The Health Insurance Portability and Accountability Act (HIPAA) is a US law that governs how health information is protected and kept private. If your site collects health information, you must follow HIPAA rules to avoid legal issues. To make sure that your site stays HIPAA compliant while you use Piwik PRO, you need to do a few things:
- Use the Enterprise plan in Piwik PRO. Our free Core plan doesn’t comply with HIPAA.
- Sign a Business Associate Agreement (BAA) with us: This agreement ensures that we understand our responsibilities in safeguarding protected health information (PHI).
- Make sure that any PHI collected on your site is visible only to authorized personnel. It’s important to educate them on the significance of maintaining the confidentiality of PHI and the potential consequences of violating HIPAA regulations.
- (Optional) Consider collecting less data to minimize the risk of PHI exposure. For example:
- Don’t set PHI like an email address, device ID or phone number as a user ID or custom dimension. Instead, use a hashed version of these identifiers. Note that a plain hash of a low-entropy value such as an email address can be reversed by hashing candidate addresses, so key the hash with a secret that stays on your server rather than shipping a bare hash from the browser.
- Mask visitors’ IP addresses to two bytes (Level 2: 192.168.xxx.xxx). This limits location data to the country level and makes the stored IP address incomplete. HIPAA treats sub-state location data and IP addresses as PHI.
- Limit PHI sent in page URLs. URLs sometimes contain data such as the type of doctor’s visit, the visit date, the name of an illness or other PHI that may then be visible to unauthorized personnel in reports.
Protected health information (PHI) according to HIPAA
The Department of Health and Human Services (HHS) lists the 18 HIPAA identifiers:
- Name
- All geographic subdivisions smaller than a state (street address, city, county, zip code)
- Dates, including birthdate, admission date, discharge date and date of death
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary numbers
- Account number
- Certificate/license number
- Vehicle identifiers and serial numbers, including license plate number
- Device identifiers and serial numbers
- Web URL
- IP address
- Biometric identifiers, including fingerprints and voice
- Full face photo
- Any other unique identifying number, characteristic or code
Piwik PRO automatically collects some PHI, like sub-state location, page URLs and IP addresses. Other PHI may be collected if you set it as a user ID or custom dimension, or send it in custom events. For a more in-depth understanding of the data collected by Piwik PRO, you can refer to this list.
We explained how to deal with PHI in the first part of this article.
Tip: Read more about the differences between PHI and PII on our blog.