Choosing a HIPAA Compliant CRM

The primary focus of healthcare IT is on EHR systems. Using an EHR is clearly important for building a scalable digital care business, but I’ve found there is another, in my opinion, equally important piece of software that is much less discussed, and that is the CRM system. I’ve spent a few years struggling over CRM systems in digital care companies and would like to share my learnings so you can struggle less.

While the EHR provides interfaces to manage clinical workflows used by your doctors and clinical support teams, it does not provide the ‘wrap-around’ features to manage the entire patient lifecycle. The key features of a CRM for a digital care company are visualizing patient profiles and communication history, integrating communication channels into one ‘command center’, and automating processes as patients move through stages of their lifecycle. The CRM allows you to manage the experience of many users as they flow through your virtual clinic.

There are a couple of reasons why CRM systems are crucial to digital care companies. First, digital care companies are built to differentiate from incumbent healthcare organizations on operational efficiency and customer experience. To deliver on this, you need to automate the patient lifecycle (onboarding, treatment, offboarding). CRMs provide tools to create automation with flexibility. Second, the patient lifecycle usually involves some ‘human element’: this could be an introductory call or a patient getting labs. A CRM is needed to manage communication and workflow when the patient is communicating with company staff.

Not all digital care companies will need a CRM, but I believe most will. The key service features that indicate the need for a CRM are high LTV, a high-consideration service, and a human element as part of the process. Some example businesses that need a CRM are autism, weight loss, diabetes, or addiction treatment. Some companies offering low-LTV, low-consideration, and highly automated services, like Sleepio or Teladoc, possibly don’t need a CRM. In these cases, the patient lifecycle could be fully automated with no need for a human to be involved.

You also won’t need a CRM on day one of your operation, and you shouldn’t get one on day one. It is better to start with a Google Sheet and manually enroll your first 100 patients. Once you get to that point, you will realize you can’t handle the complexity anymore, but you will have learned what your workflows should look like, which you can now encode in a CRM.

The HIPAA compliant CRM market 

There are apparently 611 CRMs available. This number is irrelevant because the number that actually matters for digital care companies is the number of CRMs that are HIPAA compliant. By HIPAA compliance I mean a CRM that will sign a BAA or can be self-hosted and has substantial data access control features.

The actual number of CRMs that pass the HIPAA bar is around 15. I’ve spent many hours evaluating these 15, I’ve directly worked with 2, and have spoken with people who have worked with a few more. Based on these experiences, I believe the healthcare CRMs fall into three categories. I’ll share in what cases you would choose one of these categories and what is the specific ‘best CRM’ in each category.

Category 1: Salesforce and other enterprise CRMs

  • CRMs: Salesforce, Oracle, SAP, Microsoft
  • Winner of the category: Salesforce
  • Cost (10 licenses/yr): ~$35,000

Of course this starts with Salesforce. This is most people’s first thought when they think of a CRM system. Salesforce has become the ‘low risk’ option for companies choosing a CRM. 

Salesforce is built for a non-technical organization. This is either a sales organization inside of a company or in the case of healthcare, an incumbent healthcare organization (hospital, health system, insurance company). Salesforce is designed to be the technical monolith inside of the organization. It has been built for all code and hosting to exist within the Salesforce walls. This is a huge benefit if the organization wants to silo the technical investment. They can hire a consultant to manage the full deployment.

If you are a company that is innovating with technical investment (aka a health tech company), then Salesforce is probably not the best choice. You will be building software services outside of Salesforce and connecting via API. If you are doing this, there are other lower cost CRMs with better UX that will offer all the functionality that Salesforce offers. Salesforce is very expensive. I know a medium sized digital care company that was spending $500k/yr on Salesforce licenses and around another $1m/yr to employ Salesforce developers. 

The one clear advantage Salesforce has is the integration ecosystem. All B2B SaaS companies build the Salesforce integration first, so if you go with another CRM, you will likely need to write some custom code to integrate all of your 3rd party services such as scheduling, phone, SMS, and web form services.

If you have an engineering team, and will be innovating in your market with technology, then don’t go with Salesforce.

