Health Insurance Portability and Accountability Act (aka HIPAA) is a law in the US that makes sure that health information is kept safe and private. If your site collects health information, you must follow HIPAA rules to avoid legal issues. To be sure that your site is HIPAA compliant while you use Piwik PRO, you need to do a few things:
- Use the Enterprise plan in Piwik PRO. The free Core plan doesn’t comply with HIPAA, but you can test HIPAA-compliant analytics covered by a Business Associate Agreement (BAA) on your Core account for free for 6 months.
Note: Customizing the BAA or the scope of the offer is only possible with the paid Piwik PRO Enterprise plan.
- Sign a Business Associate Agreement (BAA) with us: This agreement makes sure that we understand our responsibilities in safeguarding protected health information (PHI).
- Make sure that any PHI collected on your site is only visible to authorized personnel. Inform your staff why keeping PHI confidential is crucial and what can happen if they break HIPAA rules.
- (Optional) Consider collecting less data to minimize the risk of PHI exposure. For example:
  - Don’t set PHI, like email, device ID or phone, as a user ID or custom dimension. Instead, use a hashed version of these identifiers.
  - Don’t collect visitors’ IP addresses. This practice makes sure that no location data is collected. It’s important to note that HIPAA regards sub-state location data and IP addresses as PHI. You can turn off IP address collection in Administration > Sites & apps > Privacy > Collect visitors’ IP addresses (off) or Administration > Account > Global site & app settings > Privacy > Collect visitors’ IP addresses (off).
  - Limit PHI sent in page URLs. Sometimes URLs contain data like a doctor’s visit, date of visit, name of illness or other PHI that may be visible to unauthorized personnel.
Protected health information (PHI) according to HIPAA
The Department of Health and Human Services (HHS) lists the 18 HIPAA identifiers:
- Name
- All geographic subdivisions smaller than a state (street address, city, county, zip code)
- Dates, including birthdate, admission date, discharge date and date of death
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary numbers
- Account number
- Certificate/license number
- Vehicle identifiers and serial numbers, including license plate number
- Device identifiers and serial numbers
- Web URL
- IP address
- Biometric identifiers, including fingerprints and voice
- Full face photo
- Any other unique identifying number, characteristic or code
Piwik PRO automatically collects some PHI like sub-state location, page URLs and IP addresses. Other PHI may be collected if you set it as a user ID or custom event. If you want to know more about the data Piwik PRO collects, see this list.
Tip: Read more about the differences between PHI and PII on our blog.