The 7 best HIPAA-compliant analytics tools
Contents
If you're building a healthcare app or handling protected health information (PHI), your analytics tool is more than just a product decision – it's a legal one too; using the wrong tool can expose you to serious HIPAA liability.
The good news: there are solid options. This guide covers the best HIPAA-compliant analytics tools available right now, whether you need a Business Associate Agreement (BAA), a self-hosted deployment, or both.
What is HIPAA?
Passed in 1996, HIPAA (Health Insurance Portability and Accountability Act) defines the legal requirements for securing and handling health information, and the severe penalties for failing to do so.
Data protected under HIPAA is called Protected Health Information (PHI), or ePHI if it is digitized. It includes any data that can be used to identify the past, current or future health status of an individual.
This includes test results and diagnoses, but also birthdays, ethnicity, gender and other information. Even an IP address can be considered ePHI under HIPAA.
While similar in some respects to the EU's General Data Protection Regulation (GDPR), HIPAA applies specifically to companies handling the PHI of US-based customers. Companies that also need to comply with the GDPR should see our guide to GDPR-compliant analytics.
There are two ways to be HIPAA-compliant while using analytics tools:
- Self-host your analytics, so data remains totally within your control.
- Sign a Business Associate Agreement (BAA) with a third-party analytics tool.
What is a Business Associate Agreement (BAA)?
Some services enable HIPAA compliance through the creation of a Business Associate Agreement (US Department of Health). This is a contract with a service provider to ensure that they are jointly compliant and liable for services they provide.
It's worth noting that, because BAAs expose third-parties to increased risk and scrutiny, they are often an expensive option and/or require users to purchase a higher tier of license.
Some analytics tools, such as Google Analytics, don't offer BAAs and are therefore not HIPAA-compliant.
The best HIPAA-compliant analytics tools
1. PostHog
PostHog is a developer platform that combines product analytics, web analytics, session replay, feature flags, experiments, error tracking, user surveys, and a lot more.
It gives you every tool you need to understand user behavior and, unlike typical analytics tools that rely on third-party integrations, all these tools work together seamlessly.
Being an all-in-one platform has two further benefits:
- PostHog can replace multiple products – e.g. Mixpanel for product analytics, LaunchDarkly for feature management, Sentry for error tracking, etc.
- You only need to sign one BAA to get all these tools, reducing legal complexity and risk.
PostHog and HIPAA compliance
- Self-hostable: ✔
- BAA available: ✔
- BAA plan: Platform packages – $250/mo
A BAA is available on PostHog's platform packages, which also includes priority support and generous free usage limits for all tools – e.g. 1 million free analytics events every month. You can also self-host the open-source edition of PostHog, but this isn't recommended as it's provided without guarantee or support.
Install PostHog with one command
Paste this into your terminal and make AI do all the work.
2. Mixpanel
Mixpanel is a product analytics tool with genuinely strong funnel and behavioral analysis – useful for healthcare teams tracking complex user journeys. It added session replay and feature flags in late 2025, which means more functionality under a single BAA than before.
That said, surveys and error tracking still aren't included natively, so you'd likely need additional tools – and separate BAAs – for those.
Mixpanel and HIPAA compliance
- Self-hostable: ✖
- BAA available: ✔
- BAA plan: Contact sales for pricing
A BAA is available on Mixpanel's Enterprise plan.
See also: The most popular Mixpanel alternatives
3. Countly
Countly is an analytics platform for mobile, web, and desktop applications that also offers add-ons for remote configuration, A/B testing, and user surveys. Support for app crash and error reports, and push notifications, makes it particularly well-suited to mobile app analytics.
Countly and HIPAA compliance
- Self-hostable: ✔
- BAA available: ✖
Countly doesn't offer a BAA for HIPAA compliance on its hosted cloud, but it does offer the option to either:
- Self-host the product on your own.
- Deploy it to a private cloud managed by Countly.
This makes Countly a good option if you'd prefer to self-host your analytics.
4. Freshpaint
Freshpaint isn't an analytics tool per se, it's more of an analytics event tracker and customer data platform (CDP) that's specifically designed for healthcare companies.
Freshpaint sits between data sources (e.g. data warehouses) and third-party data destinations and ensures no PHI is passed between them. This means you can continue to use non-HIPAA compliant tools, such as Google Analytics, safe in the knowledge you're not accidentally passing PHI into them.
Freshpaint and HIPAA compliance
- Self-hostable: ✖
- BAA available: ✔
- BAA plan: Contact sales for pricing
Freshpaint is a cloud-only product specifically designed for healthcare companies, so it offers a BAA (available on the Compliance plan, which requires a custom quote).
5. Piwik PRO
Piwik PRO is a commercial analytics and customer data platform spun out of the open-source analytics tool, Matomo. As such, it's more a web analytics tool than other options in this list, though you can use it on mobile and web apps. Because it's based on Europe, Piwik PRO is popular among companies also seeking GDPR compliance – it has a built-in compliance manager to assist with this, too.
