We’re planning to use a cloud-based Business Intelligence tool for analyzing/visualizing our customer data in our Postgresql database. There is an excellent HIPAA compliant tool to do this, by Mode Analytics, but we’re also exploring non-HIPAA compliant. options, such as https://www.periscopedata.com and https://chartio.com/
Obviously we will not introduce PHI into these third party systems, so I wanted some thoughts on the best way to safely give them access to our (sanitized/anonymized) data.
One solution would be to create Postgresql view sits above our main tables but has a limited (ie non-PHI) schema. The 3rd party service’s database user would have a role that only allows read-only access to this view. Is this a sensible way of ensuring compliance? Any flaws in this approach?
An alternative solution would be to run an (hourly) export of sanitized data from our main database into an entirely separate database instance.
Does anyone have any suggestions/recommendations for us?