Keep Your Data Private and Secure with HIPAA Compliance for Tableau Cloud

Tableau Cloud is now HIPAA compliant, with capabilities for health care organizations to use Tableau with improved data security measures and privacy compliance needs as part of the U.S. health care law.

Image with text reading "HIPPA Compliant" with a picture of the Tableau logo held by Astro--the Salesforce mascot

Trust is the key to any relationship, especially between patients and healthcare professionals. Every day, patients place their trust in healthcare providers, payers, and other medical professionals to help safeguard their health information, including as required by the Health Insurance Portability and Accountability Act (HIPAA). At Tableau, we recognize the importance of data security and privacy to our customers, especially those in the healthcare and life sciences industries. For years, those customers have relied on Tableau Server for enterprise analytics and data security. Our number one value is trust, and we continuously invest in improvements to security and data compliance. Today, we are pleased to announce that we’ve rolled out new capabilities in our flagship SaaS offering, Tableau Cloud, that will help our customers to meet the strict HIPAA standards for safeguarding patients’ protected patient information (PHI).

Gartner forecasts that through 2025, 90% of organizations that fail to control cloud use will inappropriately share sensitive data. These potential security failures underscore the importance of a proper compliance program to ensure that data stored in the cloud is private and secure. This is especially true in the healthcare sector.

What is HIPAA and how does it impact Tableau Cloud?

HIPAA is a U.S. healthcare law that regulates matters ranging from allowing workers to transfer their employer-sponsored health insurance coverage to standardizing health care information for electronic medical billing. It empowers the U.S. Department of Health and Human Services (HHS) to issue and enforce rules protecting the privacy and security of PHI. HIPAA has three main pillars:

The HIPAA Privacy Rule, which governs the use and disclosure of PHI primarily by entities regulated under HIPAA (called “covered entities” and their “business associates”).
The HIPAA Security Rule, which specifies safeguards for protecting the confidentiality of electronic PHI.
The HIPAA Breach Notification Rule, which requires notification to HHS following the occurrence of a breach of unsecured protected health information

It has become increasingly important for both covered entities and business associates to ensure proper safeguards and processes are in place to protect PHI as part of their normal business operating procedures. Further, the frameworks established by HIPAA and other compliance certifications that Tableau Cloud has met allow us to help our regulated industry customers satisfy their own stringent compliance obligations. In turn, this reinforces that improved data security measures and meeting privacy compliance needs are a winning strategy for everyone involved—for our customers and their own end customers, as well as for Tableau as a SaaS provider.

As additional organizations move to Tableau Cloud, you can feel assured that Tableau is always looking to identify its customers' compliance needs and looking to solve them in the form of new certifications catered to all types of customers.

HIPAA compliance represents more than just compliance with privacy and security standards for the health care sector. This achievement is also representative of the critical role Tableau Cloud serves in our mission to create a secure and trustworthy SaaS platform for our customers.

(See Figure 1 for examples of safeguards put into place to satisfy HIPAA requirements)

Image of a chart with four columns: Administrative, Physical Safeguard, Technical Safeguards, and Documentation Safeguards listing HIPPA safeguards and requirements

Figure 1. Safeguards and Requirements for HIPAA

Aligning with HIPAA Requirements for Tableau Cloud

As Tableau has shifted to a SaaS-first model, we've worked diligently to ensure Tableau Cloud can be provided in a HIPAA-compliant manner to meet the needs of our healthcare and life sciences customers. Tableau’s HIPAA safeguards have been implemented in all Tableau Cloud points of delivery by default, and include:

Storing user passwords in a salted and hashed format.
Enabling audit logging that allows system administrators to track certain change activity in Tableau Cloud.
Providing customer administrators with configurable tools to maintain strict password security policies which govern access.
Continually monitoring for potential threats, risks, and vulnerabilities.
Allowing customers to delete or update their data at their desired cadence.
Providing customer administrators with configurable tools to define user profiles and permission sets governing data visibility.
Providing customer administrators with configurable tools to define a company-wide sharing model, a role hierarchy, and security rules governing data access.
Encrypting all ePHI data in transit and at rest.
Documented incident management policies and procedures to ensure that potential security events are Identified, Reported, Triaged, and Tracked.

This past year, Tableau Cloud made significant progress in ensuring improved data security and privacy for our customers. We obtained TISAX and ISO 27001/27017/27018 compliance certifications and built on the governance and infrastructure foundations from our SOC 2/3 certification. This foundational work has led to this announcement on our achievement of HIPAA compliance for Tableau Cloud, representing another essential piece to completing our mission of providing enhanced data security and privacy in the cloud.

For additional information on the new security safeguards provided in Tableau Cloud, please visit our Tableau compliance website and resources.

Want to experience this level of security and compliance? Start a free trial of Tableau Cloud.