2 min read

Is Matomo HIPAA compliant?

Kapua Iao July 21, 2023

HIPAA Compliance

Matomo is the most common free and open-source web analytics app. It tracks online visits to websites and creates reports on these visits for analysis. However, in the healthcare industry, sensitive protected health information (PHI) must be protected under HIPAA.

HIPAA compliance requires covered entities to sign a business associate agreement (BAA) with all vendors. Matomo does not offer a BAA, stating that it doesn't need to because it does not host any data.

What is Matomo?

Matomo, formerly known as Piwik, is a downloadable, free web analytics software platform. It provides detailed reports on a website and its visitors. Information includes search engines and keywords used, language spoken, pages liked, files downloaded, and so much more.

The platform stores data on its cloud though organizations can also configure their settings so that no data is maintained on its servers. The cloud is not HIPAA compliant.

Website analytics can provide valuable information about who is seeking or interested in learning more about a healthcare organization. Such information improves patient communication, satisfaction, and, ultimately, patient care. Matomo Analytics is used by many within the healthcare industry for this purpose.

Learn more: HIPAA compliant email: The definitive guide

Matomo's privacy and security features

Matomo provides information on its website that allows users to configure their privacy settings themselves. Accordingly, it ensures that data is only accessible to Matomo administrators. It states that it can be compliant with HIPAA for customers that follow (at least) the following steps:

Download/install Matomo on personal infrastructure and servers or that of a HIPAA compliant business associate.
Partner with web hosting companies that are HIPAA compliant and use processes to protect PHI.
Sign a BAA with all third parties that access PHI.
Encrypt your Matomo database with encryption at rest in MySQL/MariaDB.
Establish processes to delete, backup, and restore encrypted PHI.
Set up an SSL (Secure Socket Layer) certificate for all websites and apps as well as your Matomo server.
Implement a secure SSL database connection between Matomo and your MySQL/MariaDB database server.
Use an activity log to keep track of changes.
Send Matomo emails (some of which may contain PHI) through encrypted email servers.
Ensure that PHI and Matomo's interface and API are only accessible to authorized individuals.

Is Matomo a business associate?

To determine whether Matomo is a business associate under HIPAA, healthcare organizations must consider how it functions for them. According to Matomo, it is not considered a business associate since it doesn't host nor access organizations' data.

But Matomo is involved in the collection and movement of PHI. This means it could be considered a business associate under HIPAA. Business associate status, however, depends on the services provided and the agreements in place.

BAA provisions

A BAA is a legal contract between covered entities and their business associates. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:

Permitted uses and disclosures of PHI
Safeguards for protecting PHI
Reporting and mitigation of security incidents
Compliance with HIPAA regulations
Dispute resolution and termination clauses

Matomo and the BAA

On its web page discussing HIPAA compliance, Matomo says that healthcare organizations should sign BAAs "with any third parties" that access PHI. The company then states that organizations "won't need to sign the BAA" with Matomo because it does not store or retrieve data.

This means that Matomo will not have any legal obligations if a breach or HIPAA violation occurs.