US HIPAA for self-hosted Metabase


#1

Hello! I was previously at TodayTix, where I built out Metabase as the primary BI tool. I’m looking to do the same at my new job (Roman Men’s Health) and set up Metabase ASAP (like, right now - we’ve got deadlines!). However, I need to double-check on some data privacy concerns.

We are a mail order pharmacy and are subject to very very strict US HIPAA data privacy requirements. We are looking for an explicit answer to the following question: If we self-host Metabase (using EC2), does any of our data leave our network and get sent anywhere else? We can only use Metabase if the answer is no, otherwise we all risk getting arrested!

Really appreciate your timely response.

Thanks!


#2

Well, the Metabase website has an article detailing what usage info they collect. You can turn this off entirely in the admin settings. https://www.metabase.com/docs/latest/information-collection.html

I’m not familiar with the regs, but would just a simple reply here of “no, we don’t send data outside your network” from the developer be enough to deem Metabase HIPAA-compliant? Not saying you shouldn’t believe them, but the regulations might require more than just that…

Also keep in mind that it’s open source, so you or anyone can dig into the code to verify and see how it works.
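Reading the code tells you what Metabase is written to do; the question in #1 is what the deployed instance actually does on the wire. An added example (not from the thread and not Metabase's own code) that audits a host the way a reviewer would: run `ss -Htnp` on the EC2 instance and flag any connection the Metabase JVM holds to an address outside the private network. The sample `ss` output is constructed, the process name `java` and listen port 3000 are assumptions about a standard Metabase deployment, and the two environment variable names are the ones I believe Metabase documents for anonymous tracking and the update check; confirm them against the information-collection page linked above before relying on them.

```python
"""Audit a self-hosted Metabase host for outbound connections that leave the
private network. Added example; not part of the original thread or of Metabase.
"""
import ipaddress
import re

# Settings that turn off Metabase's own phone-home traffic (anonymous usage
# tracking, and the version check against metabase.com). ASSUMED names; check
# them against the current Metabase docs. Use e.g. `docker run --env-file`.
HARDENED_ENV = {
    "MB_ANON_TRACKING_ENABLED": "false",
    "MB_CHECK_FOR_UPDATES": "false",
}

# Address ranges treated as "inside our network": RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample of `ss -Htnp` output: state recv-q send-q local peer process.
# Line 1: Metabase -> Postgres app DB (internal).  Line 2: a user's browser -> Metabase.
# Line 3: Metabase -> a public IP on 443.  Line 4: some other agent, not Metabase.
SAMPLE_SS_OUTPUT = """\
ESTAB 0 0 10.0.1.15:48212 10.0.2.40:5432 users:(("java",pid=1234,fd=88))
ESTAB 0 0 10.0.1.15:3000  10.0.3.9:51622 users:(("java",pid=1234,fd=91))
ESTAB 0 0 10.0.1.15:52210 203.0.113.20:443 users:(("java",pid=1234,fd=102))
ESTAB 0 0 10.0.1.15:41000 198.51.100.7:443 users:(("amazon-ssm-agen",pid=501,fd=12))
"""

SS_LINE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)


def split_addr(endpoint):
    """Split 'host:port' (IPv6 as '[host]:port') into (ip_address, int port)."""
    host, port = endpoint.rsplit(":", 1)
    return ipaddress.ip_address(host.strip("[]")), int(port)


def is_internal(ip):
    """True if the address falls inside one of INTERNAL_NETS."""
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def external_egress(ss_output, process="java", listen_port=3000):
    """Return [(peer_ip, peer_port)] for connections held by `process` whose
    peer is outside INTERNAL_NETS. Sockets whose local port is the Metabase
    listen port are inbound (users reaching Metabase) and are skipped; what we
    care about is Metabase reaching out."""
    hits = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if not m or m.group("proc") != process:
            continue
        _, local_port = split_addr(m.group("local"))
        peer_ip, peer_port = split_addr(m.group("peer"))
        if local_port == listen_port:
            continue
        if not is_internal(peer_ip):
            hits.append((str(peer_ip), peer_port))
    return hits


if __name__ == "__main__":
    # On a live host, feed it subprocess.run(["ss", "-Htnp"], capture_output=True,
    # text=True).stdout instead of the constructed sample (root is needed for
    # ss to show process names on sockets owned by other users).
    for ip, port in external_egress(SAMPLE_SS_OUTPUT):
        print(f"Metabase process has a connection to external host {ip}:{port}")
```

A socket snapshot only shows what is connected at that instant, so treat a clean result as supporting evidence, not proof. The control that actually answers "can data leave" for an auditor is an egress-deny security group or NACL on the instance with VPC Flow Logs to show it holds; the script above is the quick check you run before and after flipping the tracking settings off to see the difference.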