Is Looker HIPAA Compliant? BAA, Security, and Setup Guide
Overview of HIPAA Compliance
HIPAA does not certify software as “compliant.” Instead, compliance depends on how you design, configure, and operate your analytics program when handling Protected Health Information (PHI). For a BI platform like Looker, your goal is to implement controls that meet the HIPAA Privacy, Security, and Breach Notification Rules while limiting PHI exposure to only what is necessary.
In practice, this means enforcing least privilege, encrypting data in transit and at rest, auditing access, documenting policies, and validating that your technical safeguards support HIPAA Security Rule audits. When Looker is deployed in an appropriate environment under a signed Business Associate Agreement (BAA) and hardened according to best practices, it can be used to analyze PHI responsibly.
Business Associate Agreement and Coverage
A Business Associate Agreement defines each party’s responsibilities for safeguarding PHI. If you will store, process, or transmit PHI through Looker or its managed services, you must have a BAA in place before onboarding any PHI. The BAA should clearly identify covered services, data locations, subcontractors, breach notification timelines, and the customer’s obligations.
To obtain coverage, work with your account team to execute a BAA and verify that every component touching PHI—hosting, storage, messaging, and monitoring—is a covered service. For self-managed deployments, ensure your infrastructure providers (e.g., cloud, database, message queues) are also under BAAs. Keep a system-of-record mapping that proves PHI flows only through covered paths.
Looker Security Features
Looker includes controls that help you enforce strong security baselines for healthcare analytics. While you remain accountable for configuration, these capabilities support secure operation when handling PHI.
- Access control permissions and RBAC: Assign fine-grained permissions, limit model and Explore access, and apply row- and column-level security so each role sees only the PHI it needs.
- Encryption and transport security: Enforce TLS 1.2 or later (often still called SSL encryption) for all browser, API, and database connections. Use strong cipher suites and disable legacy protocols.
- Auditability: Enable detailed activity logging and version control for LookML to support HIPAA Security Rule audits, change tracking, and separation of duties.
- Authentication and SSO: Integrate SAML or OIDC, require MFA via your IdP, and apply device posture checks for administrators.
- Data minimization features: Use persistent derived tables (PDTs) and views to expose only the minimum PHI required; prefer masked or tokenized columns where possible.
- Secure API integration: Use short-lived tokens, IP allowlisting, and signed webhooks for automated workflows; rotate credentials and avoid embedding secrets in code.
Customer Responsibilities for PHI Protection
Security is a shared duty. You must harden your data model, connections, and operations to keep PHI within covered boundaries and limit exposure throughout the analytics stack.
Practical setup steps
- Classify data: Tag columns containing PHI and ePHI; prefer de-identification or pseudonymization. Keep raw identifiers in isolated schemas.
- Design for least privilege: Map roles to minimum required Explores and fields. Apply row-level filters to segment access by site, department, or provider.
- Control caching and downloads: Disable result caching for sensitive Explores when appropriate, restrict CSV/JSON downloads, and watermark scheduled deliveries.
- Harden connections: Use TLS with server certificate validation for every database. Rotate keys and service accounts on a fixed cadence.
- Logging and retention: Forward logs to a secure SIEM, redact PHI from logs, and set retention aligned to policy and legal holds.
- Change management: Use Git for LookML with protected branches, peer review, and CI checks to block accidental exposure of PHI.
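The setup steps above (classification, least privilege, row-level filters, keeping raw identifiers out of reach) can be expressed directly in LookML. The following is an added example, not code from the original article or from Looker; the table, column, and user-attribute names (analytics.encounters, phi_access, allowed_sites) are assumptions, and SHA2 is a dialect-specific function you would swap for your warehouse's hashing function.

```lookml
# Added example: least-privilege PHI exposure in LookML.
# Table, column and user-attribute names are assumptions.

# Column-level gate: only users whose "phi_access" user attribute
# is set to "yes" can see fields that require this grant.
access_grant: can_view_phi {
  user_attribute: phi_access
  allowed_values: ["yes"]
}

view: encounters {
  sql_table_name: analytics.encounters ;;

  dimension: encounter_id {
    primary_key: yes
    type: string
    sql: ${TABLE}.encounter_id ;;
  }

  dimension: site_id {
    type: string
    sql: ${TABLE}.site_id ;;
  }

  # Raw identifier stays hidden from Explores, dashboards and downloads.
  dimension: mrn_raw {
    hidden: yes
    sql: ${TABLE}.mrn ;;
  }

  # Pseudonymised identifier: the only form most analysts can query.
  # SHA2 is assumed to exist in your SQL dialect.
  dimension: mrn_hash {
    type: string
    sql: SHA2(${TABLE}.mrn, 256) ;;
  }

  # Direct identifier: visible only to users holding the PHI grant.
  dimension: patient_name {
    type: string
    required_access_grants: [can_view_phi]
    sql: ${TABLE}.patient_name ;;
  }
}

explore: encounters {
  # Row-level security: every query against this Explore is filtered
  # to the site IDs listed in the user's "allowed_sites" attribute.
  access_filter: {
    field: encounters.site_id
    user_attribute: allowed_sites
  }
}
```

In a real project the view and explore live in separate files under Git-backed change control, so the peer review and CI checks in the last step apply to every change to these grants and filters.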
FIPS 140-2 Compliance Mode
FIPS 140-2 validates cryptographic modules used to protect data. Many healthcare programs target FIPS 140-2 Level 1 for application tiers. Enabling a FIPS posture ensures TLS handshakes and cryptographic operations use validated libraries, but note that FIPS alone does not make a deployment HIPAA compliant.
How to approach FIPS in practice
- OS and libraries: Run Looker on an operating system configured for FIPS mode and ensure your JVM, OpenSSL/crypto providers, and system daemons use FIPS-validated modules.
- Transport security: Enforce TLS 1.2+ with FIPS-validated ciphers for browser, API, and database connections; disable non-FIPS suites.
- Endpoints and proxies: Verify load balancers, API gateways, and reverse proxies also use FIPS-validated crypto. Document evidence for audits.
- Change control: Treat crypto updates as controlled changes and revalidate after upgrades.
Database Security Best Practices
Your database is the system of record for PHI; harden it to reduce blast radius and simplify audit defense. Combine network, identity, and encryption controls to enforce end-to-end protection.
- Network isolation: Place databases in private subnets with deny-by-default rules; allow access only from application subnets or proxies.
- Encryption: Use encryption at rest with customer-managed keys and require TLS for all client connections, including Looker's.
- Least privilege: Grant dedicated, scoped service accounts to Looker; avoid using owner or superuser roles for analytics.
- Data modeling: Expose PHI through views that mask or hash identifiers; restrict direct table access.
- Monitoring and auditing: Enable query auditing, failed login alerts, query timeouts, and throttling to detect anomalies.
- Backups and DR: Encrypt backups, test restores, and set retention consistent with policy and legal requirements.
Looker Deployment Considerations
Decide early whether you will use a hosted service or self-manage Looker. For hosted options, confirm BAA coverage, data residency, sub-processors, and incident response. For self-managed, you control hardening, patching, certificates, scaling, and monitoring—so automate compliance checks and keep runbooks current.
- Network design: Place Looker behind a WAF and reverse proxy, use private networking to databases, and restrict admin access via bastion or VPN with MFA.
- Identity and auth: Enforce SSO (SAML/OIDC), role-based provisioning, conditional access, and session timeouts; disable local passwords for admins.
- Secrets management: Store database credentials and API tokens in a vault or KMS; rotate on schedule and on employee exit.
- Operations: Establish patch cadence, vulnerability scanning, and configuration drift detection. Use immutable images and infrastructure-as-code.
- Data egress: Control schedules and webhooks; require encryption for email attachments or prefer secure destinations with access controls.
Conclusion
Looker can support HIPAA-aligned analytics when you pair a valid Business Associate Agreement with strong configuration, strict access control, SSL encryption, FIPS-aware cryptography, and hardened databases. Treat PHI as an exception, expose only what users need, and document controls so you can pass HIPAA Security Rule audits with confidence.
FAQs
Does Looker provide a HIPAA-compliant environment?
No software is “HIPAA compliant” by itself. Looker can be part of a HIPAA-ready environment when used under a signed BAA and configured to protect PHI—encryption, access controls, auditing, and data minimization are essential. Your organization remains responsible for end-to-end compliance.
How can I obtain a BAA for Looker?
Engage your account team to execute a Business Associate Agreement and confirm the scope of covered services, data locations, and subcontractors. Ensure every component that stores, processes, or transports PHI under your deployment is included before onboarding any PHI.
What security measures does Looker implement for HIPAA compliance?
Key controls include role-based access control permissions, row/column security, SSL encryption for data in transit, SSO integration (SAML/OIDC), detailed auditing for HIPAA Security Rule audits, Git-backed change control for LookML, and secure API integration using scoped, rotated credentials.
How should customers configure Looker to protect PHI?
Classify PHI, expose only masked or pseudonymized fields, enforce least-privilege roles, enable TLS end-to-end, restrict downloads and caching for sensitive Explores, forward redacted logs to a SIEM, and manage secrets in a vault with regular rotation. Validate FIPS 140-2 Level 1 crypto where required and document controls for auditors.