Tableau Server and HIPAA Compliance

Looking for Tableau Cloud?

Tableau Cloud is HIPAA compliant, with capabilities for health care organizations to use Tableau with improved data security measures and privacy compliance needs as part of the U.S. health care law.

Read the blog

Subject Area: Architecture

Level of complexity: Advanced

Approximate Time to complete: 30 minutes

Companion Workbook (twbx): n/a

Additional Resources on the web:

Is Tableau Server HIPAA compliant? The short answer: not out of the box, but it can be. Since Tableau Server itself is not a database and merely a reporting and query tool, is compliancy is contingent on the end user and database governance. This means that if the database you are pulling the information from is HIPAA compliant and the user has followed HIPAA compliant actions, then Tableau Server is HIPAA compliant. However, the issues of compliancy come down to the end user and the data governance of the database it is connecting to. A database could be HIPAA compliant but if the end user is able to pull information off the database through poor data governance then it would no long be HIPAA compliant. This change is dependent on the end user on what they choose to query and what the data administrator allows them to pull. A failure at either level of data query, database or user, breaks the HIPAA compliancy.

Besides ensuring compliancy at the database level and human error, Tableau Server allows a number of security features to maintain HIPAA compliancy.

1. Create a user filter to ensure row level data security. User filters allow users only to see the data associated with their permission at a row level. Tableau Server allows you to use a dimension to create these filters and apply them to the security permission. For more information, refer to this article:

2. Hide dimensions/columns in a data extract. By excluding dimensions in Tableau Desktop is helpful in cleaning out the data source of information that should not be seen by the user or is sensitive. Excluding a column also increases performance and makes sure that only releveant data is given to the end user.

3. Disabling "view underlying data" in a Tableau Server View. By disabling the view of the underlying data, the visualizations make the underlying data anonymous thus ensuring security. Administration of this feature is easily done through Tableau Desktop when publishing to Server.

4. Restrict workbook downloading. Similar to restricting the view of underlying data, we can disable the download of workbooks and their data when publishing to Server.

5. Use Tableau Server administrative views to see what information people are accessing. Tableau Desktop can be used to find out what information and views your users are accessing. Use the following link to learn how to customize your own administrative dashboard.

To summarize, the best practices of maintaining HIPAA compliance making sure that your end users are accessing only the data they should be. Tableau Server offers a number of ways to easily manage this data governance but ultimately it rests on the shoulder of the end user and the IT database administrator to make sure that Tableau Server is used in a HIPAA compliant manner.