HIPAA-compliant analytics with Piwik PRO Analytics Suite

Apply the highest privacy and security safeguards as you collect data and analyze the full customer journey on your website or app.

If you fall under HIPAA, you’re responsible for providing the right safeguard for US citizens’ protected health information (PHI). There are two routes you can take to achieve it when doing analytics. You can either de-identify all PHI in your data or sign a business associate agreement (BAA) with your vendor to ensure the compliant collection and processing of PHI and ePHI. Regardless of which option you choose, Piwik PRO will support you in achieving HIPAA compliance.

How Piwik PRO keeps you aligned with HIPAA

Secure hosting

Know the exact location of your data and keep it on HIPAA-compliant data centers maintained by Microsoft Azure. Choose the US cloud or one of 60+ private cloud locations (dedicated database or dedicated hardware).

Safe backup storage

Keep sensitive information thoroughly protected and get maximum recovery capability. Benefit from replication to another location in the same region.

100% data control

Be the sole controller of granular information on visitors and access it at any time. We never use your data for other purposes or share it with third parties. Decide what ePHI you collect and how you use it to provide the best patient experience.

Audit log & change log

Monitor and review user activity in the analytics platform, such as login attempts, password updates, modification of the settings and API calls, and more. Keep logs of these actions to improve your risk management process. Utilize advanced user-permission options.

BAA options

Sign a business associate agreement (BAA) with us regardless of which hosting option you choose. Ensure joint compliance and liability for the provided services and establish responsibilities concerning PHI/ePHI.


Create a holistic view of your patients by combining first-party data from multiple touchpoints. Expand your marketing capabilities through integrations and natively available Tag Manager, Consent Manager, and CDP with data activation features.

Data encryption & transmission

Piwik PRO fulfills HIPAA requirements to encrypt ePHI when the data is at rest. We use 256-bit AES encryption with Microsoft Azure native encryption mechanisms and customer-managed keys, which prevents Microsoft from accessing unencrypted data.

Security measures

Piwik PRO follows the ISO 27001 and SOC 2 standards and is regularly audited and pen tested by independent auditors. This translates into enhanced measures for handling sensitive data, preventing data breaches, malicious attacks and unauthorized use of assets, and much more.

HIPAA compliant settings

Use a feature in our product to switch off the collection of visitors’ IP addresses. With this setting, IP addresses are not collected or stored anywhere in Piwik PRO, allowing you to enhance your HIPAA compliance.

The guide to HIPAA compliance in analytics

Learn how to make your company HIPAA-compliant in analytics, marketing and advertising, and find vendors who take compliance seriously.


“Working with health information means working with sensitive data, which makes privacy compliance the key aspect that healthcare organizations should focus on. Noncompliance with HIPAA regulations could result in sanctions, not to mention the looming loss of users’ trust. Choosing a compliant vendor, like Piwik PRO, helps you avoid those risks because data privacy and security are at the core of our business.”

Lisette Meij
Data Protection Officer at Piwik PRO

Resources on HIPAA-compliant analytics

We’ve gathered our content on HIPAA to help you evaluate your organization’s compliance and understand the requirements to comply with the law. Learn how to collect and process patient data online, what security measures to apply across your organization and tech, and how to find a HIPAA-compliant analytics vendor.

A review of HIPAA-compliant analytics platforms

Compare the HIPAA compliance of popular analytics vendors. Understand their pros and cons concerning HIPAA-compliant implementations.

Read more

HHS guidance on using online tracking technologies: How to make your analytics HIPAA-compliant

Find out how HIPAA-covered entities can follow HHS’s guidance and their options for HIPAA-compliant and effective approaches to analytics.

Read more

Is Google Analytics HIPAA-compliant?

Find out how Google Analytics approaches HIPAA compliance and why it’s not an optimal analytics solution for HIPAA-covered organizations.

Read more

HIPAA, marketing and advertising: How to run compliant campaigns in healthcare

Find out how to run effective marketing and advertising campaigns that respect user privacy, and learn how to choose marketing vendors, all while following HIPAA provisions.

Read more

Is Adobe Analytics HIPAA-compliant?

Learn whether companies covered by HIPAA can use Adobe Analytics and what measures they need to take to respect their patients’ rights.

Read more

PHI and PII: How they impact HIPAA compliance and your marketing strategy

Familiarize yourself with the concept of protected health information (PHI) to better understand what data to collect and how to protect it to satisfy HIPAA’s requirements.

Read more


Who must follow HIPAA requirements?

The HIPAA rules apply to any individual or organization that meets the definition of a covered entity as stated in HIPAA guidelines.

Covered entities include:
  • Health plans – for example, health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
  • Healthcare providers that conduct certain business electronically, such as electronically billing your health insurance – including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
  • Health care clearinghouses – entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
Beyond covered entities, the following must adhere to HIPAA:
  • Business associates
  • Subcontractors
  • Hybrid entities
  • Researchers
A business associate can be an individual or company that provides services to a HIPAA-covered entity that requires them to have access to, store, use, or transmit protected health information. Generally, an analytics vendor will be a business associate.

