Talk to sales
Start for free

Designed to streamline the sales and relationship-building process, Pipedrive is a cloud-based customer relationship management (CRM) solution that helps businesses reduce busywork, prioritize tasks, and keep better track of leads. While CRMs can serve as a valuable way to increase profits and productivity, covered entities should always take HIPAA compliance into consideration. Let’s explore if Pipedrive meets these critical security standards.

SEE ALSO: HIPAA compliant email


Pipedrive and business associate agreements


Third-party vendors that store, access, or send protected health information (PHI) are considered business associates. When a covered entity works with a business associate, a business associate agreement (BAA) must be signed by both parties. This is a written document that covers the responsibilities of the business associate to keep PHI secure. With no signed BAA, the vendor cannot be considered HIPAA compliant. In this particular instance, Pipedrive is considered a business associate for a healthcare organization if it manages PHI within its platform. There is no mention of any willingness to sign a BAA on the Pipedrive website.


Pipedrive and data security


Looking beyond the BAA, data security is another key component of maintaining HIPAA compliance. Therefore, covered entities should review the specific safeguards that a vendor has in place to protect PHI. The Pipedrive infrastructure is equipped with a variety of protective features including daily backups, encryption of data at rest and in transit, and a security dashboard that pinpoints suspicious activity in real-time. Customers can also further shield their information from potential risks through a set of custom controls. These include whitelisting IPs, setting time-restricted access, establishing user permission sets, implementing account lockdowns after multiple incorrect passwords, and enabling two-factor authentication to strengthen login security. Although these configurations can help organizations limit access to sensitive data, Pipedrive’s privacy policy states that the company is “not responsible for circumvention of any privacy settings or security measures” and “does not guarantee that information will not be viewed by unauthorized parties.”


Is Pipedrive HIPAA compliant? 


No, the company does not appear to offer a BAA and their community page confirms that “Pipedrive is committed to be HIPAA compliant eventually, but there are still steps to take.”


Step up your protection 


Selecting HIPAA compliant technology is a smart first step, but healthcare providers should be taking additional measures to safeguard PHI with stronger email security. Built to conveniently integrate with your existing email platform such as Google Workspace or Microsoft 365, Paubox Email Suite enables HIPAA compliant email by default and automatically encrypts every outbound message. This means you don’t have to spend time deciding which emails to encrypt and your patients can receive your messages right in their inbox without having to navigate any additional passwords or portals. Paubox Email Suite’s Plus and Premium plan levels also come with innovative inbound email security tools that provide more protection from potential threats. Our patent-pending Zero Trust Email feature uses email AI to verify that an email is legitimate, while ExecProtect works quickly to put a stop to display name spoofing attempts.


Try Paubox Email Suite for FREE today.

Start a 14-day free trial of Paubox Email Suite today