Matomo is the most common free and open-source web analytics app. It tracks online visits to websites and creates reports on these visits for analysis. However, in the healthcare industry, sensitive protected health information (PHI) must be protected under HIPAA.
HIPAA compliance requires covered entities to sign a business associate agreement (BAA) with all vendors. Matomo does not offer a BAA, stating that it doesn't need to because it does not host any data.
What is Matomo?
Matomo, formerly known as Piwik, is a downloadable, free web analytics software platform. It provides detailed reports on a website and its visitors. Information includes search engines and keywords used, language spoken, pages liked, files downloaded, and so much more.
The platform can store data in Matomo's own cloud, though organizations can also configure their settings so that no data is maintained on Matomo's servers. The Matomo cloud is not HIPAA compliant.
Website analytics can provide valuable information about who is seeking or interested in learning more about a healthcare organization. Such information improves patient communication, satisfaction, and, ultimately, patient care. Matomo Analytics is used by many within the healthcare industry for this purpose.
Learn more: HIPAA compliant email: The definitive guide
Matomo's privacy and security features
Matomo provides information on its website that allows users to configure their privacy settings themselves. Configured this way, data is accessible only to the organization's own Matomo administrators. Matomo states that it can be HIPAA compliant for customers that follow (at least) the following steps:
- Download/install Matomo on personal infrastructure and servers or that of a HIPAA compliant business associate.
- Partner with web hosting companies that are HIPAA compliant and use processes to protect PHI.
- Sign a BAA with all third parties that access PHI.
- Encrypt your Matomo database with encryption at rest in MySQL/MariaDB.
- Establish processes to delete, back up, and restore encrypted PHI.
- Set up an SSL (Secure Socket Layer) certificate for all websites and apps as well as your Matomo server.
- Implement a secure SSL database connection between Matomo and your MySQL/MariaDB database server.
- Use an activity log to keep track of changes.
- Send Matomo emails (some of which may contain PHI) through encrypted email servers.
- Ensure that PHI and Matomo's interface and API are only accessible to authorized individuals.
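Two of the steps above (an SSL/TLS connection between Matomo and MySQL/MariaDB, and restricting the interface and API to authorized users over HTTPS) are set in Matomo's config/config.ini.php. The following is an added example, not code from Matomo or from this article, that audits a self-hosted configuration for those settings. It assumes the `[database]` options `enable_ssl`, `ssl_ca` and `ssl_no_verify` and the `[General]` option `force_ssl` as documented in Matomo's global.ini.php; the two sample configurations are constructed for illustration. Encryption at rest is configured on the database server, not in this file, so it is out of scope here.

```python
import configparser

# Constructed sample configurations (not taken from any real deployment).
# The leading "; <?php exit; ?>" line is Matomo's own guard against the
# file being served as text; configparser treats it as a comment.
WEAK_CONFIG = """\
; <?php exit; ?> DO NOT REMOVE THIS LINE
[database]
host = "db.internal"
username = "matomo"
password = "example-only"
dbname = "matomo"
enable_ssl = 0

[General]
force_ssl = 0
"""

HARDENED_CONFIG = """\
; <?php exit; ?> DO NOT REMOVE THIS LINE
[database]
host = "db.internal"
username = "matomo"
password = "example-only"
dbname = "matomo"
enable_ssl = 1
ssl_ca = "/etc/matomo/db-ca.pem"
ssl_no_verify = 0

[General]
force_ssl = 1
"""


def _parse(text):
    # Matomo's INI file has no interpolation syntax; disable it so that a
    # password containing '%' does not break parsing.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def _get(cp, section, key, default=""):
    # Matomo quotes string values; strip the quotes for comparison.
    if cp.has_option(section, key):
        return cp.get(section, key).strip().strip('"')
    return default


def audit_matomo_config(text):
    """Return a list of findings; an empty list means the checked settings are hardened."""
    cp = _parse(text)
    findings = []

    # Step: secure SSL/TLS connection between Matomo and the database.
    if _get(cp, "database", "enable_ssl", "0") != "1":
        findings.append("database.enable_ssl is not 1: Matomo-to-MySQL traffic is unencrypted")
    else:
        if not _get(cp, "database", "ssl_ca"):
            findings.append("database.ssl_ca is empty: the database server certificate cannot be verified")
        if _get(cp, "database", "ssl_no_verify", "0") == "1":
            findings.append("database.ssl_no_verify is 1: certificate verification is disabled")

    # Step: interface and API reachable only over HTTPS.
    if _get(cp, "General", "force_ssl", "0") != "1":
        findings.append("General.force_ssl is not 1: the Matomo interface and API accept plain HTTP")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_matomo_config(cfg) or "no findings")
```

Run it against a real deployment by reading config/config.ini.php into `audit_matomo_config`. Enabling `enable_ssl` without setting `ssl_ca` still leaves the connection open to an untrusted certificate, which is why the check treats a missing CA path as a finding rather than as hardened.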
Is Matomo a business associate?
To determine whether Matomo is a business associate under HIPAA, healthcare organizations must consider how it functions for them. According to Matomo, it is not considered a business associate since it doesn't host nor access organizations' data.
But Matomo is involved in the collection and movement of PHI. This means it could be considered a business associate under HIPAA. Business associate status, however, depends on the services provided and the agreements in place.
Related: How to know if you're a business associate
BAA provisions
A BAA is a legal contract between covered entities and their business associates. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:
- Permitted uses and disclosures of PHI
- Safeguards for protecting PHI
- Reporting and mitigation of security incidents
- Compliance with HIPAA regulations
- Dispute resolution and termination clauses
Related: Business associate agreement provisions
Matomo and the BAA
On its web page discussing HIPAA compliance, Matomo says that healthcare organizations should sign BAAs "with any third parties" that access PHI. The company then states that organizations "won't need to sign the BAA" with Matomo because it does not store or retrieve data.
This means that Matomo will not have any legal obligations if a breach or HIPAA violation occurs.
Is Matomo HIPAA compliant?
Matomo appears to place significant emphasis on privacy and security but is not willing to sign a BAA.
Conclusion: If considered a business associate, Matomo may not be HIPAA compliant.
Go deeper: HHS and FTC issue stern warning on online tracking in healthcare