent settings, and accept the related terms and conditions. Users must have Super admin permissions to turn on sensitive data.

Please note: once you’ve turned on sensitive data and selected the categories of data you’ll store, it’s not possible to turn off or edit the setting.

• In your HubSpot account, click the settings settings icon in the top navigation bar.
• In the left sidebar menu, navigate to Privacy & Consent.
• Click Configure sensitive data settings.
  
  

• In the right panel, select the checkboxes to specify the categories in which you’ll be storing sensitive data.
• To store HIPAA-covered data, select the Health/Medical Data checkbox, then select the We are a HIPAA-covered entity or business associate checkbox.

Please note: while HubSpot provides a robust security program to protect your personal and sensitive data no matter the content, these data type identification processes help ensure your HIPAA and regulatory needs are supported. By identifying as a HIPAA Covered Entity or Business Associate, HubSpot can track the application of the Business Associate Agreement (BAA) and fulfill regulatory obligations.

• Click Next.
• Read the Sensitive Data Beta Terms and the Business Associate Agreement, then select the checkbox to accept the terms and conditions.

• Click Turn on sensitive data settings.

You can now create properties to store protected health information.

Create properties to store HIPAA-protected data

Super admins can mark a property as sensitive and specify that it will store protected health information (PHI). These properties will behave the same as other sensitive data properties, but will be categorized as storing protected health data.

Learn more about what happens when you mark properties as sensitive, and where you can use sensitive data properties in HubSpot.

• In your HubSpot account, click the settings settings icon in the top navigation bar.
• In the left sidebar menu, navigate to Properties.
• Click Create property.
• Enter the property’s basic information, then click Next.
• To mark the property as sensitive, select Sensitive data.

• To specify that the property will store HIPAA-protected health data, select the Yes, this data contains protected health information (PHI) checkbox.

• Select which users should have access to view and edit the property's values, either Everyone or Super admins only. If you’ve selected Everyone, it’s recommended to restrict the property’s view and edit access after the property is saved.
• Click Next.
• Finish setting up your property, then click Create. Once a property is created and marked as storing sensitive data with protected health information, the sensitive data setting cannot be changed.

Storing HIPAA-protected attachments

Depending on how an attachment is uploaded, it will have an additional layer of encryption in HubSpot’s database storage. Before uploading files, refer to this article to understand which files are protected.