Signed BAA
A real Business Associate Agreement on every plan.
A signed BAA, SOC 2 Type II, encryption everywhere, US-based hosting, and full audit logging. Ghost Metrics is built so protected health information is safe at every layer.

Our pipeline strips and hashes identifiers at the edge, so protected health information never lands in our database. The strongest safeguard is simply never holding it.
Role-based access, granular audit logs, and a signed BAA on every plan give your compliance and security teams exactly what they need to sign off.

The safeguards healthcare requires, included by default.
A real Business Associate Agreement on every plan.
Identifiers are redacted before anything is stored.
Encrypted at rest and with TLS 1.2+ in transit.
Hosted entirely within US-based infrastructure.
Granular, exportable logs of every data access.
Independently audited security controls.
Federal guidance lays out a compliant path for website tracking: route it through a vendor that signs a BAA, strips the PHI, and shares only de-identified data downstream. That vendor is Ghost Metrics.
“…the regulated entity can choose to establish a BAA with another vendor, for example a Customer Data Platform vendor, that will enter into a BAA with the regulated entity to de-identify online tracking information that includes PHI and then subsequently disclose only de-identified information to tracking technology vendors that are unwilling to enter into a BAA.”

Quoted from public HHS guidance. Ghost Metrics is not affiliated with or endorsed by HHS.
See how Ghost Metrics keeps PHI safe at every layer.