Analytics and HIPAA
During the last few weeks I have been designing the architecture for a mobile app and the backend supporting that app. The domain model is related to healthcare, so all data that is PHI (Protected Health Information) must be stored in a HIPAA-compliant system.
Today I was looking at which analytics tool I would use. So I checked what data is collected and found that the IP address is often stored. That means that even without writing any code to send PHI, the analytics providers still collect at least one element viewed as PHI.
Then began the search for a HIPAA-compliant provider. To my surprise, Google Analytics is not compliant. Then my hope turned to Firebase, but no compliance there either. I found three solutions: Amplitude, Mixpanel and PiwikPro. The first two are quite similar in their basic/free offering. The last one is very different: it's based on Matomo (previously Piwik), an open-source alternative to Google Analytics. The Pro version provides HIPAA compliance. Unfortunately, the starting price was too high ($6,000 / year).
Choosing between Amplitude and Mixpanel is not easy. I had previously used Amplitude on another project and wanted to get up and running quickly, so I chose Amplitude.
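As an added illustration (not code from the original post or from the author's backend), the snippet below shows why the IP address leaks without any PHI being sent on purpose, and one way to stop it. An analytics SDK normally posts events straight from the device, so the provider's servers see the patient's IP as the TCP source address, in forwarded-for headers, and sometimes in an `ip` field of the event itself. A server-side relay that the app posts to instead, and which forwards a scrubbed copy, makes the provider see only the relay's address. The relay, the header list and every field name here are assumptions for the example; scrubbing on its own does not make a provider HIPAA-compliant, since you still need a Business Associate Agreement with whoever stores the data.

```python
import ipaddress
import json
from typing import Any, Dict, Tuple

# Hypothetical server-side relay (example code, not the post's own backend).
# The mobile app posts its analytics events here instead of to the provider;
# the relay forwards a scrubbed copy. Because the relay opens the outbound
# connection, the provider records the relay's source address, never the
# patient's device IP.

# Headers that proxies and load balancers use to carry the original client
# address; none of them may be forwarded. Illustrative list.
IP_HEADERS = {
    "x-forwarded-for", "x-real-ip", "forwarded", "true-client-ip", "cf-connecting-ip",
}

# Event property names the app must never hand to a third party. Illustrative,
# not a HIPAA definition; adapt to the app's own event schema.
BLOCKED_KEYS = {"ip", "ip_address", "client_ip", "email", "phone", "dob", "mrn", "patient_name"}


def looks_like_ip(value: Any) -> bool:
    """True if value is a string that parses as an IPv4 or IPv6 address."""
    if not isinstance(value, str):
        return False
    try:
        ipaddress.ip_address(value.strip())
    except ValueError:
        return False
    return True


def scrub(obj: Any) -> Any:
    """Recursively drop blocked keys and any IP-shaped string from an event."""
    if isinstance(obj, dict):
        return {
            key: scrub(val)
            for key, val in obj.items()
            if key.lower() not in BLOCKED_KEYS and not looks_like_ip(val)
        }
    if isinstance(obj, list):
        return [scrub(val) for val in obj if not looks_like_ip(val)]
    return obj


def contains_ip(obj: Any) -> bool:
    """Audit helper: True if any string anywhere in obj parses as an IP."""
    if isinstance(obj, dict):
        return any(contains_ip(val) for val in obj.values())
    if isinstance(obj, list):
        return any(contains_ip(val) for val in obj)
    return looks_like_ip(obj)


def scrub_body(body: bytes) -> Dict[str, Any]:
    """Parse a JSON event body posted by the app and return the scrubbed event."""
    return scrub(json.loads(body))


def relay_event(incoming_headers: Dict[str, str], body: bytes) -> Tuple[Dict[str, str], bytes]:
    """Build the headers and body the relay would send on to the provider."""
    out_body = json.dumps(scrub_body(body), separators=(",", ":")).encode()
    out_headers = {
        key: val for key, val in incoming_headers.items()
        if key.lower() not in IP_HEADERS and key.lower() != "content-length"
    }
    out_headers["Content-Length"] = str(len(out_body))
    return out_headers, out_body


# Constructed sample of what an SDK-style event posted from a device might carry.
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "Content-Length": "999",
    "X-Forwarded-For": "203.0.113.7, 10.0.0.2",
    "User-Agent": "ExampleApp/1.0",
}
SAMPLE_EVENT = {
    "event_type": "screen_view",
    "user_id": "a1b2c3",
    "ip": "203.0.113.7",
    "event_properties": {"screen": "appointments", "email": "jane@example.com"},
    "device": {"platform": "ios", "addrs": ["fe80::1", "wifi"]},
}
SAMPLE_BODY = json.dumps(SAMPLE_EVENT).encode()

if __name__ == "__main__":
    headers, body = relay_event(SAMPLE_HEADERS, SAMPLE_BODY)
    print(headers)
    print(body.decode())
```

The `contains_ip` audit helper is the check worth keeping around: run it over what the relay actually emits in tests so a new SDK version that starts attaching a local address in some nested field fails the build instead of reaching the provider.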