PiwikPRO and HIPAA compliance
- Self-hostable: ✔
- BAA available: ✔
- BAA plan: Contact sales for pricing
PiwikPRO offers HIPAA compliance as part of its PRO Enterprise plan, either by signing a BAA or by self-hosting, giving you maximum flexibility.
6. Amplitude
Amplitude sits somewhere between PostHog and Mixpanel. It's a product analytics tool at its core, but also has extra features such as session replay, feature flags, A/B testing, and Guides & Surveys. It also has anomaly detection, which will automatically flag when certain metrics fall outside expected trends, and creating insights based on natural language questions like "signups in the last 30 days."
Amplitude and HIPAA compliance
- Self-hostable: ✖
- BAA available: ✔
- BAA plan: Contact sales for pricing
Amplitude offers a BAA on its Enterprise plan, which includes advanced security features and custom data governance controls. You can also use its product analytics tool on top of a Snowflake data warehouse, which may be an option for HIPAA compliance if you're already storing analytics data in Snowflake.
See also: The most popular Amplitude alternatives
Which HIPAA-compliant analytics tool should you choose?
- Want one platform for product analytics, session replay, feature flags, and more – with a single BAA covering everything? PostHog
- Need a focused product analytics tool with a BAA and strong funnel analysis? Mixpanel
- Want to self-host your analytics without signing a BAA? Countly
- Already using non-HIPAA-compliant tools and need a PHI firewall in front of them? Freshpaint
- Need web analytics and a CDP with both BAA and self-hosting options? Piwik PRO
- Want retention-focused product analytics with a BAA and warehouse-native options? Amplitude
Install PostHog with one command
Paste this into your terminal and make AI do all the work.
FAQ
Who does HIPAA apply to?
HIPAA applies to "covered entities," such as healthcare providers who transmit any health information in electronic form, health plans, and healthcare clearinghouses. Mobile apps fall under HIPAA if they store protected health information (PHI) and share it with any covered entity.
HIPAA also applies to "business associates," which, according to the US Department of Health and Human Services, are "a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate."
Under HIPAA, the analytics tools in this guide would all be considered business associates.
What is PHI (Protected Health Information)?
Protected Health Information (PHI) is any information about health status, provision of healthcare, or payment for healthcare that can be linked to an individual.
This includes medical records, laboratory results, billing information, and any other information that identifies an individual and relates to their past, present, or future physical or mental health condition, treatment, or payment for healthcare services.
Is self-hosting analytics better than signing a BAA?
There's no objectively correct answer. In theory, self-hosting is preferable as it means you don't share any data with third-parties, and thus don't need to sign a BAA at all.
But self-hosting also presents additional risks. You're wholly liable for ensuring your analytics infrastructure is secure, which can be challenging without internal expertise. If that's the case, it may be better to rely on a HIPAA-compliant business associate who has experience hosting analytics at scale.
Does Google Analytics support HIPAA compliance?
No. Google Analytics does not offer a BAA and is not suitable for use with protected health information.
If you're in healthcare, you'll need to either use a HIPAA-compliant analytics tool or route your data through a healthcare-specific CDP like Freshpaint that filters out PHI before it reaches non-compliant destinations.
Is Heap HIPAA compliant?
No – Heap does not offer a BAA and is not HIPAA compliant. This has been a long-standing limitation, and it didn't change when Contentsquare acquired Heap.
Contentsquare itself also does not sign BAAs, meaning neither the standalone Heap product nor the broader Contentsquare platform (which also includes Hotjar) is suitable for handling PHI.
If you need session replay or product analytics with HIPAA compliance, you'll need to look at alternatives like PostHog, Mixpanel, or Amplitude.
What are the best HIPAA-compliant analytics tools in 2026?
Based on our research, the best HIPAA-compliant analytics tools right now are:
- PostHog – Best all-in-one platform with a single BAA covering product analytics, session replay, feature flags, experiments, and more
- Mixpanel – Best for focused product analytics and funnel analysis with BAA support
- Countly – Best for teams that want to self-host without a BAA
- Freshpaint – Best for teams that need a PHI-safe layer in front of existing non-compliant tools
- Piwik PRO – Best for web analytics with both BAA and self-hosting options
- Amplitude – Best for retention-focused analytics with warehouse-native HIPAA options
How is PostHog different from other HIPAA-compliant analytics tools?
PostHog is the only tool in this list that covers the full product development stack – product analytics, web analytics, session replay, feature flags, A/B testing, surveys, error tracking, LLM analytics, logs, and more – all under a single BAA. All products offer generous free tiers and usage-based billing with no surprise overages.
That matters for HIPAA compliance because every additional vendor means another BAA to negotiate, another data-sharing agreement to manage, and another potential liability surface.
Subscribe to our newsletter
Product for Engineers
Read by 100,000+ founders and builders
We'll share your email with Substack
PostHog is an all-in-one developer platform for building successful products. We provide product analytics, web analytics, session replay, error tracking, feature flags, experiments, surveys, LLM analytics, data warehouse, CDP, and an AI product assistant to help debug your code, ship features faster, and keep all your usage and customer data in one stack.