The Health Insurance Portability and Accountability Act (HIPAA) applies to businesses required by federal law to align with privacy and security standards regarding personal medical information.

Enable HIPAA Security Controls in Infusionsoft 

The Admin Settings section labeled Privacy contains a toggle button called HIPAA Security Controls. It is used to indicate to Infusionsoft that your business is regulated by HIPAA and that your Infusionsoft app contains Protected Health Information (PHI). It should only be activated by those customers who are regulated by HIPAA.

  • This setting is located in Admin > Settings > Privacy & Compliance at the bottom of the page.

Important Note: While HIPAA is a U.S.-only regulation, it is difficult for us to effectively identify all of the operating territories of our customers, so this toggle displays in all Infusionsoft accounts.

  • By default, the toggle is set to have the HIPAA controls Disabled.
  • Once you select and save the toggle as Enabled, HIPAA Security Controls can only be disabled again by contacting Infusionsoft Support; the request will be processed by an Advanced Support team member. To prevent accidentally enabling this security control, you will have to confirm twice before saving it as Enabled.
  • Vendors that Infusionsoft contracts to provide overflow and after-hours support are not yet HIPAA compliant and cannot be granted access to an Infusionsoft account that contains PHI. This means that your account will be fully supported only by in-house Infusionsoft Support during regular business hours.

    USA Toll Free
    +1 866 800 0004 Ext. 2
    Monday-Friday 6AM - 5PM Arizona Time


Important Note: Enabling HIPAA Security Controls in Infusionsoft does not make your business HIPAA compliant. It identifies to Keap that your application with us contains HIPAA sensitive information. 

The Infusionsoft HIPAA Business Associate Agreement Addendum (BAA)

  • Infusionsoft offers customers the opportunity to execute our standard Business Associate Agreement Addendum (or BAA) that satisfies the applicable subcontracting requirements under HIPAA and the HITECH Act.
  • Before using Infusionsoft in support of your HIPAA compliance, be sure to do the following:
    • Configure your Infusionsoft app as a HIPAA app by enabling the HIPAA Security Controls. This setting is located in Admin > Settings > Privacy & Compliance, under the section labeled Privacy.
    • Once the HIPAA Security Control is enabled, review the BAA below, complete all the required fields, and sign the BAA in accordance with the instructions.
    • Be sure to confirm your email address after you sign. To do this, follow the instructions in the email you receive from Adobe® Sign. This verification email will be sent to the email address you specify when signing the Addendum. If you don't see the email in your inbox, be sure to check your spam folder.
    • A fully executed copy of the BAA will then be emailed to both parties.
  • To review the BAA, click here.


Q: What is HIPAA?
A: The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets baseline privacy and security standards for medical information. Click here to learn what types of businesses are regulated by HIPAA.

Q: What does enabling HIPAA security controls do for my application?
A: It signals to Keap that your application contains HIPAA protected information and/or that you are an organization that is regulated by HIPAA. Enabling HIPAA Security Controls creates and stores additional logs of who has accessed the account. No fields other than first and last name, email address and phone number can be displayed anywhere outside of the app.

Q: Is email sent through Keap encrypted?
A: It will not be encrypted, and we do not provide a secure way for non-users to access their information (aka a patient portal).

Q: What is a Business Associate?
A: People and companies that are hired or contracted by HIPAA covered entities. Infusionsoft is a business associate for our small business customers that are covered by HIPAA and have signed the Infusionsoft Business Associate Agreement Addendum.

Q: Is Infusionsoft HIPAA Certified?
A: There is no such thing as "HIPAA Certified", but the Infusionsoft software application is compatible with HIPAA, and Infusionsoft complies with HIPAA as a business associate as described in our BAA.

Q: I need advice on how to comply with HIPAA. What should I do?
A: Infusionsoft can’t provide any interpretation of HIPAA as it pertains to a customer’s particular circumstances. If you need help with HIPAA, consult a qualified attorney or legal advisor.

Q: Once I sign the BAA, does that mean I’m automatically HIPAA compliant?
A: HIPAA compliance is complicated, and the act of enabling HIPAA Security Controls in your Infusionsoft app does not alone make your business HIPAA compliant. But Infusionsoft is a HIPAA compatible application and can be used by organizations that are regulated by HIPAA to store, transmit, and otherwise process PHI.

Q: What about CustomerHub and third-party apps and services that integrate with Infusionsoft? Are those products and services HIPAA compatible too?
A: CustomerHub is not HIPAA compatible. Other Marketplace vendors may or may not offer HIPAA compatible solutions. Be sure to check directly with your Marketplace vendors – the Infusionsoft BAA does not cover your use of third party products or services.
