How to make your website compliant with HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a US law that sets rules for keeping health information safe and private. If your site collects health information, you must follow HIPAA rules to avoid legal issues. To make sure that your site stays HIPAA compliant while you use Piwik PRO, you need to do a few things:

  1. Use the Enterprise plan in Piwik PRO. Our free Core plan doesn’t comply with HIPAA.
  2. Sign a Business Associate Agreement (BAA) with us: This agreement ensures that we understand our responsibilities in safeguarding protected health information (PHI).
  3. Make sure that any PHI collected on your site is visible only to authorized personnel, and educate them about the importance of keeping PHI confidential and the consequences of violating HIPAA.
  4. (Optional) Consider collecting less data to minimize the risk of PHI exposure. For example:
    • Don’t set PHI like an email address, device ID or phone number as a user ID or custom dimension. Instead, use a hashed version of these identifiers. Keep in mind that a plain hash of a short, guessable value such as an email address or phone number can be reversed by hashing candidate inputs and comparing, so compute the hash with a secret key that stays on your server rather than in the page.
    • Mask visitors’ IP addresses to two bytes (Level 2: 192.168.xxx.xxx). This limits location data to the country level and makes the stored IP address incomplete. HIPAA treats sub-state location data and IP addresses as PHI.
    • Limit PHI sent in page URLs. URLs sometimes contain data like the type of doctor’s visit, the date of the visit, the name of an illness or other PHI, which is then visible to anyone with access to the analytics data, including unauthorized personnel.

Protected health information (PHI) according to HIPAA

The Department of Health and Human Services (HHS) lists 18 identifiers that must be removed for data to count as de-identified under HIPAA’s Safe Harbor method:

  1. Name
  2. All geographic subdivisions smaller than a state (street address, city, county, zip code)
  3. Dates, including birthdate, admission date, discharge date and date of death
  4. Telephone number
  5. Fax number
  6. Email address
  7. Social Security number
  8. Medical record number
  9. Health plan beneficiary numbers
  10. Account number
  11. Certificate/license number
  12. Vehicle identifiers and serial numbers, including license plate number
  13. Device identifiers and serial numbers
  14. Web URL
  15. IP address
  16. Biometric identifiers, including fingerprints and voice
  17. Full face photo
  18. Any other unique identifying number, characteristic or code

Piwik PRO automatically collects some PHI, like sub-state location, page URLs and IP addresses. Other PHI may be collected if you set it as a user ID, a custom dimension or a custom event. For a more in-depth understanding of the data collected by Piwik PRO, refer to the list of data collected by Piwik PRO in the help center.

We explained how to deal with PHI in the first part of this article.