Category 2: Newer/Lower Cost Salesforce Alternatives

  • CRMs: Freshsales, Zendesk Sell
  • Winner of the category: Freshsales
  • Cost (10 licenses/yr): ~$15,000

CRM functionality is totally commoditized. It’s a secret Salesforce doesn’t want you to know. Most CRMs offer the same functionality and similar UI. Salesforce has great sales and marketing, and with that is able to charge 2-3x more than other similar products.

Unfortunately, very few of the CRM competitors offer HIPAA compliance. The two best that do are Freshsales and Zendesk Sell. Of these two, Freshsales is the most feature rich. I know of two digital care companies using Freshsales and they seem happy with it.

Freshsales is not as customizable as Salesforce, so in order to offer fully custom workflows you will need to write custom code outside of the CRM that communicates via API. Also the Freshsales integration ecosystem is significantly smaller, so you will likely need to write some integrations yourself.

Pricing of CRMs is complicated because they get more and more expensive as you use more of the suite of features offered. It looks like Freshsales will cost around 50% of the cost of Salesforce. Depending on how many features you want, it will run $1,000-$2,500 per yearly license, compared to around $2,000-$5,000 for Salesforce.

If you are a digital care startup that already has an engineer or engineers and you plan on innovating through technology and user experience, then Freshsales is a good choice.

Category 3: Self-Hosted and Open Source

  • CRMs: Bitrix24, SuiteCRM
  • Winner of the category: Bitrix24
  • Cost (10 licenses/yr): ~$1,500

There are two pathways to HIPAA compliance for a CRM. Option 1 is to buy remotely hosted software as a service (SaaS) with a signed BAA. Option 2 is to self-host the CRM software on your own HIPAA compliant servers such as AWS or Google Cloud. Salesforce and Freshsales both follow Option 1 as SaaS products with BAAs. For the self-hosted option, the two best CRM options are Bitrix24 and SuiteCRM.

As with all CRMs, these self-hosted options offer the same functionality: leads, deals, workflow automation, and omni-channel communication, but they have two distinct advantages: customizability and price.

Since the software is self-hosted and open-source, you can actually modify the code of the CRM to fit your custom needs. Doing this is probably a bad idea for small organizations, but it is an option to have as the organization scales. This customizability is actually one of the big selling points of Salesforce, but with self-hosted, you get it for a much lower price.

Self-hosted CRMs are ridiculously cheap compared to SaaS products. Bitrix24 is about a $3000 flat fee for up to 50 licenses, while SuiteCRM is actually free. For comparison, Freshsales would cost $138k/yr for similar functionality with 50 licenses. After evaluating these two options, I think Bitrix24 is a better option than SuiteCRM. The UX is closer to the expensive CRMs, and it comes with built-in features that are costly add-ons for other CRMs, such as Task Management, Chat, and a Phone system.

Bitrix24 does have significant downsides. Since you are self-hosting, if your server goes down, it’s your problem to fix it. Also, since these products are much lower cost, they don’t offer the same level of support and documentation provided by more expensive CRMs. It will take some learning to use them well.

The Bottom Line

My assumption is that most digital care companies will innovate with technology and UX; given this, Salesforce is probably not the best option. Salesforce is built for incumbent healthcare organizations. However, if you won’t have an in-house development team, then Salesforce is the option with the least likelihood of needing to write custom code.

If you plan to write custom code outside of the CRM, like all tech startups will, then a lighter weight CRM will work just fine. The two best options I’ve seen are Freshsales and Bitrix24. These two have very similar functionality; the primary difference is how they are hosted. Bitrix24 is self-hosted; Freshsales is SaaS. Bitrix24 is much cheaper (~10% of the cost) and has greater flexibility due to being open-source, but has the downside of requiring more technical maintenance.

How do you choose between Bitrix24 and Freshsales? In most cases the technical support required to manage a self-hosted CRM like Bitrix24 won’t be worth it. If you know you will want to heavily modify the CRM, then a self-hosted option is a good choice. If you are planning on using the CRM in a more off-the-shelf state, then Freshsales is probably a better choice.

If you are building a digital care company and are already using a CRM or are in the market for one, I would love to talk. Please reach out at I can share more details about the options I mentioned here and I would like to hear from your experiences.
