A HIPAA Compliance Add-On is available as an optional, account-wide upgrade that enables encryption of ePHI, Business Associate Agreements (BAAs), audit logging, and MFA enforcement. The add-on is priced at $297 per month or $2,970 per year (two months free). Once purchased, the HIPAA package applies to all sub-accounts within the system and cannot be removed.

IMPORTANT: HIPAA compliance is not included by default and requires a separate subscription. To activate HIPAA features, you must purchase the HIPAA Compliance Add-On from the Compliance section of your settings. Once the HIPAA package has been purchased and implemented, it becomes a permanent part of the account and cannot be downgraded, canceled, or removed. All sub-accounts inherit HIPAA protections automatically, including encryption, MFA enforcement, and all associated security controls.

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, a United States federal law that sets data privacy and security requirements for safeguarding medical information.


The act, which was signed into law by President Bill Clinton on Aug. 21, 1996, contains five sections, or titles: 


  • Title I: HIPAA Health Insurance Reform

  • Title II: HIPAA Administrative Simplification

  • Title III: HIPAA Tax-Related Health Provisions

  • Title IV: Application and Enforcement of Group Health Plan Requirements

  • Title V: Revenue Offsets


In the context of online marketing, adhering to HIPAA Title II is what most people mean when they refer to HIPAA compliance.


HIPAA Title II

Also known as the Administrative Simplification provisions, Title II includes the following HIPAA compliance requirements:

  • National Provider Identifier Standard. Each covered healthcare provider, whether an individual practitioner or an organization, must have a unique 10-digit National Provider Identifier (NPI) for use in standard transactions.

  • Transactions and Code Set Standard. Healthcare organizations must follow a standardized mechanism for electronic data interchange (EDI) in order to submit and process insurance claims.

  • HIPAA Privacy Rule. Officially known as the Standards for Privacy of Individually Identifiable Health Information, this rule establishes national standards to protect patient health information.

  • HIPAA Security Rule. The Security Standards for the Protection of Electronic Protected Health Information require administrative, physical, and technical safeguards for electronic PHI (ePHI).

  • HIPAA Enforcement Rule. This rule sets the procedures for investigating complaints of HIPAA violations and the civil money penalties that can be imposed.


The two rules that govern the relationship between HighLevel, a customer Agency, and the agency's client (the Practice) are the HIPAA Privacy Rule and the HIPAA Security Rule.


Compliance Overview


In HIPAA terms:


  • The Practice (end client) is the covered entity

  • The service provider (the Agency) is a Business Associate of the Practice, and the platform, which handles PHI on the Agency's behalf, is a Business Associate as well


The system has been independently evaluated to ensure compliance with the HIPAA Privacy Rule and HIPAA Security Rule, enabling Business Associate Agreements (BAAs).

To ensure complete HIPAA protection for PHI, the service provider must also be HIPAA compliant in its own right so that it can sign a BAA with each of its Practice clients. The platform's BAA covers the platform's handling of PHI; it does not stand in for the Agency's own BAA with the Practice.


Security

The platform automatically encrypts all stored data:


  • All data is encrypted before being written to disk

  • Data is decrypted transparently, and only for authenticated, authorized users

  • Encryption uses AES-256

  • Encryption keys are managed and rotated using hardened, audited key management systems

  • No user configuration is required; encryption is always active

This is encryption at rest. It protects PHI against compromise of the underlying storage or backups; it does not limit what a user who has already authenticated and been authorized can see, so access control and MFA enforcement remain the controls for that.


Any account, regardless of plan level, can subscribe to the HIPAA Compliance Add-On at $297/month.


How to become HIPAA Compliant


1. Navigate to Settings → Compliance




2. Select your monthly or yearly HIPAA plan and click "Pay"




3. After subscribing, sign the HIPAA compliance document (the BAA) inside the app



How to view and download the document


1. Go to Settings → Compliance → View Details 

Please Note: Accounts that subscribed to HIPAA after November 15, 2023 can download their documentation directly within the app. Accounts that subscribed before this date should contact support to obtain the required documents.


Frequently Asked Questions


Q. Can a HIPAA-compliant sub-account be transferred?

Yes. A sub-account can be transferred between accounts when both accounts have HIPAA enabled.


Q. Is the mobile app covered?

Yes, Conversations, Calendar, and Contacts follow the same encryption and MFA policies as the web platform. 


Q. Can HIPAA be disabled after purchase?

No. Once PHI has been stored under the add-on's protections it cannot be reverted to an unprotected state, so the add-on is permanent for that agency.


Q. What data types are included?

All objects that can store PHI: Contacts, Notes, Custom Fields, SMS/MMS, voice recordings, email bodies and attachments, form/survey submissions, calendars, and invoices (in short, every object in the account).