Is Plausible HIPAA Compliant?

Before evaluating any analytics tool for healthcare, it helps to know exactly what the compliance bar looks like. Most organizations start with the question "Does this tool respect privacy?" when the real question is "Does this tool meet every requirement that HIPAA, the FTC, and state regulators actually enforce?" Those are two very different standards.

Plausible Analytics is a privacy-focused, open-source web analytics platform that takes a genuinely different approach from tools like Google Analytics. It uses no cookies, collects no personal data, weighs under 1 KB, and provides aggregate-only metrics. It was built to be GDPR-compliant by design.

That design philosophy is admirable, and it eliminates many of the problems that have cost healthcare organizations more than $193 million in settlements since 2023. But "better for privacy" and "healthcare compliant" are not the same thing. Here is the framework for evaluating whether Plausible meets the full compliance bar, and where the gaps exist.

Five Requirements Every Healthcare Analytics Vendor Must Meet

Healthcare compliance is not a single checkbox. It is a set of interlocking requirements, each of which addresses a different risk vector. Any analytics tool used by a HIPAA-covered entity or its business associates needs to satisfy all five.

1. Business Associate Agreement (BAA). Under HIPAA, any vendor that receives, processes, or stores protected health information (PHI) on behalf of a covered entity must sign a BAA. The BAA is a legal contract in which the vendor accepts liability for safeguarding that data. Without one, the covered entity bears full regulatory exposure for any data the vendor handles.

2. SOC 2 Type II with all five trust criteria. SOC 2 Type II certification means independent auditors verified sustained compliance across Security, Availability, Processing Integrity, Confidentiality, and Privacy. Most vendors certify only Security (one of five). That is table stakes, not compliance. All five criteria demonstrate the operational rigor healthcare demands.

3. Server-side data architecture. Client-side tracking relies on JavaScript executing in the visitor's browser. The browser collects data and sends it to external servers. Server-side architecture processes data on your infrastructure first, so the browser never communicates directly with any analytics endpoint. This is the architectural difference between hoping nothing leaks and ensuring nothing can leak.

4. Consent-gated data collection. Data should only flow to analytics destinations after consent has been verified server-side. A JavaScript consent banner that gates a JavaScript analytics tag is better than nothing, but both layers run in the browser, where they can be bypassed, blocked, or rendered inconsistently.

5. Continuous compliance monitoring. A web scanner that crawls your site on an ongoing basis, detecting every cookie, script, localStorage entry, and tracking pixel across every page, is the difference between "we configured it correctly once" and "we know it is still correct today." Marketing teams add scripts. Plugins update. Tag managers load additional tags. Your compliance surface changes constantly.

How Plausible Handles Data Differently

Plausible deserves credit for the things it gets right. It was designed to collect the minimum data necessary for useful analytics, and it follows through on that promise.

The Plausible script does not use cookies. It does not generate persistent identifiers. It does not track users across sessions or across sites. It does not store IP addresses: the address is used only to compute a salted hash for unique visitor counting and is then discarded, and the salt rotates daily. Visitor counts are approximations based on these rotating hashes, not tracked individuals.

The script itself is under 1 KB, compared to Google Analytics at roughly 45 KB. That size difference reflects a real difference in data collection scope: Plausible simply collects less.

For privacy-conscious organizations outside healthcare, this is often enough. Plausible satisfies GDPR requirements without a consent banner in many jurisdictions. It is a legitimate, well-engineered tool that solves the problem it was designed to solve.

The question is whether the problem it was designed to solve is the same problem healthcare organizations face.

Where Privacy-First Design Falls Short of Healthcare Compliance

Evaluating Plausible against the five-requirement framework reveals gaps that privacy-friendly design alone cannot close.

No Business Associate Agreement

Plausible does not sign BAAs. For a HIPAA-covered entity, this is the threshold issue. If any data that could constitute PHI flows through Plausible's infrastructure, the absence of a BAA means the covered entity has no contractual protection and no shared liability with the vendor.

The counterargument is that Plausible does not collect PHI. No names, no email addresses, no IP addresses stored, no cookies. If there is no PHI, there is no need for a business associate relationship.

That argument has a structural weakness. Page URLs are collected by Plausible, and on healthcare websites, URLs carry health context. A visit to /oncology/treatment-options or /behavioral-health/intake-form reveals the visitor's health interests. Under the December 2022 HHS OCR guidance, even IP addresses on unauthenticated public pages could constitute PHI when combined with health context. Plausible discards IP addresses after hashing, but the page URLs themselves travel from the visitor's browser to Plausible's servers, and those URLs can contain health information.

Without a BAA, the covered entity absorbs all risk associated with that data flow.

No SOC 2 Type II Certification

Plausible is a small, independent company focused on building a privacy-respecting analytics tool. It does not hold SOC 2 Type II certification. For most of Plausible's customer base, this is not a concern. For healthcare organizations that need to demonstrate to auditors that every vendor in their data pipeline meets independently verified security and privacy standards, the absence of SOC 2 creates a gap in the audit trail.

Client-Side JavaScript Execution

Plausible's tracking works through a JavaScript snippet that loads in the visitor's browser. The script is lightweight and privacy-respecting, but it is still client-side code. When a patient visits a healthcare website with Plausible installed, the browser executes the Plausible script, collects the page URL (along with referrer, screen size, and country derived from the IP), and sends that data to Plausible's servers at plausible.io.

This means page URLs containing health context leave the visitor's browser and travel to a third-party server. The data minimization is real: Plausible collects far less than Google Analytics. But the architectural pattern is the same. Data originates in the browser and transmits to an external endpoint.

Server-side analytics architectures avoid this entirely. Data processing happens on the healthcare organization's own server before anything reaches an analytics platform. The browser never sends health-contextual URLs to a third party.

No Consent-Gated Dispatch

Plausible's position is that consent banners are unnecessary because the tool does not collect personal data. Under GDPR, this is a defensible position. Under HIPAA and the FTC Health Breach Notification Rule, the analysis is different. Healthcare organizations increasingly need the ability to gate data collection behind verified consent, particularly as state privacy laws expand patient rights.

Plausible does not offer consent integration or server-side consent verification. The script loads and collects data for every visitor, which is fine when the data is truly non-sensitive. On healthcare websites, where the pages themselves carry health meaning, unconditional collection creates risk.

What $193 Million in Settlements Teaches About "Low-Risk" Tools

The enforcement record is worth examining because every major case involved tools that organizations believed were low-risk or standard practice.

Advocate Aurora Health installed Meta Pixel and Google Analytics on its website and patient portal to "better understand patient needs." The stated purpose was reasonable. The result was exposure of approximately 3 million patients' data and a $12.25 million settlement. The tools were doing exactly what they were designed to do. The problem was that what they were designed to do was incompatible with healthcare compliance requirements.

Sutter Health implemented Google Analytics and the Meta Pixel on its MyHealthOnline patient portal, resulting in a $21.5 million settlement covering California residents who logged in between June 2015 and March 2020. Five years of data exposure before anyone addressed it.

Kaiser Permanente ran third-party tracking code across websites, patient portals, and mobile apps from 2017 to 2024. The code transmitted health information to Google, Microsoft, Meta, and X without member consent, affecting 13.4 million members and producing a $47.5 million settlement.

Plausible is categorically different from Meta Pixel and Google Analytics. It collects less data, does not build advertising profiles, and does not share data with ad platforms. These distinctions matter. But the enforcement pattern reveals a deeper principle: regulators and courts evaluate what data leaves the organization's control, not whether the vendor's intentions are good. The question is always whether PHI reached a third party without proper safeguards, not whether the third party used it maliciously.

Bridging the Gap Between Privacy and Compliance

The gap between Plausible's privacy-first design and full healthcare compliance is not a criticism of the tool. It is a reflection of how demanding healthcare compliance actually is. Plausible solves the surveillance problem (no tracking individuals, no profiling, no ad targeting). Healthcare compliance requires solving a different problem: ensuring that no data with health context leaves your organization's control without contractual protections, verified security standards, and continuous monitoring.

A compliant analytics architecture for healthcare needs several things working together.

Server-side data processing ensures the browser never sends page URLs to third-party analytics servers. Data flows from your server to your analytics platform, and you control exactly what gets sent.

A real BAA means your analytics vendor accepts HIPAA liability for the data they process. This is not optional when health-contextual data is involved.

SOC 2 Type II across all five trust criteria gives your compliance team independently verified proof that the vendor meets healthcare-grade security, availability, processing integrity, confidentiality, and privacy standards.

Consent-gated dispatch ensures data only flows to analytics destinations after consent is verified server-side. Not a JavaScript check that can be bypassed, but a server-side gate that prevents data from moving until consent is confirmed.
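The server-side, consent-gated pattern described in requirements 3 and 4 above and in the last two paragraphs, as an added illustration (this is not Plausible's or Ours Privacy's code): the browser reports a page view only to your own server, which checks a consent record it holds, reduces the URL to what analytics needs, and only then emits an event toward the analytics sink. The consent store, the sensitive path prefixes, the session ids and the in-memory sink are all constructed stand-ins.

```python
import json
from urllib.parse import urlsplit

# Constructed sample data. The consent store is server-held state keyed by an
# opaque session id the server issued; the browser never sends a consent flag.
CONSENT_STORE = {"sess-abc": True, "sess-def": False}

# Constructed list of path prefixes that carry health context on this site.
SENSITIVE_PREFIXES = ("/oncology/", "/behavioral-health/", "/appointments/")

# In-memory stand-in for the analytics platform's server-to-server endpoint.
SENT_EVENTS = []


def consent_verified(session_id):
    """Decide consent from server-side state only (missing record = no consent)."""
    return CONSENT_STORE.get(session_id, False)


def minimize_url(url):
    """Keep only what analytics needs: collapse health-context paths to their
    section and always drop the query string (it may hold ids or search terms)."""
    path = urlsplit(url).path or "/"
    for prefix in SENSITIVE_PREFIXES:
        if path.startswith(prefix):
            return prefix.rstrip("/")
    return path


def referrer_host(referrer):
    """Forward only the referring host, never the full referrer URL."""
    return urlsplit(referrer).netloc if referrer else ""


def dispatch_pageview(request):
    """Server-side gate: return the forwarded event, or None if nothing was sent.
    `request` is the page view your own server received from the browser."""
    if not consent_verified(request.get("session_id")):
        return None  # no consent on record: the event stops here
    event = {
        "path": minimize_url(request["url"]),
        "referrer_host": referrer_host(request.get("referrer")),
        "country": request.get("country", ""),  # resolved server-side; IP not kept
    }
    SENT_EVENTS.append(json.dumps(event))  # stand-in for the outbound API call
    return event
```

Because the gate and the minimization both run on the server, a blocked banner or a tampered client cannot cause a health-context URL or query string to reach the analytics endpoint.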

Continuous web scanning catches the compliance drift that every enforcement case demonstrates: the scripts and pixels that accumulate over months and years without anyone noticing. Your analytics tool might be configured correctly, but what about the chatbot your marketing team added last month, or the A/B testing snippet that loaded a third-party cookie?
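One building block of the scanning described in requirement 5 and the paragraph above, as an added example rather than any vendor's product: a static check of one page's HTML that flags scripts, pixels and iframes loading from outside the first-party origin, plus inline use of localStorage and document.cookie. The sample page, the hostnames and the first-party allowlist are constructed; a real scanner would run this over every crawled page on a schedule and add a headless browser to see tags injected at runtime.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page for a hypothetical clinic site (not a real site).
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script defer data-domain="clinic.example" src="https://plausible.io/js/script.js"></script>
<script>localStorage.setItem("visitor", "x1"); document.cookie = "ab=1";</script>
</head><body>
<img height="1" width="1" src="https://tracker.example/px?id=123" />
<iframe src="https://chat-widget.example/embed"></iframe>
</body></html>
"""

# Assumed first-party hosts; "" covers relative URLs such as /static/app.js.
FIRST_PARTY = {"", "clinic.example", "www.clinic.example"}


class TrackerScanner(HTMLParser):
    """Records (kind, host) for resources that leave the first party and
    (inline-<api>, "") for inline scripts touching browser storage."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        host = urlsplit(a.get("src", "")).netloc
        if tag == "script":
            self._in_script = True
        if tag in ("script", "img", "iframe") and host not in FIRST_PARTY:
            kind = "pixel" if tag == "img" and a.get("width") == "1" else tag
            self.findings.append((kind, host))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # script bodies arrive here as raw text
            for api in ("localStorage", "document.cookie"):
                if api in data:
                    self.findings.append(("inline-" + api, ""))


def scan_page(html):
    """Return every finding for one page; an empty list means nothing flagged."""
    scanner = TrackerScanner()
    scanner.feed(html)
    return scanner.findings
```

Diffing each page's findings against the previous run is what turns this into drift detection: a new host or a new inline storage call is exactly the "chatbot added last month" case.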

FAQ

Does Plausible collect protected health information?

Plausible does not collect names, email addresses, or IP addresses, and it uses no cookies. However, it does collect page URLs, and on healthcare websites, those URLs can carry health context (such as condition pages, treatment information, or appointment scheduling paths). Whether this constitutes PHI depends on the specific pages being tracked and the regulatory framework being applied. The HHS OCR guidance on tracking technologies takes a broad view of what qualifies as PHI in web tracking contexts.

Can Plausible sign a Business Associate Agreement?

No. Plausible does not currently offer BAAs. Their position is that a BAA is unnecessary because the tool does not collect personal data. For organizations subject to HIPAA, the absence of a BAA means the covered entity absorbs all regulatory risk for any data that flows through Plausible's servers, including page URLs with health context.

Is Plausible safer than Google Analytics for healthcare websites?

Plausible collects significantly less data than Google Analytics, does not use cookies, does not track individuals, and does not share data with advertising platforms. From a privacy perspective, it is meaningfully better. From a healthcare compliance perspective, both tools share the same architectural limitation: client-side JavaScript that sends page URLs to a third-party server. Plausible sends less data, but the data still leaves your organization's control without a BAA or SOC 2 certification backing the relationship.

Can I self-host Plausible to avoid third-party data flows?

Plausible offers a self-hosted Community Edition. Self-hosting keeps all data on your infrastructure and eliminates the need for a BAA with Plausible. However, self-hosting shifts the compliance burden to your team. You become responsible for encryption at rest and in transit, access controls, audit logging, security patching, and backup management. The tracking mechanism also remains client-side JavaScript, so the browser still collects and transmits health-contextual URLs to your self-hosted instance.

What should healthcare organizations use instead of Plausible?

Healthcare organizations should look for analytics platforms that combine server-side architecture (so the browser never sends data to analytics endpoints), a comprehensive BAA, SOC 2 Type II certification across all five trust criteria, consent-gated data dispatch, and continuous web scanning. These requirements work together as a system. No single feature, whether it is privacy-friendly design, a BAA, or self-hosting, is sufficient on its own.

Healthcare analytics compliance requires more than choosing a privacy-friendly tool. It requires server-side architecture, contractual protections, independent security verification, and continuous monitoring working together. Learn how Ours Privacy approaches healthcare analytics with SOC 2 Type II certification across all five trust criteria, server-side tracking, and built-in web scanning.

Related reading:

  • HIPAA Compliant Analytics Tools

  • Is Google Analytics HIPAA Compliant?

  • Is Matomo HIPAA Compliant?

  • Is Mixpanel HIPAA Compliant?