CDP for Healthcare — HIPAA-Compliant Patient Data Unification (2026) — CDP.com
CDP Institute guidance on using CDPs in healthcare settings, with focus on HIPAA BAA requirements and vendor selection.
Key facts surfaced (2026-05-06, via search):
- BAA is mandatory. Any CDP vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a Business Associate under HIPAA (45 CFR 160.103). The BAA must be executed before any PHI is shared; disclosure to a vendor without one is itself a violation. Practitioner check: confirm the signed BAA covers the specific product tier and all subprocessors in the data path, not just the vendor's corporate entity.
- Vendors with documented HIPAA postures (2026):
  - Hightouch — HIPAA-compliant; signs BAA; no data storage (syncs from the customer's own warehouse rather than persisting a copy).
  - Ours Privacy — Specialized HIPAA CDP + privacy platform. Prevents PHI from reaching non-compliant tools.
  - Freshpaint — Healthcare-focused analytics CDP; intercepts events before they reach non-HIPAA tools.
  - Piwik PRO — Privacy-focused analytics + CDP for healthcare; signs BAA.
  - Treasure Data — Enterprise CDP with documented HIPAA compliance.
  - Tealium — Enterprise tag management + CDP with HIPAA BAA availability.
- Traditional CDPs often decline to sign BAAs: their architecture copies customer data into vendor-controlled storage, which makes the vendor a standing custodian of PHI and exposes it to liability it cannot manage. Vendors that avoid persisting data (e.g. the Hightouch model above) sidestep this.
Relationship to existing KG nodes:
- Evidence for vendor.hightouch (HIPAA) and vendor.ours-privacy candidate nodes.
- Relevant to org-dim/industry.healthcare.md.
- Addresses "HIPAA-compliant CDP vendors" queue topic.