Which CRMs are HIPAA Compliant?


The healthcare industry’s need for personalized and responsive service is more important than ever. Healthcare providers must prioritize patient satisfaction, data security, and compliance with regulations like the Health Insurance Portability and Accountability Act (HIPAA).

The daily operation of a healthcare organization can be highly complex and time-consuming. Filling out forms, managing appointments, and updating records are just a few of the many tasks, all while remaining HIPAA compliant. Having a Customer Relationship Management (CRM) system can provide additional help.

Understanding the Importance of HIPAA Compliance

HIPAA was enacted in 1996 to protect sensitive patient health information, known as Protected Health Information (PHI). Healthcare providers, insurance companies, and other entities handling PHI must comply with HIPAA regulations to safeguard this data and avoid severe penalties for non-compliance. The act establishes strict standards for data privacy, security, and PHI’s proper use and disclosure.

Failure to comply with HIPAA can lead to financial penalties and, in extreme cases, criminal charges. As the healthcare industry increasingly relies on digital systems to manage patient information, secure, HIPAA-compliant databases and software become a top business priority.

A HIPAA-compliant CRM integrates patient data, appointment scheduling, and communication tools, providing a centralized hub for healthcare professionals to manage patient interactions efficiently and securely.

Role-Based Permissions for Enhanced Security

One of the key features of a HIPAA-compliant CRM is role-based permissions: only authorized personnel can access specific patient information, and each role within the healthcare organization is granted a level of access that matches its responsibilities. Properly configured, role-based permissions give the right people the data they need to do their jobs and block access to anything beyond that, which supports HIPAA's "minimum necessary" standard. Note that the feature supports compliance; it does not by itself guarantee it, since the roles still have to be defined and reviewed correctly.

Automate Appointments for Efficiency and Convenience

A HIPAA-compliant CRM can automate appointment scheduling, reminders, and follow-ups. Patients can receive timely notifications about upcoming appointments, reducing the chances of no-shows and streamlining the overall process. By automating these administrative tasks, healthcare teams can allocate more time to focus on patient care, improving patient satisfaction.

Custom CRM Development for Unique Business Needs

Healthcare providers have unique needs, and some CRM solutions may not align perfectly with the goals of your business and team. Custom CRM development allows healthcare organizations to tailor the CRM software to their unique workflows, ensuring seamless integration with existing systems and tools. This customization ensures that all aspects of the CRM are designed with HIPAA compliance in mind, providing greater control over data security.

Evaluating CRM Platforms for HIPAA Compliance


Evaluating CRM platforms for HIPAA compliance can be tricky. There is a lot of information out there, and there is no official checklist or government certification for HIPAA compliance of healthcare CRM software. Although we're not legal professionals, we've identified three HIPAA compliance checks to serve as guiding principles and make your search easier.

CRM HIPAA Compliance Checks

  1. Does the CRM/platform have a firm Business Associate Agreement (BAA)? If the CRM vendor is considered a business associate under HIPAA, ensure they are willing to sign a BAA with your organization. A BAA is a legal agreement outlining the vendor’s responsibility to protect PHI as HIPAA requires.
  2. Is the CRM secure enough for your PHI? Assessing the security of a CRM system requires a thorough evaluation of the CRM’s security features, such as strong encryption protocols, role-based access permissions, and a secure method for data deletion and disposal.
  3. Does the ToS affirm HIPAA compliance? Ensure the CRM vendor explicitly addresses HIPAA within their Terms of Service (ToS). Some vendors' terms instead prohibit storing PHI on the platform at all, which settles the question regardless of the security features offered. HIPAA compliance involves specific technical, physical, and administrative safeguards to protect PHI.

Is Insightly HIPAA Compliant?

Yes, Insightly is HIPAA compliant. Insightly CRM was built with healthcare businesses in mind, providing the administrative, physical, and technical safeguards required to operate as a compliant business associate.

How Insightly Keeps Customer ePHI Data Safe and Secure 

Administrative Safeguards:

  • Security Management Process
  • Assigned Security Personnel
  • Information Access Management
  • Workforce Training & Management
  • Contingency Plan Evaluation

Physical Safeguards:

  • Facility Access and Control
  • Workstation and Device Security

Technical Safeguards:

  • Access Control
  • Audit Control
  • Integrity Controls
  • Transmission Security
  • Encryption

Any HIPAA-regulated business that signs a BAA with Insightly benefits from a robust network of layered safeguards, including:

  • In transit data encryption with TLS and perfect forward secrecy
  • Cryptographic one-way password hashing and salting
  • Two factor authentication
  • Full and complete audit logging to ensure data integrity and security 
  • Configurable fine-grained controls over user profiles and permission sets
  • Controls to define role-based hierarchies, roles, and security rules to govern data access
  • Continual monitoring of services for anomalies and security and access violations

While a formal BAA is integral to establishing compliance with HIPAA provisions, Insightly customers enjoy this level of security by default. The Insightly Engineering team also continuously reviews platform security, conducts routine penetration testing, and thoroughly audits new code across all apps before accepting and integrating into the platform. 

  1. Does Insightly have a firm Business Associate Agreement (BAA)? Yes. Insightly signs a BAA with HIPAA-regulated customers, and the safeguards listed above are in place for all customers by default.
  2. Is Insightly secure enough for your PHI? Yes. Insightly is secure enough to store PHI, with security features such as two-factor authentication, audit logging, and role-based controls and permissions.

Insightly has a comprehensive set of controls, measures, and procedures to comply fully with the HIPAA provisions required in its capacity as a business associate. Insightly also offers extensive security features that customers can utilize in their Insightly instance to address HIPAA Security Rule requirements.

Is Zoho HIPAA Compliant?

Yes, Zoho currently offers HIPAA-compliant CRM functionality. As a Business Associate, Zoho CRM ensures customers can:

  • Assess and track data sources. Customer information from web forms, APIs, manual data entry, and third-party integrations can be stored and tracked within each customer’s record details.
  • Encrypt protected health data. Zoho CRM lets you encrypt selected fields that contain protected health information with AES-256. Field-level encryption protects the stored values at rest, so a compromise of the underlying data store does not directly expose the PHI; encryption in transit is handled separately by TLS.
  • Restrict access to ePHI. Control the disclosure of ePHI to users within the CRM and outside parties. You can also restrict protected data transfer via API and other integrated applications.
  • Audit activity logs. Know which users are accessing ePHI and how that data is used within the CRM. You’ll see all deletions and modifications made to customer records anytime in a single view. However, there are limitations. Zoho CRM does not log the act of viewing data.
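As an added example (not the code of Insightly, Zoho, or any other vendor discussed on this page) tying together the role-based permissions described in the earlier section and the audit-logging point above: a small Python model of a patient record store in which each role is scoped to specific fields, every action is default-deny, and the audit trail records reads as well as writes and deletes, so a reviewer can answer "who viewed this diagnosis?" (the gap noted for Zoho CRM above). Role names, field names, and the sample record are constructed for illustration.

```python
"""Field-scoped role-based access control with an audit trail for PHI records.

Added example for illustration only; it is not the code of Insightly, Zoho or
any CRM discussed on this page. Role names, field names and the sample record
are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

# Per-role policy: which record fields may be read or written, and whether the
# role may delete a record. Anything not listed is denied (default deny).
ROLE_POLICY = {
    "scheduler": {"read": {"name", "phone", "next_appointment"},
                  "write": {"next_appointment"}, "delete": False},
    "clinician": {"read": {"name", "phone", "next_appointment", "diagnosis", "medications"},
                  "write": {"diagnosis", "medications"}, "delete": False},
    "billing":   {"read": {"name", "insurance_id"}, "write": set(), "delete": False},
    "records_admin": {"read": set(), "write": set(), "delete": True},
}


class AccessDenied(PermissionError):
    """Raised when a role is not permitted to perform the requested action."""


@dataclass
class AuditEvent:
    ts: str
    actor: str
    role: str
    action: str          # "read", "write" or "delete"
    record_id: str
    fields: List[str]
    allowed: bool        # denied attempts are recorded as well


@dataclass
class PatientStore:
    records: Dict[str, Dict[str, str]] = field(default_factory=dict)
    audit_log: List[AuditEvent] = field(default_factory=list)

    def _log(self, actor, role, action, record_id, fields, allowed):
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), actor, role, action,
            record_id, sorted(fields), allowed))

    def _check(self, actor, role, action, record_id, fields):
        policy = ROLE_POLICY.get(role)   # unknown role -> None -> denied
        if action == "delete":
            ok = bool(policy and policy["delete"])
            denied = set()
        else:
            permitted = policy[action] if policy else set()
            denied = set(fields) - permitted
            ok = not denied
        # Every attempt is logged before the decision is enforced.
        self._log(actor, role, action, record_id, fields, ok)
        if not ok:
            raise AccessDenied(f"role '{role}' may not {action} {sorted(denied) or record_id}")

    def read(self, actor: str, role: str, record_id: str, fields: Set[str]) -> Dict[str, str]:
        # Reads are logged like writes, so the trail shows who viewed PHI,
        # not only who changed it.
        self._check(actor, role, "read", record_id, fields)
        rec = self.records[record_id]
        # Minimum necessary: return only the requested, permitted fields.
        return {f: rec[f] for f in fields if f in rec}

    def write(self, actor: str, role: str, record_id: str, updates: Dict[str, str]) -> None:
        self._check(actor, role, "write", record_id, set(updates))
        self.records[record_id].update(updates)

    def delete(self, actor: str, role: str, record_id: str) -> None:
        self._check(actor, role, "delete", record_id, set())
        del self.records[record_id]

    def access_history(self, record_id: str) -> List[AuditEvent]:
        """Every attempt (allowed or denied) against one record, oldest first."""
        return [e for e in self.audit_log if e.record_id == record_id]


def build_sample_store() -> PatientStore:
    """Constructed sample data for the demonstration below."""
    store = PatientStore()
    store.records["p-001"] = {
        "name": "Sample Patient", "phone": "555-0100",
        "next_appointment": "2025-01-15", "diagnosis": "J45.909",
        "medications": "albuterol", "insurance_id": "INS-0001",
    }
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(s.read("ana", "scheduler", "p-001", {"name", "next_appointment"}))
    try:
        s.read("ana", "scheduler", "p-001", {"diagnosis"})
    except AccessDenied as e:
        print("denied:", e)
    s.write("dr_lee", "clinician", "p-001", {"medications": "albuterol, fluticasone"})
    for ev in s.access_history("p-001"):
        print(ev.actor, ev.role, ev.action, ev.fields, "allowed" if ev.allowed else "DENIED")
```

Two design choices matter when you evaluate a real CRM against this model: access is denied unless a role is explicitly granted a field (an unknown role gets nothing), and the audit log captures the attempt before the check is enforced, so denied reads leave a trace. A product whose audit log only records modifications, as noted for Zoho CRM above, cannot tell you who looked at a record.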

Zoho’s HIPAA compliance functionality extends beyond CRM, offering ePHI protection across its various products and services. 

  1. Does Zoho have a firm Business Associate Agreement (BAA)? Yes, Zoho is willing to sign a BAA for all the services they offer, including Zoho CRM.
  2. Is Zoho secure enough for your PHI? Yes, Zoho offers quite a few features to securely store PHI, including AES-256 field-level encryption for protected health information, restricted access, and audit logs (with the caveat above that views are not logged).
  3. Does Zoho’s ToS affirm HIPAA compliance? Within the ToS, Zoho confirms it does not collect, use, store, or maintain health information protected by HIPAA for its own purposes.

Is Salesforce HIPAA Compliant?

The Salesforce platform does not offer HIPAA compliance as a standard offering. However, with premium service add-ons, healthcare and other business organizations can achieve HIPAA compliance by implementing the necessary security measures, encryption, and access controls.

The premium service offering, Salesforce Shield, is required to achieve the security standards required for HIPAA compliance.

  1. Does Salesforce have a firm Business Associate Agreement (BAA)? Salesforce does not offer a BAA for all of its services, and there is no publicly available document detailing the general terms of Salesforce's BAAs. Additionally, Salesforce requires customers to work with a third-party BAA provider at their own expense. 
  2. Is Salesforce secure enough for your PHI? The Salesforce platform can be set up to meet HIPAA compliance standards with pricey add-ons. With this premium offering, Salesforce includes administrative, physical, technical, organizational, and documentation safeguards to protect PHI through Salesforce Covered Services. 
  3. Does Salesforce’s ToS affirm HIPAA compliance? Salesforce’s standard ToS do not explicitly mention HIPAA compliance. However, with the addition of a signed BAA, Salesforce acknowledges its commitment to complying with the requirements of HIPAA when handling PHI on behalf of the customer.

Salesforce’s total cost of ownership should be considered when researching and deciding on a HIPAA-compliant CRM. Add-ons could raise base subscription costs by 20-30%.

Is Pipedrive HIPAA Compliant?

The short answer is no; Pipedrive is not currently advertised as HIPAA compliant. A recent community post on their site states, "Pipedrive is committed to being HIPAA compliant eventually, but there are still steps to take." There is also no mention of a Pipedrive BAA on their site. If you're a covered entity and Pipedrive would be handling PHI on your behalf, you may be unable to obtain the written assurances HIPAA requires from a business associate, and any protective measures would be up to your own organization to put in place.

Security is also critical when evaluating and maintaining HIPAA compliance with any CRM you choose. While Pipedrive offers various protective features which can help limit access to sensitive patient data, there’s no explicit guarantee that the health information you share with them will remain confidential. According to Pipedrive’s privacy policy, the company “does not guarantee that information will not be viewed by unauthorized parties.”

  1. Does Pipedrive have a firm Business Associate Agreement (BAA)? No, we found no mention of a BAA on Pipedrive’s website.
  2. Is Pipedrive secure enough for your PHI? No. Although some features limit access to sensitive data, Pipedrive offers no assurance that PHI is protected to the standard HIPAA requires. 
  3. Does Pipedrive’s ToS affirm HIPAA compliance? Unfortunately, no. Pipedrive does not verify compliance with HIPAA at this time.

Is Monday.com HIPAA Compliant?

The popular project management tool, Monday.com, offers versatile solutions, but its built-in security measures are not well-suited for small healthcare businesses seeking HIPAA compliance.

With 4 paid pricing plans (and one free plan for up to two users), monday.com’s pricing is as follows:

  • Basic Plan: $10/seat per month
  • Standard Plan: $12/seat per month
  • Pro Plan: $24/seat per month
  • Enterprise Plan: no price available

HIPAA compliance is only available for Enterprise plan accounts with 25 users or more. As a small business looking for a HIPAA-compliant CRM, there may be better choices than monday.com.

  1. Does Monday.com have a firm Business Associate Agreement (BAA)? Available only for Enterprise accounts with the HIPAA Compliance feature enabled. The BAA is available to sign digitally within your monday.com account. 
  2. Is Monday.com secure enough for your PHI? Monday.com's website notes that on all HIPAA-compliant Enterprise plans, the broadcast feature is disabled to prevent accidental disclosure of PHI. Additional security features include a "panic button" that blocks accounts if the team's login credentials are compromised, single sign-on (SSO), and IP restrictions.
  3. Does Monday.com's ToS affirm HIPAA compliance? Yes, Monday.com's ToS does affirm HIPAA compliance. 

Project Management: Is Asana HIPAA Compliant? 

Another project management tool, Asana, has an option available for purchase to make the workspace HIPAA compliant. It is not included in the standard plan features.

Is HubSpot HIPAA Compliant?

You may struggle to maintain firm HIPAA compliance if you're trying to use HubSpot as a healthcare CRM. According to their Terms of Service, the service offering is "not designed to comply with industry-specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA)…" So, despite their robust platform and security features, you are not permitted to store protected health information within HubSpot's CRM.

Although there isn't currently a way to make HubSpot truly HIPAA compliant, you may be able to use multiple platforms for the different types of contacts you engage with, keeping PHI out of HubSpot entirely. While this could be a valid strategy for healthcare practices looking to achieve compliance with their CRM of choice, you'll likely need to spend more time and money to reach and maintain HIPAA compliance with this approach.

  1. Does HubSpot have a firm Business Associate Agreement (BAA)? No, HubSpot does not currently sign BAAs with their customers.
  2. Is HubSpot secure enough for your PHI? HubSpot offers a solid set of general security features, but the question is moot: its terms prohibit storing PHI on the platform, so those features cannot be relied on for PHI.
  3. Does HubSpot's ToS affirm HIPAA compliance? No, HubSpot's terms of service prohibit the capture, storage, or transfer of PHI within the HubSpot platform.

Is Keap HIPAA Compliant?

HIPAA-covered entities and business associates can use Keap’s CRM and Marketing Automation platforms to store, transmit, and otherwise process PHI legally. However, email marketing, SMS, and VoIP features within the Keap platform (as well as the GroSocial and CustomerHub applications) are not included in Keap’s HIPAA-compatible offering.

Is Keap PCI and GDPR Compliant? 

Keap adheres to, and is audited annually against, the Payment Card Industry Data Security Standard (PCI DSS). Additionally, Keap complies with GDPR requirements. 

  1. Does Keap have a firm Business Associate Agreement (BAA)? Keap offers a standard BAA that satisfies the applicable subcontracting requirements under HIPAA. However, the Keap BAA does not include coverage for transmitting PHI via the platform or the use of third-party products or integrations.
  2. Is Keap secure enough for your PHI? Keap is a HIPAA-compatible application in which organizations regulated by HIPAA can store, transmit, and otherwise process PHI. As a safeguard, only in-house Keap Support agents can access and provide support for PHI-containing accounts, and only during regular business hours. 
  3. Does Keap’s ToS affirm HIPAA compliance? Yes, Keap’s ToS does affirm HIPAA compliance. 

Healthcare CRM


A CRM can enhance and streamline how businesses engage with customers. This powerful tool holds even greater value when it comes to a highly relationship-based, collaborative industry like healthcare. For healthcare providers, it’s less about whether or not you need a CRM and more about which CRM is the right fit.

But what makes a good CRM for healthcare? Here’s a brief overview of 11 key factors to consider when evaluating a CRM for your healthcare organization.

  • Patient-centric design: The right healthcare CRM should simplify personalized customer engagement and outreach. Representatives should have easy access to the patient histories, preferences, and treatment plans required to fulfill their duties and administer care.
  • Comprehensive Data Management: Accuracy, security, and compliance with regulatory requirements like HIPAA are of the utmost importance for healthcare organizations. Your CRM should help, not hurt, your team in achieving your goals for data management.
  • Flexible Integration Capabilities: While CRMs are integral to any modern organization’s tech stack, your healthcare CRM must securely integrate with other essential services and applications you need to treat and engage with your patients.
  • Collaboration and Communication: Healthcare is a team effort. A good CRM should enable seamless communication and collaboration among healthcare professionals, allowing them to share patient insights and treatment updates and coordinate care plans in real time.
  • Task Automation: Free up your team to focus on healthcare. Your healthcare CRM should automate routine tasks like prescription renewals, follow-ups, and appointment schedules.
  • Analytics and Reporting: A healthcare CRM should provide robust reporting and analytics to help stakeholders identify patient trends and performance and enable innovation.
  • Customization and Flexibility: Every healthcare organization is unique. Your CRM should be highly customizable so it can be tailored to your organization’s unique processes and specifications.
  • Ease of Use: A user-friendly interface is crucial, especially in a busy healthcare environment. Representatives at every level of your organization should be able to easily navigate the CRM, access relevant patient information, and perform their duties without a steep learning curve.
  • Security and Compliance: Protecting patient data is non-negotiable. Your healthcare CRM must adhere to stringent security protocols and comply with healthcare regulations to ensure patient confidentiality and data integrity. 
  • Scalability: As healthcare organizations grow, their CRM should be able to scale seamlessly to accommodate increased patient volumes, additional functionalities, and evolving technology needs.
  • Support and Training: Comprehensive training and ongoing support are essential for successful CRM implementation. The CRM provider should offer training resources and responsive customer support to assist your team as they navigate the CRM.

By keeping these factors in mind, you'll be better positioned to choose a CRM that supports your HIPAA obligations and is calibrated to a healthcare organization's particular needs.

HIPAA-Compliant Customer Service Software

A HIPAA-compliant help desk system, like Insightly Service, is a specialized software solution tailored for healthcare providers, hospitals, and medical institutions. It ensures that all interactions with patients, whether through email, chat, or phone, adhere to HIPAA regulations and safeguard the confidentiality of PHI. 

By integrating HIPAA-compliant protocols within their customer service software, healthcare organizations can build a reliable support infrastructure that prioritizes patient privacy and enhances customer service efficiency.

Insightly is HIPAA Compliant

To ensure you have the safest CRM for your data, check out Insightly. Get started with a free trial today, watch a demo-on-demand at your convenience, or request a personalized demo to see how your healthcare team can benefit from using Insightly’s HIPAA-compliant CRM.


Harryson Pointdujour, Insightly’s customer marketing manager, contributed to this blog post.