Take your business to next level
Become part of our growing family of +600,000 users and get the tools you need to make smart choices for your website. Simple, powerful insights are just a click away.
Yes—WP Statistics stores analytics entirely inside your own WordPress database and, out‑of‑the‑box, avoids collecting Protected Health Information (PHI). There are no third‑party servers, no fingerprinting cookies, and no personal identifiers. HIPAA compliance is therefore mostly a matter of where you host the site and how you control access—not of tweaking the plugin itself.
Quick rule of thumb: If you don’t log PHI, you’re outside HIPAA. WP Statistics helps you stay outside by default; the rest comes down to hosting and policy.
HIPAA applies only if the logged data could identify a patient in connection with healthcare services. The goal is simple: never store that linkage in the first place.
Below is a feature‑to‑requirement map with documentation links so your compliance officer can verify every claim.
| Built‑in control | Docs | HIPAA benefit |
|---|---|---|
| No third‑party data flow | n/a (core design) | Keeps all analytics on your server—nothing leaves your HIPAA environment. |
| IP anonymisation / hashing | https://wp-statistics.com/resources/what-are-salts-and-hashes/ | Removes direct identifiers if you decide to log IPs at all. |
| Cookie‑less | https://wp-statistics.com/resources/counting-unique-visitors-without-cookies/ | Tracks visits without persistent browser IDs. |
| URL query‑string stripping | https://wp-statistics.com/resources/managing-url-query-parameters/ | Keeps patient names or record numbers out of logs. |
| Consent integration | https://wp-statistics.com/resources/integrating-wp-statistics-with-consent-management-plugins/ | Lets you delay tracking until a visitor gives explicit permission. |
| Automatic log‑purge scheduler | https://wp-statistics.com/resources/optimizing-database-size-for-improved-performance/ | Enforces data‑minimisation by deleting old rows on a schedule you set. |
| Role‑based access | https://wp-statistics.com/resources/access-control-settings/ | Limits who can see raw data. |
Good to know: All sensitive controls are OFF by default because the plugin’s standard configuration already avoids PHI. Enable additional safeguards only if your compliance team wants extra risk reduction (e.g., hashing IPs, shortening retention).
| Task | What to produce |
|---|---|
| Annual Security Risk Analysis (SRA) | A one‑page report noting that WP Statistics stores only anonymised or non‑identifiable visit data and is limited to authorised staff. |
| Policies & procedures | A short SOP covering: who can access analytics, log‑purge schedule, breach‑notification steps. |
| Staff training | Remind content authors not to embed PHI in URLs and show admins where to adjust retention or anonymisation settings. |
| Business Associate status | VeronaLabs does not access client data during normal support, so no BAA is required. If you request DB‑level debugging, we will sign a BAA first. |
Print, tick, and file this list in your HIPAA compliance binder.
Q 1: Does WP Statistics make my whole site HIPAA compliant automatically?
No analytics plugin can do that alone. WP Statistics eliminates third‑party data leakage and avoids PII by default, but compliance still depends on hosting, policies, and staff behaviour.
Q 2: Do I need a BAA with VeronaLabs?
Only if our support team will view or handle your PHI. Standard code‑only support does not require a BAA.
Q 3: Can I keep IP logging if I hash the address?
Yes. Hashing preserves unique‑visitor counts while removing the ability to re‑identify the visitor.
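The following is an added illustration of the two controls from the table above (IP hashing and query‑string stripping) and of the answer to Q 3; it is example code written for this page, not WP Statistics' own implementation. It assumes a salt that is generated with `random_bytes()` and rotated daily (the function names `dailySalt`, `visitorHash` and `stripQueryString` and the sample visits are constructed for the example). The point it adds is that the salt is what makes the hash safe: an unsalted hash of an IPv4 address has only 2^32 possible inputs, so anyone holding the hash could recompute it for every address and re‑identify the visitor.

```php
<?php
declare(strict_types=1);

// Example code for this page, not WP Statistics' implementation.
// Shows unique-visitor counting from a salted IP hash and removal of
// query strings before a page URL is written to the visit log.

// Assumption: the salt is random and rotated daily. A record can then only
// be joined to other records from the same day, and the hash cannot be
// brute-forced back to an address (an UNSALTED hash of an IPv4 address
// could be: there are only 2^32 inputs to try).
function dailySalt(): string {
    // In a real deployment persist this in an option and regenerate it
    // on a schedule; here it is created fresh for the demonstration.
    return bin2hex(random_bytes(32));
}

// Keyed hash of the address: same visitor => same value within one day,
// no way to recover the address from the value without the salt.
function visitorHash(string $ip, string $salt): string {
    return hash_hmac('sha256', $ip, $salt);
}

// Keep only scheme, host, port and path. Anything after '?' or '#'
// (e.g. ?patient=... or ?mrn=...) is discarded, so it never reaches the log.
function stripQueryString(string $url): string {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['path'])) {
        return '/';
    }
    $clean = '';
    if (isset($parts['scheme'], $parts['host'])) {
        $clean .= $parts['scheme'] . '://' . $parts['host'];
        if (isset($parts['port'])) {
            $clean .= ':' . $parts['port'];
        }
    }
    return $clean . $parts['path'];
}

// Constructed sample visits (documentation addresses, no real visitor data).
$visits = [
    ['ip' => '203.0.113.5',  'url' => 'https://clinic.example/appointments?patient=Jane+Doe&mrn=12345'],
    ['ip' => '203.0.113.5',  'url' => 'https://clinic.example/contact#map'],
    ['ip' => '198.51.100.9', 'url' => 'https://clinic.example/appointments?mrn=67890'],
];

$salt = dailySalt();
$rows = [];
foreach ($visits as $v) {
    $rows[] = [
        'visitor' => visitorHash($v['ip'], $salt),
        'page'    => stripQueryString($v['url']),
    ];
}

// Two distinct hashes appear above, so the unique count is preserved
// even though no address was stored.
$unique = count(array_unique(array_column($rows, 'visitor')));
echo "Unique visitors today: {$unique}\n";
foreach ($rows as $r) {
    echo substr($r['visitor'], 0, 12) . "...  " . $r['page'] . "\n";
}
```

Run it with `php example.php`; the logged pages come out as `/appointments` and `/contact` with the patient name and record numbers gone, and the two visits from the same address collapse to one visitor. Rotating the salt is the design choice that keeps the hash from becoming a stable identifier in its own right.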
Q 4: How long should I keep logs?
HIPAA sets no exact number; “minimum necessary” is the rule. 30–90 days is typical.