
CRM for Healthcare: Compliance, Features, and Top Picks

CRM for healthcare: HIPAA BAA requirements and what they mean for CRM selection, Salesforce Health Cloud vs HubSpot Enterprise vs Dynamics 365 compliance comparison, physician referral management, patient acquisition, care gap management use cases, and common compliance gaps to fix.

CRM in healthcare operates under regulatory constraints that don’t apply to most industries – HIPAA in the US, and equivalent data protection frameworks in other jurisdictions. Healthcare organisations that use CRM for patient communication, referral management, and physician relationship management must ensure their CRM handles Protected Health Information (PHI) in a compliant manner. This guide covers the compliance requirements that determine which CRM platforms are viable for healthcare, the use cases where CRM creates genuine value in healthcare organisations, and the features that matter most for provider groups, hospitals, and healthcare-adjacent businesses.

Those constraints change how the platform should be evaluated. A healthcare CRM only works if compliance, access control, and use case design all line up.

Healthcare CRM has to balance patient relationships with compliance requirements that generic sales tools are not built to handle. HIPAA is the main constraint, but the real issue is whether the CRM can support workflows without exposing sensitive information.

HIPAA and CRM: What Compliance Requires

HIPAA requirement, CRM implication, and what to verify:

Business Associate Agreement (BAA)
  CRM implication: Any vendor storing PHI must sign a BAA with the covered entity.
  What to verify: Does the CRM vendor sign BAAs? Salesforce, HubSpot, and Microsoft Dynamics do; many smaller CRMs do not.

Access controls
  CRM implication: PHI must only be accessible to authorised users; role-based access is required.
  What to verify: Does the CRM support role-based access at the field level?

Audit logging
  CRM implication: All access to PHI must be logged and auditable for 6 years.
  What to verify: Does the CRM maintain audit logs of record access and edits?

Encryption at rest and in transit
  CRM implication: PHI must be encrypted when stored and transmitted.
  What to verify: Does the CRM encrypt data at rest (AES-256) and in transit (TLS 1.2+)?

Data breach notification
  CRM implication: Covered entities must notify patients of PHI breaches within 60 days.
  What to verify: Does the CRM vendor have a documented breach response process?

Minimum necessary principle
  CRM implication: Only collect and store the PHI necessary for the intended use.
  What to verify: Can you configure the CRM to capture only necessary patient data fields?

CRM Platforms That Support HIPAA Compliance

Salesforce Health Cloud: Salesforce’s HIPAA-compliant CRM for healthcare, built on Salesforce Sales Cloud with healthcare-specific data models. Salesforce signs BAAs. Health Cloud includes patient and member management, care team coordination, referral management, and provider relationship management. Price: custom enterprise pricing (typically $300+/user/month for Health Cloud). Best for: large health systems, payers, and healthcare enterprises with complex care coordination requirements.

HubSpot (with BAA): HubSpot signs BAAs for customers on Enterprise plans and above. HubSpot is not purpose-built for healthcare but is used by healthcare-adjacent businesses (medical device companies, healthcare IT, digital health), physician groups managing referral relationships, and patient acquisition marketing. For clinical patient data (diagnoses, medications, clinical notes), HubSpot is not the right platform. For practice development, physician outreach, and patient acquisition marketing, HubSpot is widely used in healthcare. Price: HubSpot Enterprise plans from $150/user/month.

Microsoft Dynamics 365 + Azure: Microsoft signs BAAs. Dynamics 365 with Azure deployment can meet HIPAA requirements. Many large health systems run Dynamics 365 for CRM alongside separate EHR systems. The Microsoft-centric healthcare ecosystem (Teams for healthcare, Azure Health Data Services) integrates well with Dynamics. Price: Dynamics 365 from $65/user/month; BAA included in Microsoft’s standard enterprise agreements.

Salesforce HIPAA Shield: Salesforce HIPAA Shield provides additional encryption and key management controls above standard Salesforce security, specifically designed for PHI handling. Required for use cases where clinical data enters Salesforce. Significant premium above standard Salesforce pricing.

CRM Use Cases in Healthcare

Physician and referral relationship management: Hospitals and health systems use CRM to track relationships with referring physicians – logging visits, meals, events, and educational programmes directed at physicians to maintain referral volume. This is the most common healthcare CRM use case that mirrors standard B2B CRM activity. HIPAA compliance may not be required for this use case as long as patient data isn’t captured in the CRM; verify with legal counsel.

Patient acquisition and marketing: Healthcare systems and private practices use CRM to manage marketing campaigns, track lead sources for new patient appointments, and measure which campaigns generate the most new patient visits. Patient name and contact information in this context is PHI – a BAA is required. Marketing to prospective patients (website visitors who haven’t yet become patients) may not involve PHI if only contact information is captured and no clinical data is linked.

Care gap management: Payers and risk-bearing provider groups use CRM to manage outreach to members or patients with identified care gaps – patients overdue for preventive screenings, chronic disease management patients without recent visits, or members not filling medications. This use case involves PHI and requires full HIPAA compliance including a BAA.

“We chose a CRM that won’t sign a BAA, but we’re already using it with patient contact data”

This is a HIPAA compliance gap. If the CRM vendor won’t sign a BAA, patient contact data (including name, date of service, diagnosis references) must be removed from the CRM immediately. Evaluate whether a compliant alternative (Salesforce Health Cloud, Dynamics 365, or HubSpot Enterprise with BAA) can replace the current system. Document the gap and the remediation plan – regulators consider good-faith remediation efforts in enforcement actions.

“Our CRM has a BAA but reps are logging clinical details in free-text notes”

Unstructured free-text notes in CRM are a PHI risk even with a BAA – the minimum necessary principle requires limiting clinical detail. Train reps on what is appropriate to log in CRM (appointment date, service type, communication preference) versus what should remain in the EHR (clinical notes, diagnoses, treatment details). Configure CRM fields to capture only what’s necessary and provide training on appropriate use of note fields.


CRM Configuration for Healthcare Compliance Requirements

Healthcare organisations face a dual challenge with CRM: the system must support patient engagement and care coordination while remaining compliant with privacy regulations including HIPAA in the United States and equivalent frameworks in other jurisdictions. Most general-purpose CRM platforms can be configured for healthcare compliance, but doing so requires specific technical and contractual steps that are not part of a standard implementation.

Can HubSpot or Salesforce be used for healthcare CRM?

Salesforce can be used for healthcare CRM, particularly through its Health Cloud product, which is designed with healthcare workflows and data models in mind and includes provisions for HIPAA-compliant operation including BAA availability at the enterprise tier. HubSpot is not designed as a HIPAA-compliant platform and does not offer a Business Associate Agreement, which means it should not be used to store or process Protected Health Information. HubSpot can be used for general marketing and patient acquisition purposes where PHI is not involved, but a separate HIPAA-compliant system must handle any actual patient data. Microsoft Dynamics 365 and Veeva are also commonly used in healthcare environments with appropriate compliance configurations.

What is the difference between a patient portal and a healthcare CRM?

A patient portal is a patient-facing tool that allows individuals to view their health records, book appointments, message their care team, and access test results. It is typically integrated with the Electronic Health Record (EHR) and is operated primarily by the clinical team. A healthcare CRM is a staff-facing tool used to manage the patient relationship across the care journey: tracking engagement, coordinating outreach, managing referrals, and analysing patient cohorts for population health purposes. The two systems often need to be integrated: the CRM receives appointment and engagement data from the patient portal to inform care coordination activities, and the portal may display personalised content generated by the CRM. They serve different purposes and neither replaces the other.

How do we handle patient data when we migrate to a new CRM?

CRM migration in a healthcare context requires the same HIPAA compliance controls as any other PHI handling. Before migration, confirm that the migration vendor or consultant has signed a BAA. Map all PHI fields in the source system and ensure they are migrated to appropriately secured and access-controlled fields in the target system. Conduct a data quality audit on the migrated data before go-live. Decommission the source system only after confirming that all data is present and accessible in the target system and that audit logs from the source system are archived in compliance with your retention policy. Document the migration as part of your HIPAA compliance records.

What CRM metrics are most useful for healthcare organisations?

Healthcare CRM metrics fall into two categories: operational and clinical outcome. Operational metrics include appointment no-show rate (and its reduction through automated reminder workflows), referral conversion rate from inquiry to first appointment, patient re-engagement rate for lapsed patients, and staff response time to patient inquiries. Clinical outcome metrics require integration with your EHR and include care plan adherence rates, preventive care completion rates for eligible patient cohorts, and readmission rates for high-risk patient segments. The most valuable metrics are those that connect CRM activity to patient outcomes, not just operational efficiency. Building a dashboard that shows how CRM engagement activities correlate with appointment attendance and care plan adherence demonstrates the clinical value of the CRM investment to leadership.

The most important question is whether the system can protect the record while still supporting the work. If compliance is bolted on after the fact, the CRM is much harder to trust.

Common Problems and Fixes

Problem: Using a Standard CRM Without a Business Associate Agreement

HIPAA requires that any vendor who handles Protected Health Information (PHI) on behalf of a covered entity signs a Business Associate Agreement (BAA). Many healthcare organisations deploy CRM platforms without checking whether the vendor will sign a BAA, and without one, processing PHI through the CRM creates regulatory exposure regardless of the technical security controls in place.

Fix: Before deploying any CRM in a healthcare context, confirm whether the vendor offers a BAA. Salesforce Health Cloud includes BAA provisions at the enterprise tier. HubSpot does not offer a BAA as standard and is not designed as a HIPAA-compliant platform for PHI storage. Microsoft Dynamics 365, Veeva, and Salesforce Health Cloud are the most commonly used CRM platforms with established BAA programmes. If you are using a general-purpose CRM for patient-adjacent functions such as appointment reminders or survey collection, configure it to hold only non-PHI data and handle PHI exclusively in your EHR or purpose-built patient management system.

Problem: Staff Access to Patient Records Is Not Restricted by Role

In a healthcare CRM deployment, staff members sometimes have access to patient records beyond what their role requires. A front-desk scheduler with access to complete clinical history, or a billing coordinator who can view appointment notes, creates both a compliance risk and a patient trust issue. Over-provisioned access violates the HIPAA minimum necessary standard.

Fix: Implement role-based access control (RBAC) configured specifically around the minimum necessary standard. Map each staff role to the specific data fields they need to perform their function: schedulers need appointment history and contact details; care coordinators need care plan information and communication history; billing staff need financial and insurance data. Configure the CRM so each role sees only the objects and fields required for their function. Audit access quarterly and document your access control framework as part of your HIPAA compliance programme. Access changes should require sign-off from the Privacy Officer.
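The role-to-field mapping and the audit requirement described above can be expressed as a small enforcement layer. The following is an added example written for this guide, not code from the page or from any CRM vendor; the role names, field names, user ids and the sample patient record are constructed for illustration, and a real deployment would take the role-to-field map from the CRM's own permission configuration rather than from a dictionary. It shows a read that returns only the fields a role is mapped to, logs every access including the withheld fields, and a review helper that flags any role mapped to clinical fields that belong in the EHR.

```python
"""Field-level, role-based reads of a CRM patient record with an audit trail.

Added example, not code from the page or from any CRM vendor. Role names,
field names, user ids and the sample record are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Iterable, List, Optional

# Minimum-necessary map (assumed roles and fields): each role may read only
# the fields its function needs, mirroring the mapping described in the text.
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "scheduler": frozenset({"patient_id", "name", "phone", "email", "appointment_history"}),
    "care_coordinator": frozenset({"patient_id", "name", "care_plan", "communication_history"}),
    "billing": frozenset({"patient_id", "name", "insurance", "balance"}),
}

# Clinical detail that should stay in the EHR and never be mapped to a CRM role.
EHR_ONLY_FIELDS: FrozenSet[str] = frozenset(
    {"diagnoses", "clinical_notes", "medications", "treatment_details"})

# Constructed sample record (no real patient data).
SAMPLE_PATIENT: Dict[str, object] = {
    "patient_id": "P-0001",
    "name": "Sample Patient",
    "phone": "+1-555-0100",
    "email": "sample.patient@example.invalid",
    "appointment_history": ["2024-01-10 annual check-up"],
    "care_plan": "hypertension follow-up every 3 months",
    "communication_history": ["2024-01-03 reminder sent by email"],
    "insurance": "Example Health Plan",
    "balance": 0.0,
}


@dataclass
class AuditEntry:
    """One access event; a log like this must be retained for audit."""
    timestamp: str
    user: str
    role: str
    patient_id: str
    fields_returned: List[str]
    fields_denied: List[str]


@dataclass
class AuditLog:
    entries: List[AuditEntry] = field(default_factory=list)

    def record(self, entry: AuditEntry) -> None:
        self.entries.append(entry)


class AccessDenied(Exception):
    pass


def read_patient(record: Dict[str, object], user: str, role: str,
                 requested: Optional[Iterable[str]], audit: AuditLog) -> Dict[str, object]:
    """Return the subset of `record` the role may see; log every attempt, including denials.

    Fields outside the role's map are withheld rather than raising (field-level
    security in a CRM hides them the same way), but they are logged so that
    over-reach by a user or an integration shows up in the quarterly review.
    An unknown role, or a request that yields nothing the role may see, fails closed.
    """
    now = datetime.now(timezone.utc).isoformat()
    patient_id = str(record.get("patient_id", "?"))
    allowed = ROLE_FIELDS.get(role, frozenset())
    wanted = set(requested) if requested is not None else set(allowed)
    granted = sorted(f for f in wanted if f in allowed and f in record)
    denied = sorted(f for f in wanted if f not in allowed)
    audit.record(AuditEntry(now, user, role, patient_id, granted, denied))
    if role not in ROLE_FIELDS or not granted:
        raise AccessDenied(f"role {role!r} may not read {sorted(wanted)} for {patient_id}")
    return {f: record[f] for f in granted}


def find_overprovisioned(role_fields: Dict[str, FrozenSet[str]]) -> Dict[str, List[str]]:
    """Quarterly-review helper: roles mapped to clinical fields that belong in the EHR."""
    return {role: sorted(fs & EHR_ONLY_FIELDS)
            for role, fs in role_fields.items() if fs & EHR_ONLY_FIELDS}


if __name__ == "__main__":
    log = AuditLog()
    view = read_patient(SAMPLE_PATIENT, "u-scheduler-1", "scheduler", ["name", "care_plan"], log)
    print(view)                              # only 'name'; 'care_plan' withheld and logged
    print(log.entries[-1].fields_denied)     # ['care_plan']
    print(find_overprovisioned({"scheduler": frozenset({"name", "diagnoses"})}))
```

Passing `None` as the requested field list returns everything the role is mapped to, which is the shape a CRM list view would use; passing explicit fields models a report or integration query, where the denied list in the audit entry is what the Privacy Officer would look at during the quarterly access review.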

Problem: Patient Communication Preferences Are Not Consistently Captured

Healthcare CRM systems accumulate patient communication records across multiple channels: phone, email, patient portal, and in-person. Without a structured field for capturing and enforcing communication preferences, patients receive communications through channels they have not consented to, creating both compliance issues and patient experience problems. A patient who has requested email-only communication receiving a phone call from a care coordinator is a failure of both compliance and experience.

Fix: Create a Communication Preferences object in your CRM with fields for preferred channel, preferred language, preferred time of day, and explicit opt-in or opt-out status for each communication type (appointment reminders, care plan updates, health education). Capture these preferences at intake and make them visible at the top of every patient record. Configure workflow automation to route outbound communications through the preferred channel automatically. Build a preference update trigger: any returned mail, bounced email, or patient request to update preferences should auto-create a task for the patient coordinator to verify and update the record.
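The routing and preference-update triggers above amount to a small decision procedure: send only with explicit consent for that message type, send only on the preferred channel, and turn any delivery failure or change request into a verification task rather than a silent fallback. The following is an added example written for this guide, not code from the page or from any CRM vendor; the preference schema, message types, channel names and sample data are constructed for illustration, standing in for the Communication Preferences object the text describes.

```python
"""Route outbound patient communications through the consented channel only.

Added example, not code from the page or from any CRM vendor. The preference
schema, message types, channel names and sample values are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MESSAGE_TYPES = ("appointment_reminder", "care_plan_update", "health_education")
CHANNELS = ("email", "phone", "sms", "portal", "mail")


@dataclass
class CommunicationPreferences:
    preferred_channel: str
    preferred_language: str = "en"
    preferred_time_of_day: str = "any"
    # Explicit per-type consent. A missing key means no consent, so the
    # default is to not send rather than to assume opt-in.
    consent: Dict[str, bool] = field(default_factory=dict)
    # Channels that bounced or returned mail since preferences were last verified.
    unreachable: Set[str] = field(default_factory=set)


@dataclass
class Task:
    """Work item for the patient coordinator to verify and update the record."""
    patient_id: str
    reason: str


@dataclass
class OutboundMessage:
    patient_id: str
    message_type: str
    channel: str
    language: str
    send_window: str


def route_message(patient_id: str, prefs: CommunicationPreferences, message_type: str,
                  tasks: List[Task]) -> Optional[OutboundMessage]:
    """Return a routed message, or None when sending would violate the patient's preferences.

    Never falls back to a channel the patient did not choose: if the preferred
    channel is unreachable it opens a verification task instead of sending.
    """
    if message_type not in MESSAGE_TYPES:
        raise ValueError(f"unknown message type {message_type!r}")
    if prefs.preferred_channel not in CHANNELS:
        raise ValueError(f"unknown channel {prefs.preferred_channel!r}")
    if not prefs.consent.get(message_type, False):
        return None  # no explicit opt-in for this message type
    if prefs.preferred_channel in prefs.unreachable:
        tasks.append(Task(patient_id, f"preferred channel {prefs.preferred_channel} is "
                                      f"unreachable; verify preferences before sending {message_type}"))
        return None
    return OutboundMessage(patient_id, message_type, prefs.preferred_channel,
                           prefs.preferred_language, prefs.preferred_time_of_day)


def record_delivery_failure(patient_id: str, prefs: CommunicationPreferences,
                            channel: str, tasks: List[Task]) -> Task:
    """Bounced email or returned mail: mark the channel unreachable and open a task."""
    prefs.unreachable.add(channel)
    task = Task(patient_id, f"{channel} delivery failed; confirm preferences with patient")
    tasks.append(task)
    return task


def request_preference_update(patient_id: str, requested_channel: str, tasks: List[Task]) -> Task:
    """Patient-initiated change: open a task; the record changes only after verification."""
    task = Task(patient_id, f"patient asked to switch to {requested_channel}; verify and update")
    tasks.append(task)
    return task


def apply_verified_update(prefs: CommunicationPreferences, new_channel: str) -> None:
    """Coordinator applies a verified change; the new channel starts out reachable."""
    if new_channel not in CHANNELS:
        raise ValueError(f"unknown channel {new_channel!r}")
    prefs.preferred_channel = new_channel
    prefs.unreachable.discard(new_channel)


if __name__ == "__main__":
    tasks: List[Task] = []
    prefs = CommunicationPreferences("email", consent={"appointment_reminder": True})
    print(route_message("P-0001", prefs, "appointment_reminder", tasks))  # routed by email
    print(route_message("P-0001", prefs, "health_education", tasks))      # None: no consent
    record_delivery_failure("P-0001", prefs, "email", tasks)
    print(route_message("P-0001", prefs, "appointment_reminder", tasks))  # None: task opened
    print(len(tasks))                                                      # 2
```

The deliberate choice is that a bounced preferred channel blocks sending rather than switching to phone or SMS: the fallback would be exactly the non-consented contact the text describes as a compliance and experience failure, so the system routes the decision to a person.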
