HIPAA Security Controls

The HIPAA Security Controls toggle button is used to indicate to Keap that your business is regulated by HIPAA and that your Keap app contains Protected Health Information (also known as "PHI"). It should only be activated if you are regulated by HIPAA. This setting is located in Settings > Privacy & Compliance.

Important Note! While HIPAA is a U.S.-only regulation, it is difficult for us to effectively identify all of the operating territories of our customers, so this toggle will display for all Keap accounts.

By default, the toggle is set to have the HIPAA controls Disabled.

When you toggle on HIPAA Security Controls, it can only be disabled again by contacting Keap Support. An Advanced Support team member will process your request. (To avoid accidentally enabling this security control, you will have to double confirm before saving it as Enabled.)

Vendors that Keap contracts to provide overflow and after-hours support are not yet HIPAA compliant and cannot be granted access to a Keap account that contains PHI. This means that your account will be supported only by in-house Keap Support during regular business hours.

Enabling HIPAA Security Controls in Keap does not make your business HIPAA compliant. It does, however, make it technologically possible for you to be compliant in the future as we continue to roll out this feature.

The Keap HIPAA Business Associate Agreement Addendum (BAA)

Keap offers customers the opportunity to execute our standard Business Associate Agreement Addendum (or “BAA”) that satisfies the applicable subcontracting requirements under HIPAA and the HITECH Act. Before using Keap in support of your HIPAA compliance, be sure to do the following:

  1. Configure your Keap app as a HIPAA app by enabling the HIPAA Security Controls. This setting is located in Settings > Privacy & Compliance.
  2. Once the HIPAA Security Control is enabled, review the BAA below, complete all the required fields, and sign the BAA in accordance with the instructions.
  3. Be sure to confirm your email address after you sign. To do this, follow the instructions in the email you receive from Adobe® Sign. This verification email will be sent to the email address you specify when signing the Addendum. If you don't see the email in your inbox, be sure to check your spam folder.
  4. A fully executed copy of the BAA will then be emailed to both parties.

To review the BAA, click here.


Q: What is HIPAA?

A: The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets baseline privacy and security standards for medical information. Click here to learn what types of businesses are regulated by HIPAA. 

Q: What is a Business Associate?

A: People and companies that are hired or contracted by HIPAA covered entities. Keap is a business associate for our small business customers that are covered by HIPAA and have signed the Keap Business Associate Agreement Addendum.

Q: Is Keap HIPAA Certified?

A: There is no such thing as "HIPAA Certified", but the Keap software application is compatible with HIPAA, and Keap complies with HIPAA as a business associate as described in our BAA.

Q: I need advice on how to comply with HIPAA. What should I do?

A: Keap can’t provide any interpretation of HIPAA as it pertains to a customer’s particular circumstances. If you need help with HIPAA, consult a qualified attorney or legal adviser.

Q: Once I sign the BAA, does that mean I’m automatically HIPAA compliant?

A: HIPAA compliance is complicated, and the act of enabling HIPAA Security Controls in your Keap app does not alone make your business HIPAA compliant. But Keap is a HIPAA compatible application and can be used by organizations that are regulated by HIPAA to store, transmit, and otherwise process PHI.

Q: What about CustomerHub and third-party apps and services that integrate with Keap? Are those products and services HIPAA compatible too?

A: CustomerHub is not HIPAA compatible. Other Marketplace vendors may or may not offer HIPAA compatible solutions. Be sure to check directly with your Marketplace vendors – the Keap BAA does not cover your use of third-party products or services.