
HubSpot HIPAA update: Not a one-size-fits-all for healthcare marketing


HubSpot recently announced an update to its Smart CRM platform. This new feature provides a comprehensive and unified view of customer data across marketing, sales, and service teams. However, it is not a universal solution for healthcare marketing needs.

 

Understanding HubSpot's HIPAA support

HubSpot has launched a new feature in its Smart CRM platform that allows for the secure management and storage of sensitive data. This update is relevant for businesses in regulated industries like healthcare, finance, and insurance, where handling sensitive information like medical records and government IDs is necessary. By incorporating this feature, HubSpot now offers a unified customer view across its marketing, sales, and service teams, eliminating the need for multiple systems.

The feature improves HubSpot's functionality by allowing the collection, storage, and utilization of sensitive data within its ecosystem. It includes security measures such as advanced authentication, comprehensive audit logging, and application-level encryption.

According to HubSpot's announcement of the feature, "Backed by robust security and privacy protections, this also includes operating HubSpot’s products in compliance with HIPAA." As we previously discussed in the article "Is HubSpot HIPAA compliant?", the software did not previously assure compliance. This update represents the first time HubSpot is HIPAA compliant.

The HIPAA compliant feature in HubSpot's Smart CRM is currently available in public beta. This allows Enterprise subscription customers to start integrating and testing the feature by enabling it in their Privacy & Consent settings. Because it is in public beta, HubSpot is still refining the feature based on user feedback and performance before it is fully launched.

 

How does it work for healthcare providers?

The HIPAA compliant feature is accessible to healthcare providers through the following steps: 

  • Customers must first activate the feature to store sensitive data in HubSpot, specifically indicating if it involves HIPAA data.
  • By enabling this setting, they agree to HubSpot's Sensitive Data Terms and the HubSpot Business Associate Agreement (BAA), applicable to HIPAA covered entities or their business associates.
  • Once activated, customers can create custom properties marked as sensitive for storing health information.
  • These properties can be used to import data, manually update the CRM, and for building lists, workflows, and some reports.
  • However, these properties cannot be used as personalization tokens in content, for syncing into Sandboxes, or for training machine learning models.
  • Customers can also upload sensitive CRM attachments manually on CRM records, through Notes, Email, Forms, and Sensitive File Properties.

 

The challenges with using HubSpot despite its HIPAA compliance

The high paywall

The high cost of HubSpot's Enterprise subscription, starting at $3,600 per month, makes the HIPAA compliance feature largely inaccessible to many healthcare providers, particularly smaller practices or clinics. This subscription price, combined with a one-time Enterprise Onboarding fee of $7,000, can be prohibitively expensive for healthcare organizations operating with limited budgets. Because HIPAA compliance is necessary for any healthcare provider handling sensitive patient data, restricting this feature to the more expensive Enterprise tier means that smaller entities may struggle to afford the tools they need to manage their marketing and patient interactions securely within HubSpot.

 

Personalization may not be accessible

According to a LinkedIn post by Tim Stuke, Principal Enterprise Account Executive at HubSpot, “The properties can be used to import data into, manually update in the CRM, build lists, workflows, and some reports. The properties can't be used as personalization tokens in content, to sync into Sandboxes, or to train ML models. Customers can also upload sensitive CRM attachments via specific channels, namely manually on CRM Records, via Notes, Email, Forms, and Sensitive File Properties.”

In layman's terms, this means several things, namely: 

  • Using the properties: You can add data to these properties, update it whenever needed, and use it to organize your CRM records into lists, automate tasks with workflows, and generate certain types of reports.
  • Limitations: These properties cannot be used to customize content directly (like inserting a customer's name into an email), they cannot be copied over to your testing environments (known as Sandboxes), and you cannot use them to feed data into machine learning models.

For customers looking to personalize emails within HubSpot, the limitation on using sensitive properties means they cannot automatically insert sensitive data directly into email content as personalization tokens. 

Customers have to personalize emails in other ways. 

 

Compliance management is complex

Compliance management in HubSpot can be complex for users because it involves a detailed understanding of both HubSpot's specific settings and broader regulatory requirements. Users must actively manage how they collect, store, and utilize sensitive data within the CRM to ensure it meets strict standards like HIPAA. This includes setting up and maintaining correct data permissions, managing consent properly, and ensuring that all marketing activities are compliant. Additionally, users must stay updated with any changes in compliance regulations, which can frequently shift, adding another layer of complexity. 

 

Manual processes can be tedious and costly over time

Accessing HIPAA compliance features often involves several manual processes, which can become both tedious and costly over time. Healthcare teams need to carefully manage how they upload and handle sensitive patient data, such as entering data manually into CRM records, attaching files, or updating specific health information. Each of these manual steps is time-consuming, requiring careful attention to maintain compliance and accuracy. This not only adds to the workload of healthcare staff but also diverts their focus from other patient care activities.

 

Why Paubox Marketing is still essential 

Healthcare providers must still rely on HIPAA compliant marketing software like Paubox Marketing to make sure that their communications remain secure. Paubox guarantees every email sent is HIPAA compliant, safeguarding sensitive patient information and maintaining regulatory compliance. This protects patient trust and avoids costly legal issues.

Paubox makes personalized email outreach incredibly easy and effective. With its drag and drop email builder, healthcare providers can create professional, customized emails quickly. The ability to use dynamic text for patient names, medical conditions, and medications ensures that each message resonates personally with recipients. This level of personalization helps in engaging patients and providing them with relevant information that addresses their specific needs.

Paubox’s marketing automation features streamline the entire process. Healthcare providers can set up drip campaigns that send targeted content at the right time, based on user actions or segmented audience data. This automation can handle everything from appointment reminders to health tips and promotional messages.

Paubox Forms further enhances its value by allowing healthcare providers to securely collect patient data in compliance with HIPAA regulations. These forms can be customized with a simple drag and drop builder and can trigger automated drip campaigns based on patient responses.

See also: Top 7 HIPAA compliant email marketing services

 

FAQs

What is a CRM?

A Customer Relationship Management system helps businesses manage and analyze customer interactions and data throughout the customer lifecycle.

 

What form of encryption is recommended for email? 

The recommended form of encryption for email is TLS 1.2 or higher. 

 

What is HIPAA compliant email?

HIPAA compliant email is a type of email communication that meets the privacy and security standards to protect sensitive patient information.
