Hi @nicola
Metabase is self-hosted software, and none of your data is sent anywhere. As far as I know, that should comply with HIPAA, but I’m not a lawyer and don’t know every single requirement in HIPAA.
Also read this: US HIPAA for self-hosted Metabase
Does that answer the question?
And yes, you can use a user with limited privileges, so Metabase only has access the data you want it to see.