Is Matomo HIPAA Compliant?

Between 2023 and 2025, healthcare organizations paid more than $193 million in enforcement actions and class action settlements tied to tracking technology. The common thread across every case was not a sophisticated cyberattack. It was standard marketing tools, deployed by well-intentioned teams, sending patient data to third parties like Google and Meta without adequate safeguards.

That regulatory environment has driven a predictable response: healthcare organizations searching for analytics tools where data never leaves their own infrastructure. Matomo, an open-source analytics platform that can be self-hosted on your own servers, appears to be the answer. No third-party data sharing. No vendor with access to patient information. No BAA required because there is no business associate.

The logic is appealing. It is also incomplete.

The Regulatory Shift That Changed Healthcare Analytics

In December 2022, the HHS Office for Civil Rights published guidance clarifying that HIPAA-regulated entities may not use tracking technologies in ways that disclose protected health information (PHI) to tracking vendors without proper safeguards. The guidance made clear that even IP addresses on unauthenticated public pages could constitute PHI when combined with health context.

In July 2023, OCR and the FTC sent joint warning letters to approximately 130 hospital systems and telehealth providers about tracking technology risks. The FTC followed through with enforcement actions against GoodRx ($25 million in combined penalties) and Cerebral ($7 million), while class action settlements against organizations like Kaiser Permanente ($47.5 million), Advocate Aurora Health ($12.25 million), and Sutter Health ($21.5 million) demonstrated that the private litigation risk was just as severe.

This wave of enforcement created a clear message: if your analytics tool sends data to a third party, and that third party does not have a BAA with you, you have a problem.

Self-hosted analytics tools like Matomo entered the conversation as a way to sidestep that problem entirely.

Why Self-Hosting Feels Like a Safe Harbor

Matomo On-Premise is genuinely different from Google Analytics, Mixpanel, or Amplitude in one important respect: when you self-host Matomo, visitor data stays on your servers. There is no data flowing to Matomo's corporate infrastructure, no third-party vendor processing your analytics, and no need for a BAA because Matomo (the company) never touches your data.

This matters. The enforcement cases that produced $193 million in settlements all involved data leaving the healthcare organization's control and reaching companies like Meta and Google. Advocate Aurora Health installed Meta Pixel and Google Analytics on its patient portal to "better understand patient needs" and exposed data on approximately 3 million patients. Sutter Health implemented Google Analytics and the Meta Pixel on its MyHealthOnline patient portal, leading to a $21.5 million settlement covering California residents who logged in between June 2015 and March 2020.

Self-hosted Matomo eliminates the specific failure pattern behind these cases. That is a real advantage and it deserves acknowledgment.

But eliminating third-party data sharing is not the same as achieving HIPAA compliance.

What Self-Hosting Actually Shifts

When you self-host Matomo, you are not removing compliance requirements. You are accepting full responsibility for them. Every safeguard that a compliant analytics vendor would provide becomes your obligation to build, maintain, and document.

Encryption. HIPAA requires encryption of PHI at rest and in transit. Your Matomo database stores URLs, page titles, search terms, and user behavior patterns. On a healthcare website, those URLs alone can reveal conditions, treatments, and provider relationships. You need TLS for data in transit and encryption at rest for the database, backups, and any log files that contain visitor data.

Access controls. HIPAA's minimum necessary standard requires role-based access controls. Who on your team can access Matomo dashboards? Can a marketing analyst see the same raw data as a compliance officer? Matomo's built-in permissions system is functional, but configuring it to meet HIPAA's access control requirements takes deliberate effort.

Audit logging. Covered entities must maintain logs of who accessed what data and when. Matomo does not provide HIPAA-grade audit logging out of the box. You will need to layer this on top using your infrastructure's own logging capabilities.

Patching and vulnerability management. Open-source software requires active maintenance. Matomo releases security patches regularly, and applying them is your responsibility. A self-hosted analytics instance that falls behind on updates becomes an unpatched system holding PHI.

Disaster recovery and backup. HIPAA's availability requirements apply to any system containing PHI. Your Matomo instance needs documented backup procedures, tested recovery processes, and defined recovery time objectives.

None of this is impossible. Organizations with strong DevOps and security teams do it every day. But it is a meaningful operational commitment, and the compliance burden does not disappear simply because you control the servers.

The Client-Side Tracking Blind Spot

There is a subtler architectural concern that self-hosting does not address. Even when data stays on your servers, Matomo's default tracking mechanism relies on a JavaScript snippet running in the visitor's browser. This client-side code collects URLs, page titles, referrers, screen resolutions, and browsing behavior before sending it to your Matomo server.

The data collection itself happens in the browser. That means:

  • URLs containing PHI are captured at the source. If a patient visits a page like /conditions/hiv-testing/schedule-appointment, that URL is captured by the JavaScript tracker before it reaches your server. Even though the data goes to your infrastructure rather than Google's, the tracking code still captures potentially sensitive health information.

  • Page titles and search queries can contain PHI. A patient portal search for a specific medication or condition becomes an analytics data point. Self-hosting means that data point stays on your servers, but it is still being collected and stored.

  • Matomo plugins can reintroduce third-party data flows. The Matomo marketplace offers plugins for heatmaps, session recording, A/B testing, and integrations with other platforms. Each plugin needs evaluation for whether it introduces data flows to external services. A single plugin that phones home or loads an external script can undermine the entire self-hosting advantage.

Server-side tracking architectures solve this problem differently. Instead of relying on client-side JavaScript to collect and transmit data, server-side architectures process data on your server before it reaches any analytics platform. The browser never executes tracking code that captures sensitive URLs or page content. This is the architectural difference between controlling where data goes and controlling what data gets collected in the first place.

Matomo Cloud: A Different Compliance Profile

It is worth distinguishing between Matomo On-Premise and Matomo Cloud, because they carry different compliance implications.

Matomo Cloud is a hosted service where Matomo (the company) processes your data on their infrastructure. For healthcare use, Matomo offers HIPAA compliance features on their Business plan, including a BAA. This puts Matomo Cloud in a different category from the self-hosted option: Matomo becomes a business associate, accepts liability under HIPAA, and takes on responsibility for infrastructure security.

However, even with a BAA, healthcare organizations should evaluate the same factors they would with any analytics vendor: What does the BAA actually cover? Does Matomo hold SOC 2 Type II certification, and if so, does it cover all five trust criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy) or just Security? Does the cloud offering provide server-side tracking, or does it still rely on client-side JavaScript? What ongoing monitoring is in place to detect compliance drift?

A BAA is necessary but not sufficient. It is the starting point of vendor evaluation, not the conclusion.

The Ongoing Monitoring Gap

Whether you choose Matomo On-Premise or Matomo Cloud, there is one compliance dimension that neither option addresses on its own: continuous monitoring of your website's full tracking surface.

Installing Matomo is just one part of your website's analytics infrastructure. Marketing teams routinely add scripts, plugins update automatically, third-party tags load other tags through tag managers, and your site's tracking surface changes without anyone noticing. Every enforcement case cited above involved tracking that had been running for months or years before anyone at the organization realized data was being shared improperly.

Kaiser Permanente ran third-party tracking code that transmitted health information to Google, Microsoft, Meta, and X from 2017 to 2024, affecting 13.4 million members. That is seven years of undetected data leakage.

A web scanner that crawls your site on an ongoing basis and detects every cookie, script, localStorage entry, and tracking pixel across every page is the difference between "we set it up right once" and "we know it's still right today." This applies regardless of whether your primary analytics tool is self-hosted, cloud-hosted, or anything else. The compliance risk is not just your analytics tool. It is everything else running on your pages.
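A static first pass at the scanning described above, as an added example that is not the page's, Matomo's, or Ours Privacy's own code: it lists every remote host a page's HTML loads resources from and flags those outside a first-party allow-list, which also catches a Matomo plugin that loads an external script. The allow-list, the hostnames, and the sample page are constructed placeholders.

```javascript
// Added example, not the page's, Matomo's or Ours Privacy's code: a static
// first pass at the scanning described above, listing every remote host a
// page's HTML loads resources from and flagging those outside an allow-list.
// The allow-list and the sample page are constructed placeholders.
const FIRST_PARTY_HOSTS = new Set(['hospital.example', 'matomo.internal.example']); // placeholder

// Tags whose src/href fetch a remote resource: scripts, images (tracking
// pixels are 1x1 images), iframes (chat widgets) and link elements.
const RESOURCE_RE = /<(script|img|iframe|link)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;

function resourceHost(ref, pageUrl) {
  try {
    return new URL(ref, pageUrl).host; // resolves relative and protocol-relative refs
  } catch {
    return null; // malformed refs have no host to report
  }
}

// Returns one finding per resource loaded from a host outside the allow-list,
// in document order, so the report can be diffed between scans.
function findThirdPartyResources(html, pageUrl) {
  const findings = [];
  for (const m of html.matchAll(RESOURCE_RE)) {
    const [, tag, ref] = m;
    const host = resourceHost(ref, pageUrl);
    if (host && !FIRST_PARTY_HOSTS.has(host)) {
      findings.push({ tag: tag.toLowerCase(), host, ref });
    }
  }
  return findings;
}

// Unique third-party hosts, sorted, for a per-page summary line.
function thirdPartyHosts(html, pageUrl) {
  return [...new Set(findThirdPartyResources(html, pageUrl).map((f) => f.host))].sort();
}

// Constructed sample: a patient-facing page with a self-hosted Matomo tracker
// plus a tag manager, a 1x1 pixel and a chat widget nobody documented.
const SAMPLE_PAGE_URL = 'https://hospital.example/conditions/hiv-testing/';
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://matomo.internal.example/matomo.js" async></script>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
</head><body>
<img src="/img/logo.png" alt="Hospital">
<img src="https://www.facebook.com/tr?id=PLACEHOLDER&ev=PageView" height="1" width="1">
<iframe src="https://chat-vendor.example/widget"></iframe>
</body></html>`;

// Usage: thirdPartyHosts(SAMPLE_HTML, SAMPLE_PAGE_URL) lists the three
// external hosts above; the self-hosted Matomo script is not reported.
```

This is deliberately the cheap check: it reads the served HTML, so it misses scripts that a tag manager or an inline script injects at runtime, and it does not see cookies or localStorage at all. The scanner the text describes has to drive a real browser, record the network requests, cookies and storage that result, and repeat that across every page on a schedule; the static pass is useful as a gate in CI and as a baseline to diff against.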

Evaluating Matomo for Your Healthcare Organization

If you are considering Matomo for a HIPAA-regulated environment, here is a framework for the evaluation:

For Matomo On-Premise:

  • Can your team commit to ongoing patching, encryption, access controls, and audit logging?

  • Do you have documented procedures for database encryption at rest and backup management?

  • Have you audited every Matomo plugin for third-party data flows?

  • Is your tracking configuration filtering or excluding URLs that could contain PHI?

  • Do you have a process for continuous monitoring of your entire website's tracking surface, beyond just Matomo?

For Matomo Cloud (Business plan with BAA):

  • Does the BAA cover all data flowing through the platform, or are there carve-outs?

  • What SOC 2 certifications does Matomo hold, and how many trust criteria are covered?

  • Does the tracking architecture rely exclusively on client-side JavaScript?

  • What ongoing compliance monitoring does the platform provide?

For either option:

  • Are consent workflows integrated with data collection, ensuring data only flows after verified consent?

  • Is bot traffic being filtered to prevent non-human data from inflating analytics?

  • Can you demonstrate to auditors exactly what data is being collected, where it is stored, and who has access?

Healthcare compliance is not a product feature you install. It is an ongoing operational discipline. Matomo provides a legitimate foundation for privacy-respecting analytics, but the compliance work sits on top of that foundation, and it requires sustained attention whether you self-host or use the cloud offering.

FAQ

Does Matomo On-Premise require a BAA?

No. Because you host Matomo on your own infrastructure and Matomo (the company) never accesses your data, there is no business associate relationship. However, this means you are solely responsible for all HIPAA safeguards: encryption, access controls, audit logging, and security patching. The absence of a BAA is not a compliance shortcut; it simply means the entire compliance burden falls on you rather than being shared with a vendor.

Can Matomo Cloud sign a BAA for healthcare organizations?

Matomo offers HIPAA compliance features and a BAA on their Business plan for Matomo Cloud customers. If you choose the cloud option, evaluate the BAA carefully: confirm it covers all data flowing through the platform, check what SOC 2 certifications Matomo holds, and verify the scope of their compliance commitments. A BAA is the starting point of due diligence, not the end.

Does self-hosting Matomo eliminate all tracking risks on my healthcare website?

No. Matomo controls only its own data collection. Your website likely has other scripts, pixels, tag manager configurations, cookie consent banners, chatbots, and third-party integrations that operate independently. Each of these can collect and transmit visitor data. Continuous scanning of your entire website's tracking surface is necessary to identify risks beyond your analytics platform.

Is Matomo's JavaScript tracking code a compliance concern even when self-hosted?

It can be. The JavaScript tracker runs in the visitor's browser and captures URLs, page titles, search queries, and browsing behavior. On healthcare websites, these data points can contain PHI. While the data goes to your servers rather than a third party, you still need to configure the tracker to exclude sensitive URL parameters, filter PHI from page titles, and ensure the collection itself aligns with your consent workflows.

How does Matomo compare to server-side analytics architectures for healthcare compliance?

Matomo's default implementation uses client-side JavaScript, which means the browser collects and transmits data to your analytics server. Server-side architectures process data on the server before it reaches any analytics platform, giving you more control over what gets collected and preventing the browser from ever handling sensitive data directly. For healthcare organizations with strict compliance requirements, server-side architectures provide stronger guarantees about data handling at the point of collection.

Building a compliant analytics stack for healthcare requires more than choosing the right tool. It requires server-side architecture, continuous monitoring, and consent-gated data flows working together. Learn how Ours Privacy approaches healthcare analytics with SOC 2 Type II certification across all five trust criteria, server-side tracking, and built-in web scanning.

Related reading:

  • HIPAA Compliant Analytics Tools

  • Is Google Analytics HIPAA Compliant?

  • Is Plausible HIPAA Compliant?

  • Is Mixpanel HIPAA Compliant?