
Quick Guide for HIPAA Compliance While Using HubSpot


July 14, 2023

By Sandy Moore

Friendly reminder: We are not attorneys, and this should not be interpreted as legal advice. Please seek your own legal counsel for all compliance matters—and in light of new and changing regulations, know that HIPAA compliance doesn’t necessarily mean compliance with all relevant data privacy or data protection regulations.

If you work in the healthcare industry, you are likely familiar with HIPAA, the Health Insurance Portability and Accountability Act of 1996. Its Privacy and Security Rules set the requirements and security standards for protecting individually identifiable health information, known as protected health information (PHI). 

Violating HIPAA can result in severe penalties, so many healthcare organizations are careful to follow the guidelines outlined by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), as well as the advice of the organization’s legal counsel. 

Most healthcare organizations have questions and concerns about storing and sharing information from within their digital platforms, even as they gain a competitive advantage in the marketplace by using cutting-edge software. 

Want to protect your contacts’ health information and perform top-level marketing and sales activities at the same time? You can, by splitting your digital platforms so that each one holds only the data it needs and by following specific standards for ongoing communications. Conversations about HIPAA and your digital platforms should involve marketing, sales, and the C-suite (e.g., CIO, CTO, COO) so that each department weighs in on how to reach a setup that is both efficient and compliant. 

In the healthcare industry, it is common to have multiple platforms for digital communications. You can organize your digital communications by segmenting your contacts and using one platform for patients and another platform for prospects. For example, you could use an electronic medical records (EMR) system such as Nextech to store patient information while using a platform such as HubSpot for marketing and sales communications with prospects. 

HubSpot HIPAA Compliance

Many of our healthcare clients use a mixture of Nextech and HubSpot. They use HubSpot Marketing Hub and Sales Hub for the acquisition of new patients, but once someone becomes a customer/patient, they are moved over to Nextech for appointment reminders, patient information, medical records, etc. The challenge, of course, is you don't have one system for everything, but this compromise has allowed our digitally savvy clients to leverage best-of-breed tech for new patient acquisition, and they have been pleased with the results. 

—Jen Spencer, CEO, SmartBug


Keeping patients and prospects on separate platforms does more than support HIPAA compliance: it lets you use the unique features of each platform and, more importantly, control what you collect and store about each individual. The goal is that HubSpot never holds PHI at all. If PHI does end up in a vendor’s platform, HIPAA requires a business associate agreement (BAA) with that vendor, and segmenting your contacts is how you avoid needing one for your marketing stack. 

For example, within HubSpot you can create custom properties with drop-down fields for your website forms, so the form offers only predefined choices and has no free-text field where a visitor could type in details about a condition or treatment. Keep the options coarse (the service line someone is interested in, not a diagnosis), and ask only for information that is not protected by HIPAA. Then you can be confident about what you collect, store, and share while using HubSpot for marketing automation and sales activities. Watch open “message” or “comments” fields in particular; that is where PHI arrives uninvited. 

You may also want a double opt-in from individuals who convert on your forms to confirm consent for ongoing communications. A consent checkbox on the form, stating for example “Yes, I want to receive health and wellness information” or “Yes, I would like to receive patient education information,” records the first opt-in; leave it unchecked by default so that consent is an affirmative action by the visitor. HubSpot’s double opt-in setting then sends a confirmation email, and the contact is subscribed only after clicking the link in it. Using the HubSpot lists tool, you can build a list of contacts who have confirmed and restrict future email marketing campaigns to that list.  

When it comes to your email marketing strategy, be careful with HubSpot’s personalization tokens. A token inserts the contact’s stored property value into the message, so any token that pulls in a health-related property (a condition, a service line, an appointment) places that detail in the email body or subject line, where anyone with access to the inbox can read it. Use general wording such as “you may be interested in” or “here is a popular service we offer,” and never include details about the patient’s treatment or medical history in the email copy. 

Spend time each month cleaning up the database to confirm you aren’t collecting and storing information protected by HIPAA within HubSpot. Bulk-edit or delete unnecessary information from contacts’ properties and timelines; notes, form submissions, and logged emails and calls are where free-text details tend to accumulate. You may also want to remove contacts who have become patients from your HubSpot database, so that you communicate with patients only through your EMR system rather than HubSpot. 
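The two rules above (collect only enumerated, non-clinical values; audit the database for anything else) can be written down as a property policy and checked automatically. The script below is an added example, not HubSpot’s or SmartBug’s code: the custom property names `area_of_interest` and `newsletter_consent`, their allowed values, the PHI heuristics, and the sample contacts are all constructed for illustration. The records use the `{"id": ..., "properties": {...}}` shape the HubSpot CRM v3 contacts API returns, but nothing here calls the API, so it runs offline; the `dropdown_property_definition` body reflects my reading of the CRM v3 properties API and should be verified against current HubSpot documentation before use.

```python
"""Enforce a "no PHI in the marketing CRM" property policy on HubSpot-shaped records.

Added example, not HubSpot's or SmartBug's code. The custom property names
(area_of_interest, newsletter_consent), their allowed values, the PHI
heuristics and the sample contacts are all constructed for illustration.
Records use the {"id": ..., "properties": {...}} shape the HubSpot CRM v3
contacts API returns, but nothing here calls the API; it runs offline.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Policy: every property the marketing database may hold. None means free
# text (needed for email/name); a set means a drop-down whose values are the
# only ones allowed. Values are deliberately coarse: a service line a visitor
# asked about is marketing interest, not a diagnosis or treatment detail.
ALLOWED_PROPERTIES: dict[str, set[str] | None] = {
    "email": None,
    "firstname": None,
    "lastname": None,
    "area_of_interest": {"general_wellness", "dermatology", "physical_therapy", "not_sure"},
    "newsletter_consent": {"yes", "no"},
    "lifecyclestage": {"subscriber", "lead", "marketingqualifiedlead", "customer"},
}

# Constructed heuristics for clinical content in free text. They catch the
# obvious (an MRN, a date of birth, treatment words); they do not prove a
# field is clean, so a quiet audit is no substitute for not collecting it.
PHI_PATTERNS = [
    re.compile(r"\bMRN\s*[:#]?\s*\d{5,}\b", re.I),
    re.compile(r"\b(DOB|date of birth)\b", re.I),
    re.compile(r"\b(diagnos|prescri|medication|surger|symptom)\w*", re.I),
]


@dataclass(frozen=True)
class Finding:
    contact_id: str
    prop: str
    problem: str  # unknown_property | value_not_allowed | possible_phi | patient_in_crm
    value: str


def looks_like_phi(text: str) -> bool:
    return any(p.search(text) for p in PHI_PATTERNS)


def audit_contact(contact: dict) -> list[Finding]:
    """Return every policy violation in one contact record."""
    cid = str(contact.get("id", "?"))
    props = contact.get("properties") or {}
    findings: list[Finding] = []
    for name, raw in props.items():
        if raw in (None, ""):
            continue
        value = str(raw)
        allowed = ALLOWED_PROPERTIES.get(name)
        if name not in ALLOWED_PROPERTIES:
            findings.append(Finding(cid, name, "unknown_property", value))
        elif allowed is not None and value not in allowed:
            findings.append(Finding(cid, name, "value_not_allowed", value))
        # Anything that is not a permitted drop-down value is free text: scan it.
        if (allowed is None or value not in allowed) and looks_like_phi(value):
            findings.append(Finding(cid, name, "possible_phi", value))
    # Once someone is a patient, the advice is to move them to the EMR system.
    if props.get("lifecyclestage") == "customer":
        findings.append(Finding(cid, "lifecyclestage", "patient_in_crm", "customer"))
    return findings


def validate_submission(fields: dict) -> list[Finding]:
    """Same policy applied to a form submission before it is written to the CRM."""
    return [f for f in audit_contact({"id": "form", "properties": fields})
            if f.problem != "patient_in_crm"]


def audit_database(contacts: list[dict]) -> Counter:
    """Monthly cleanup report: how many of each problem exist across the database."""
    return Counter(f.problem for c in contacts for f in audit_contact(c))


def dropdown_property_definition(name: str, label: str) -> dict:
    """Request body for creating the drop-down as a HubSpot custom property (my reading
    of the CRM v3 properties API shape; verify against current HubSpot docs before use)."""
    return {
        "name": name, "label": label, "groupName": "contactinformation",
        "type": "enumeration", "fieldType": "select",
        "options": [{"label": v.replace("_", " ").title(), "value": v,
                     "displayOrder": i, "hidden": False}
                    for i, v in enumerate(sorted(ALLOWED_PROPERTIES[name]))],
    }


# Constructed sample records in the CRM v3 response shape.
SAMPLE_CONTACTS = [
    {"id": "101", "properties": {"email": "lead@example.com", "firstname": "Ada",
                                 "area_of_interest": "dermatology", "newsletter_consent": "yes",
                                 "lifecyclestage": "lead"}},
    {"id": "102", "properties": {"email": "ben@example.com", "firstname": "Ben",
                                 "area_of_interest": "physical_therapy", "lifecyclestage": "customer"}},
    {"id": "103", "properties": {"email": "cy@example.com",
                                 "area_of_interest": "needs follow-up on diabetes medication",
                                 "notes": "MRN 8675309, DOB 1980-01-02", "lifecyclestage": "lead"}},
]

if __name__ == "__main__":
    for c in SAMPLE_CONTACTS:
        for f in audit_contact(c):
            print(f"{f.contact_id}: {f.prop} -> {f.problem} ({f.value!r})")
    print(dict(audit_database(SAMPLE_CONTACTS)))
```

Run against the sample data, contact 101 is clean, 102 is flagged only because it has become a patient, and 103 produces four findings: a free-text value typed into what should be a drop-down, an unknown `notes` property, and clinical content in both. The keyword patterns are intentionally crude; their job is to surface records for a human to delete, not to certify a database as PHI-free.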

Finally, if you set up an integration between HubSpot and your EMR system, make it one-way: send information from HubSpot to the EMR system, and do not pass patient information back to HubSpot. That keeps a patient’s medical history out of your HubSpot database. Bear in mind that even a single flag such as “is now a patient” synced back from the EMR can itself be PHI, because the fact that an individual receives care from your practice is identifiable health information, so treat any reverse sync, however small, as a question for your legal counsel. 

Many healthcare organizations use HubSpot for their ongoing marketing and sales communications and are quite successful with their process and digital marketing program. As a friendly reminder, you should always follow the advice provided by your legal counsel to ensure you are HIPAA compliant.

This blog was originally written in 2020 and has been updated since.


Topics: HubSpot, Marketing Strategy, Healthcare