
HIPAA

Health Insurance Portability and Accountability Act

A US regulation affecting how covered organizations handle protected health information.

Definition

HIPAA (Health Insurance Portability and Accountability Act) is a US law governing the protection of health information. Organizations handling Protected Health Information (PHI) must ensure vendors and tools they use are HIPAA compliant.

What Is Protected Health Information (PHI)?

PHI includes any health-related data that can identify an individual:

  • Medical records and diagnoses
  • Treatment information
  • Health insurance details
  • Payment information for healthcare
  • Any data combined with health information

HIPAA Requirements for Software

Requirement          What It Means
BAA                  Business Associate Agreement with vendors
Encryption           Data encrypted at rest and in transit
Access controls      Role-based access to PHI
Audit logging        Track who accesses PHI
Breach notification  Report breaches within 60 days

Do I Need HIPAA Compliance?

You likely need HIPAA-compliant tools if you’re:

  • A healthcare provider
  • A health insurance company
  • A healthcare clearinghouse
  • A business handling PHI on behalf of any of the above

HIPAA and Analytics

Most analytics tools are NOT HIPAA compliant by default. Healthcare organizations should:

  • Use analytics tools that offer BAAs
  • Avoid tracking PHI in analytics events
  • Consider self-hosted options for full control
  • Implement data anonymization

PostHog offers self-hosting for organizations needing HIPAA compliance with full data control.

Frequently Asked Questions

What is a Business Associate Agreement (BAA)?

A BAA is a contract between a healthcare organization and a vendor handling PHI. It specifies how the vendor will protect PHI. Without a BAA, using a vendor for PHI is a HIPAA violation.

Can I use Google Analytics with HIPAA?

Google does not sign BAAs for Google Analytics, so it cannot be used to track sessions involving PHI. You’d need a HIPAA-compliant alternative or ensure no PHI is captured.

What are HIPAA violation penalties?

Penalties range from $100 to $50,000 per violation, with annual maximums of $1.5 million per violation category. Criminal penalties can include imprisonment for willful violations.
