Is a CRM HIPAA compliant?
HIPAA compliance applies to CRMs only if you handle protected health information (PHI) — patient names tied to medical records, treatment data, or health insurance details. Most contractor CRMs don't process PHI, so HIPAA doesn't apply. For the small number that do, this post covers what's required.
Who actually needs HIPAA in a CRM
HIPAA covers PHI specifically — protected health information. A general contractor's CRM with customer names, addresses, and job notes doesn't qualify. A medical-billing service's CRM with patient records does. A handyman doing accessibility modifications for a medical clinic might process PHI if the work order includes the patient's diagnosis. Most contractors never touch PHI and don't need HIPAA-compliant tools. If you're not sure, ask: 'Does the CRM record any data about a person's medical condition, treatment, or diagnosis?' Usually the answer is no.
The Business Associate Agreement
If you do need HIPAA, the first requirement is a Business Associate Agreement (BAA) with your CRM vendor. The BAA legally extends HIPAA obligations to the vendor — they agree to safeguard PHI, report breaches, and comply with HIPAA controls. Without a signed BAA, no CRM is HIPAA-compliant for you, no matter how secure their infrastructure. Reputable CRMs that serve healthcare-adjacent industries (home health, medical equipment, accessibility contractors) offer BAAs. Most contractor-focused CRMs don't, because their customer base doesn't need it.
Technical and process requirements
Beyond the BAA, HIPAA requires audit logs (who accessed what PHI and when), access controls (only authorized users can see records), encryption (in transit and at rest), breach notification procedures, and secure disposal of records. Reputable CRMs that offer BAAs have these controls in place — they had to build them before they could sign a BAA in the first place. The contractor's job is to follow the procedures on their side: enable 2FA, restrict access to the people who need it, and train staff on what counts as PHI.
What contractors with light medical exposure do
Some contractors have rare medical exposure — say, a remodeler doing one ADA bathroom retrofit a year where the client's medical condition is documented in the work order. The risk-avoidance path: scrub the medical detail from the CRM record (note 'accessibility retrofit per client request,' not 'wheelchair-bound after stroke'). The compliance path: pick a HIPAA-capable CRM and get a BAA. Most contractors in this position pick the first path and call it good. Lawyers will disagree about whether it's enough, but in practice, it is.
Bottom line
Most contractors don't need HIPAA-compliant CRMs. If you process protected health information regularly, get a BAA and pick a vendor that explicitly supports HIPAA. Otherwise, you're fine.