The Health Insurance Portability and Accountability Act (HIPAA) is a US regulation developed to protect the privacy and security of certain health information. Matomo Analytics is used by many companies in the healthcare industry that build medical and health-related applications. Matomo can be configured so that it is HIPAA compliant.

When should I care about HIPAA?

When you are a Covered Entity or a Business Associate as defined in HIPAA and you handle any Protected Health Information (PHI) using Matomo, you must comply with HIPAA rules that govern privacy, security, breach notification and enforcement, unless that particular processing is exempt.

What is Protected Health Information (PHI)?

Not all personal information or data is PHI. PHI is any health-related data that can be linked to an individual via identifiers such as: name, geolocation data, elements of birth date, contact details, device ID, account number, IP address, medical record number, web URL.

In the context of Matomo, PHI may include, for example, the User ID, custom dimensions that store health data, or URLs, page titles and session recordings that capture personal data.

What is Not Considered PHI?

  • Fully de-identified PHI: HIPAA does not apply to de-identified data, but the threshold is high and HIPAA prescribes the methodology and conditions under which de-identification can occur.
  • Health-related data collected by non-covered entities, such as fitness trackers, personal health apps, or websites that are not associated with a healthcare provider.
  • Properly aggregated or anonymized health data that does not contain individual identifiers.
  • Identifiers on their own without the health-related information.

Steps For HIPAA compliance

To comply with HIPAA, you must complete at least the following steps:

  1. Develop and maintain a HIPAA-compliant Privacy Rule and Breach Notification Policies and Procedures.
  2. Appoint a Privacy Officer and Security Officer.
  3. Document how you will comply with patient rights.
  4. Conduct risk analysis and establish a risk management plan.
  5. Train your personnel.
  6. Self-Hosting on HIPAA-Compliant Infrastructure
    • Download and install Matomo On-Premise on infrastructure and servers you own or lease from a HIPAA-compliant webhosting company. (The official Matomo Cloud service is not HIPAA compliant.)
    • Partner with web hosting companies that are HIPAA compliant and have processes for protecting PHI and your Matomo installation.
  7. Business Associate Agreement
    • Sign a business associate contract (BAA) with any third-parties that have access to the PHI.
    • You won’t need to sign the BAA document with us at Matomo since we don’t host your data and we cannot access it.
  8. Security
    • Ensure that you implement the safeguards required by the HIPAA Security Rule: develop, document and implement security policies and procedures covering administrative safeguards (policies and procedures, risk analysis and management), physical safeguards and technical safeguards.
    • Enable encryption at rest for your Matomo database in MySQL/MariaDB.
    • Establish processes to delete, back up and restore the encrypted PHI and Matomo database as needed.
    • Set up an SSL/TLS certificate for all your websites and apps.
    • Set up an SSL/TLS certificate for your Matomo server.
    • Ideally, use an SSL/TLS-encrypted database connection between the Matomo web server and your MySQL/MariaDB database server.
    • Use the Activity Log to keep track of changes made to Matomo entities.
    • Send Matomo emails (some of which may contain PHI) through encrypted email servers.
    • Ensure that PHI, and the Matomo user interface and API, are only accessible to authorised individuals.
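As an added example (not taken from this FAQ or from Matomo's own documentation), the `config/config.ini.php` settings that put the two transport-encryption items above into effect: `force_ssl` makes Matomo redirect every UI and API request to HTTPS, and the `[database]` `ssl_*` options make the web server's MySQL/MariaDB connection use TLS with server certificate verification. Hostname, credentials and certificate paths are placeholders.

```ini
[General]
; Redirect all HTTP requests for the Matomo UI and API to HTTPS.
; Requires a valid certificate already installed on the web server.
force_ssl = 1

[database]
; Placeholder connection values; replace with your own.
host = db.internal.example
username = matomo
password = "CHANGE_ME"
dbname = matomo
tables_prefix = matomo_

; TLS for the web server -> database link.
; CA certificate used to verify the database server's certificate (placeholder path).
ssl_ca = /etc/matomo/tls/db-ca.pem
; Client certificate and key, only needed if the database requires client authentication (placeholder paths).
ssl_cert = /etc/matomo/tls/matomo-client.pem
ssl_key = /etc/matomo/tls/matomo-client-key.pem
; Keep verification enabled: ssl_no_verify = 1 would accept any server certificate
; and leave the PHI in transit exposed to interception on the database link.
ssl_no_verify = 0
```

After restarting, confirm the link is actually encrypted by running `SHOW STATUS LIKE 'Ssl_cipher';` in a session opened with the same credentials and TLS options; a non-empty cipher value means TLS is in use.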

If you have any questions or need help with your Matomo On-Premise setup, contact us; we’re always happy to help.

Source used: fullmedia.com/a-beginners-guide-to-hipaa-compliant-websites
