The Health Insurance Portability and Accountability Act (HIPAA) is a US regulation developed to protect the privacy and security of certain health information. Matomo Analytics is used by many companies in the healthcare industry building medical and health related applications. Matomo can be configured in a way that it is compliant with HIPAA.
When should I care about HIPAA?
When you collect any protected health information (PHI) using Matomo for example via user id, custom dimensions possibly storing health data, urls, page titles, session recordings that may record personal data, or even other PII… then you may need to be compliant with HIPAA in the US (and other privacy regulations like GDPR).
To be compliant with HIPAA you will need to follow these steps at least:
- Download and install Matomo on infrastructure and servers you own or lease from a HIPAA compliant webhosting company. (The official Matomo Cloud service is not HIPAA compliant.)
- Partner with web hosting companies that are HIPAA compliant and have processes for protecting PHI and your Matomo.
- Sign a business associate contract (BAA) with any third-parties that have access to your patients’ PHI. (You won’t need to sign the BAA document with us at Matomo since we don’t host your data and we cannot access it.)
- Encrypt your Matomo database with data encryption at rest in MySQL/MariaDB.
- Establish processes to delete, backup and restore encrypted PHI and Matomo database as needed
- Setup SSL certificate for all your websites and apps
- Setup SSL certificate for your Matomo server
- Ideally implement a secure SSL Database connection between Matomo web server and your MySQL/MariaDB database server.
- Send Matomo emails (some which may contain PHI) through encrypted email servers
- Ensure that PHI and Matomo interface and API is only accessible to authorized individuals
If you have any question or if you need help with your Matomo On-Premise setup contact us, we’re always happy to help.