HIPAA Security Controls

The HIPAA Security Controls toggle button is used to indicate to Infusionsoft that your business is regulated by HIPAA and that your Infusionsoft app contains Protected Health Information (also known as "PHI"). It should only be activated if you are regulated by HIPAA. This setting is located in Settings > Privacy & Compliance.

Important Note! While HIPAA is a U.S.-only regulation, it is difficult for us to effectively identify all of the operating territories of our customers, so this toggle will display for all Infusionsoft accounts.

By default, the toggle is set to have the HIPAA controls Disabled.

When you toggle on HIPAA Security Controls, it can only be disabled again by contacting Infusionsoft Support. An Advanced Support team member will process your request. (To avoid accidentally enabling this security control, you will have to double confirm before saving it as Enabled.)

Vendors that Infusionsoft contracts to provide overflow and after-hours support are not yet HIPAA compliant and cannot be granted access to an Infusionsoft account that contains PHI. This means that your account will be supported only by in-house Infusionsoft Support during regular business hours.

Enabling HIPAA Security Controls in Infusionsoft does not make your business HIPAA compliant. It does, however, make it technologically possible for you to be compliant in the future as we continue to roll out this feature.

The Infusionsoft HIPAA Business Associate Agreement Addendum (BAA)

Infusionsoft offers customers the opportunity to execute our standard Business Associate Agreement Addendum (or “BAA”) that satisfies the applicable subcontracting requirements under HIPAA and the HITECH Act. Before using Infusionsoft in support of your HIPAA compliance, be sure to do the following:

  1. Configure your Infusionsoft app as a HIPAA app by enabling the HIPAA Security Controls. This setting is located in Settings > Privacy & Compliance.
  2. Once the HIPAA Security Control is enabled, review the BAA below, complete all the required fields, and sign the BAA in accordance with the instructions.
  3. Be sure to confirm your email address after you sign. To do this, follow the instructions in the email you receive from Adobe® Sign. This verification email will be sent to the email address you specify when signing the Addendum. If you don't see the email in your inbox, be sure to check your spam folder.
  4. A fully executed copy of the BAA will then be emailed to both parties.

To review the BAA, click here.


Q: What is HIPAA?

A: The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets baseline privacy and security standards for medical information. Click here to learn what types of businesses are regulated by HIPAA. 

Q: What is a Business Associate?

A: Business associates are people and companies that are hired or contracted by HIPAA covered entities. Infusionsoft is a business associate for our small business customers that are covered by HIPAA and have signed the Infusionsoft Business Associate Agreement Addendum.

Q: Is Infusionsoft HIPAA Certified?

A: There is no such thing as "HIPAA Certified", but the Infusionsoft software application is compatible with HIPAA, and Infusionsoft complies with HIPAA as a business associate as described in our BAA.

Q: I need advice on how to comply with HIPAA. What should I do?

A: Infusionsoft can’t provide any interpretation of HIPAA as it pertains to a customer’s particular circumstances. If you need help with HIPAA, consult a qualified attorney or legal adviser.

Q: Once I sign the BAA, does that mean I’m automatically HIPAA compliant?

A: HIPAA compliance is complicated, and the act of enabling HIPAA Security Controls in your Infusionsoft app does not alone make your business HIPAA compliant. But Infusionsoft is a HIPAA compatible application and can be used by organizations that are regulated by HIPAA to store, transmit, and otherwise process PHI.

Q: What about CustomerHub and third-party apps and services that integrate with Infusionsoft? Are those products and services HIPAA compatible too?

A: CustomerHub is not HIPAA compatible. Other Marketplace vendors may or may not offer HIPAA compatible solutions. Be sure to check directly with your Marketplace vendors – the Infusionsoft BAA does not cover your use of third-party products or services.