Is Piwik PRO HIPAA-Compliant?

As a healthcare marketing agency, we are often asked about the HIPAA compliance of certain marketing tools. To address this need, we have created a blog series that examines common marketing tools and software to determine whether or not they pose a HIPAA concern.

This week, we’re taking a closer look at Piwik PRO.

What Is Piwik PRO?

Piwik PRO is a privacy-focused web analytics platform positioned as an alternative to Google Analytics. It offers in-depth insights into website traffic while giving the site owner control over how visitor data is collected and stored. With an emphasis on data ownership and GDPR compliance, Piwik PRO is available both on-premises and as a cloud-hosted service, which suits organizations that want granular data without compromising user trust or regulatory obligations.

Significant features:

  • User Privacy: One of Piwik PRO’s major selling points is its focus on data privacy. Their customers have the option to anonymize or redact IP addresses, respect Do Not Track headers, and provide transparent opt-out options for visitors.
  • Heatmaps: These features provide visual insights into where users are clicking, moving, and scrolling on a webpage.
  • Tag Manager: An integrated tag manager helps users easily add and manage various marketing and analytics tags on their website without the need to modify the site’s code directly.
  • Audience Segmentation: Piwik PRO allows for detailed audience segmentation, enabling marketers to analyze specific subsets of their traffic, such as users from a particular location or users who arrived through a specific marketing campaign.
  • Data Ownership: Unlike many other platforms, Piwik PRO ensures that the data collected remains under the website owner’s control. This is a particularly privacy-forward feature of Piwik PRO.
  • Multi-site Analytics: Users can manage the analytics for multiple websites within a single Piwik PRO instance.
  • CDP (Customer Data Platform): Available to premium customers, Piwik PRO’s CDP lets users build customer profiles and segmented audiences.
  • Consent Management Platform: Piwik PRO includes an easy-to-use consent management platform that lets website visitors record their privacy preferences before tracking begins.
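To make the User Privacy bullet concrete, below is an added illustration of what two of those controls look like when implemented server-side: truncating a visitor’s IP address before it is stored, and suppressing the hit entirely when the browser sends a Do Not Track header or the visitor has not opted in. This is example code written for this article, not Piwik PRO’s code, and it does not describe how Piwik PRO implements these settings; the mask widths (last IPv4 octet, IPv6 /48) and the record fields are assumptions chosen for illustration.

```python
"""Added example: IP anonymization and Do Not Track handling for a web
analytics hit. Not Piwik PRO's code; the mask widths and record layout are
assumptions for illustration only."""
import ipaddress


def anonymize_ip(ip_str: str, v4_masked_octets: int = 1, v6_kept_bits: int = 48) -> str:
    """Zero the low-order bits so the stored value names a network block, not a host.

    IPv4: zero `v4_masked_octets` trailing octets (1 -> a.b.c.0).
    IPv6: keep only the first `v6_kept_bits` bits (48 -> the site prefix).
    """
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 4:
        if not 0 <= v4_masked_octets <= 4:
            raise ValueError("v4_masked_octets must be between 0 and 4")
        net = ipaddress.IPv4Network((ip, 32 - 8 * v4_masked_octets), strict=False)
    else:
        if not 0 <= v6_kept_bits <= 128:
            raise ValueError("v6_kept_bits must be between 0 and 128")
        net = ipaddress.IPv6Network((ip, v6_kept_bits), strict=False)
    # strict=False clears the host bits; the network address is the masked value.
    return str(net.network_address)


def _header(headers: dict, name: str):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def tracking_allowed(headers: dict, consent_given: bool) -> bool:
    """Honor DNT: 1 unconditionally, and otherwise require an explicit opt-in."""
    dnt = _header(headers, "DNT")
    if dnt is not None and dnt.strip() == "1":
        return False
    return bool(consent_given)


def build_hit(raw_ip: str, headers: dict, consent_given: bool, url: str):
    """Assemble the analytics record that would be stored for one page view.

    Returns None when the hit must be suppressed, so the raw IP is never
    written anywhere; otherwise the IP is anonymized before it is recorded.
    """
    if not tracking_allowed(headers, consent_given):
        return None
    return {
        "ip": anonymize_ip(raw_ip),
        "url": url,
        "user_agent": _header(headers, "User-Agent"),
    }


if __name__ == "__main__":
    # Constructed sample requests (documentation addresses, invented headers).
    samples = [
        ("203.0.113.77", {"User-Agent": "Mozilla/5.0"}, True, "/contact"),
        ("203.0.113.77", {"DNT": "1", "User-Agent": "Mozilla/5.0"}, True, "/contact"),
        ("2001:db8:abcd:1234:5678:9abc:def0:1", {"dnt": "0"}, False, "/locations"),
    ]
    for ip, hdrs, consent, path in samples:
        print(ip, "->", build_hit(ip, hdrs, consent, path))
```

Note that anonymization reduces, but does not remove, the privacy sensitivity of a record: the URL, timestamp and user agent stored alongside the masked IP can still single out a visitor, which is why the consent and DNT checks run before anything is written at all.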

Third-party integrations: Piwik PRO supports many integrations with CMSs, data visualization and data storage tools, and marketing platforms such as Google Ads.

What Data Does Piwik PRO Collect?

Piwik PRO is a first-party data platform that uses a data model similar to Universal Analytics. The biggest difference between Piwik PRO and other analytics platforms is data ownership: the owner of the website always retains ownership of the collected data, which is fairly uncommon in similar products. Exactly what the platform collects depends on how the tool is configured, but the following are almost always collected:

  • Site actions: The primary points of data collection, the events that users take on your site. This could be a button click, a form submission, a video view, or nearly any action you’ve defined on your site.
  • Event properties: The additional information attached to events, such as transaction prices, categories, and other attributes defined during setup.
  • Device information: This can include the visitor’s device model, operating system, and browser.
  • Location data: The visitor’s approximate location, derived from their IP address (and therefore subject to the IP anonymization settings described above).

Is Piwik PRO HIPAA-Compliant?

Every organization’s definition of HIPAA compliance depends on its legal team’s interpretation of the guidelines set by the U.S. Department of Health and Human Services. That being said, Piwik PRO falls fairly low on the risk scale because it offers a self-hosted (on-premises) option and is willing to enter into a Business Associate Agreement (BAA).

Risk Mitigation

Piwik PRO is a data-forward, privacy-focused product whose risk mitigation options go beyond signing a BAA. That being said, it is a good idea to have the following in place in order to catch some common missteps:

  • Ensure that you have a current, valid BAA in place. Schedule regular check-ins to verify that your BAA is still current.
  • Consider any other tools that may be integrated with Piwik PRO. Is your configuration (including tags deployed through the Tag Manager) sending data to another third-party tool? If so, do you have a BAA in place with that vendor? Stay aware of every step of your data processing, storage, and transmission, and be judicious about integrations that are unnecessary, redundant, or obsolete.
  • Remember that as the website owner, it is your responsibility to own the data process and determine where this data goes. Are you storing it on a third party’s servers? If so, does that provider meet HIPAA requirements and have a BAA with you? Each endpoint introduces another possibility for liability and risk.

It’s always important to connect with your legal team to determine how best to move forward. Listen to our HIPAA & FTC 101 podcast for more information about changes for healthcare companies.

Not sure how to get started?

Hedy & Hopp has already engaged multiple healthcare clients to perform an audit and risk assessment that both marketing and legal teams can use to make the best decisions for their business. If you’re looking to make sure your marketing practices are compliant, let’s talk – we’d love to help!