What is PHI and its electronic version (called ePHI) under HIPAA?

PHI and ePHI is a subset of personally identifiable information (PII) that refers explicitly to information processed by HIPAA-covered entities. When health information is combined with a personal identifier, the data becomes PHI.

Examples of health information include:
  • Medical test results
  • Prescription or treatment records
  • Billing information
  • Appointment scheduling information
When health information is combined with a personal identifier, the data becomes PHI.

The Department of Health and Human Services (HHS) lists the 18 HIPAA identifiers:
  • Name
  • All geographic subdivisions smaller than a state (street address, city, county, zip code)
  • Dates, including birthdate, admission date, discharge date, and date of death
  • Telephone number
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary numbers
  • Account number
  • Certificate/license number
  • Vehicle identifiers and serial numbers, including license plate number
  • Device identifiers and serial numbers
  • Web URL
  • IP address
  • Biometric identifiers, including fingerprints and voice
  • Full face photo
  • Any other unique identifying number, characteristic, or code
This means that not all health information acquired by organizations is considered PHI. For example, phone numbers and residential addresses alone are not PHI. But this data will be considered PHI if it includes health information about an individual’s condition, the treatment of that condition, or the payment for the treatment. It also must be transmitted and maintained in any form by a covered entity.

Specific examples of PHI and ePHI include:
  • Information your doctors, nurses, and other health care providers put in your medical record.
  • Conversations your doctor has about your care or treatment with nurses and others.
  • Information about you in your health insurer’s computer system.
  • Billing information about you at your clinic.
Importantly, PII collected on a covered entity’s website or app is considered PHI even if the individual does not have an existing relationship with the entity or the PII does not include specific treatment or billing information. When a covered entity collects such information, it is indicative that the individual has received or will receive health care services or benefits from it.

Why is HIPAA compliance important?

HIPAA introduced several benefits for the healthcare industry to help transition from paper records to electronic copies of health information. HIPAA has helped to streamline administrative healthcare functions, improve efficiency in the healthcare industry, and ensure that protected health information is shared securely.

People now care about the privacy of their data more than ever. Health information is a special category of personal information because it contains details about users’ conditions that they may not want to disclose. Protecting the privacy of health-related data helps you maintain the trust of individuals whose information you are processing.

Neglecting users’ rights related to HIPAA can negatively affect your business and have a long-lasting impact on how patients view your organization. Since HIPAA is a standard that must be followed by many organizations similar to yours, the lack of compliance can make you lose business to your compliant competitors. Not to mention that any covered entity that violates HIPAA regulations can face civil action lawsuits, criminal charges, and hefty monetary penalties.

How can you stay compliant with HIPAA?

HIPAA makes covered entities responsible for complying with a number of rules – the Privacy Rule, Security Rule, Breach Notification Rule, Enforcement Rule, and Omnibus Rule. The first three rules are particularly important.

The Privacy Rule provides federal standards to protect the privacy of PHI – particularly, it:
  • Limits how covered entities may use and disclose individually identifiable health information they receive or create.
  • Gives individuals rights concerning their protected health information, including a right to review and obtain a copy of their medical records and the right to ask covered entities to amend the information if it is inaccurate or incomplete.
  • Imposes administrative requirements for covered entities, such as training of employees concerning the Privacy Rule.
  • Establishes civil penalties.
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards to protect ePHI. Specifically, they must:
  • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit.
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information.
  • Protect against reasonably anticipated, impermissible uses or disclosures.
  • Ensure compliance by their workforce.
  • Perform risk analysis as part of their security management processes.
The Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured protected health information.

How can you ensure you have HIPAA-compliant analytics?

You must apply a few safeguarding practices while collecting and processing data online. Some requirements you must fulfill include:
  • Establish a business associate agreement (BAA) with every platform you use for marketing, advertising, and analytics and any other business associate. Otherwise, you cannot disclose PHI to that vendor without the individuals’ authorization.
  • Address the use of analytics and other data platforms in your risk analysis and management processes.
  • Implement administrative, physical, and technical safeguards – such as encrypting PHI transmitted to the analytics vendor and enabling and using appropriate authentication, access, encryption, and audit controls when accessing PHI maintained in the analytics platform infrastructure.
  • Work with vendors that support values such as privacy by design to fully control and understand what data you collect, store, and transfer.
  • Remove all 18 identifiers from PHI. Once the data is impossible to trace back to one individual, it is no longer PHI and no longer has protection under HIPAA.
Note: De-identification of PHI is not necessary with Piwik PRO – you can sign a BAA and send the desired PHI.

You need to carefully select an analytics vendor that would allow you to achieve HIPAA compliance – for example, don’t forget that Google Analytics is not HIPAA compliant.

You must either make an extra effort to avoid passing any trace of PHI to your analytics or switch to an analytics platform that will help you process patient data with the proper safeguards.

Healthcare organizations that chose Piwik PRO:

Want to learn more about how to make your analytics HIPAA-compliant?

We’re here to help and answer all your questions!

Get a custom demo