How to Achieve HIPAA Compliance in ClickHouse

Galaxy Glossary

How to make ClickHouse HIPAA compliant?

Shows the security settings and SQL policies you must enable to run ClickHouse in a HIPAA-regulated environment.

Welcome to the Galaxy, Guardian!
You'll be receiving a confirmation email

Follow us on twitter :)

Oops! Something went wrong while submitting the form.

Description

Example H2

Example H3

What does HIPAA require for databases?

HIPAA mandates encryption in transit and at rest, strict access control, audit logging, data retention rules, and documented procedures for backups and disaster recovery.

How do I encrypt data at rest in ClickHouse?

Create a storage policy that targets an encrypted disk or S3 bucket with server-side encryption. Reference that policy in every table holding Protected Health Information (PHI).

Step 1 — Define an encrypted disk

Add to storage_policy.xml: <disk name="enc" type="encrypted" key="${ENCRYPT_KEY}" path="/var/lib/clickhouse/encrypted/"/>

Step 2 — Use the policy in tables

SETTINGS storage_policy='encrypted' forces the table’s parts onto the encrypted volume.

How do I enable TLS for data in transit?

Generate a certificate, then set tcp_port_secure and openSSL options in config.xml. Require users and applications to connect on https or tcps ports only.

How do I implement access control and RLS?

Create roles, grant granular privileges, then add row-level policies to hide PHI from non-privileged users. Pair roles with short-lived, unique service accounts.

Example role policy

CREATE POLICY phi_filter ON secure_customers USING has_role('hipaa_reader');

How do I audit PHI access?

Set query_log and part_log retention to HIPAA-approved periods. Ship logs to a WORM (write-once, read-many) store so they cannot be altered.

Which settings support backup & retention?

Use BACKUP TABLE to encrypted S3 with versioning, and set ttl_only_drop_parts=true to avoid accidental data loss.

Practical example: securing the Customers table

The example below creates an encrypted table, applies a row-level filter, and grants least-privilege roles used by analytics jobs.

Best-practice checklist

✅ Encrypt every disk and network hop
✅ Enforce least privilege via roles
✅ Log every query
✅ Encrypt backups and test restores
✅ Document incident-response and BAA coverage

Common mistakes and fixes

Mistake 1: Forgetting to encrypt backups → always use S3/KMS or server-side encryption.
Mistake 2: Sharing service accounts → create unique users with expiration dates.

Why How to Achieve HIPAA Compliance in ClickHouse is important

How to Achieve HIPAA Compliance in ClickHouse Example Usage


-- Analytics job that can only read non-PHI columns
SET role hipaa_reader;
SELECT id, created_at
FROM secure_customers
WHERE created_at >= now() - INTERVAL 30 DAY;

How to Achieve HIPAA Compliance in ClickHouse Syntax


-- Encrypted table example
CREATE TABLE secure_customers (
    id UInt32,
    name String,
    email String,
    created_at DateTime,
    phi String
) ENGINE = MergeTree
ORDER BY id
SETTINGS
    storage_policy = 'encrypted',               -- at-rest encryption
    metadata_encryption_key = '${ENCRYPT_KEY}', -- encrypt metadata
    ttl_only_drop_parts = true;                 -- safer deletes

-- Role & RLS
CREATE ROLE hipaa_reader;
GRANT SELECT ON secure_customers TO hipaa_reader;
ALTER TABLE secure_customers
    ADD POLICY phi_filter
    USING has_role('hipaa_reader');

-- Force TLS
<tcp_port_secure>9440</tcp_port_secure>
<openSSL>
    <certificateFile>/etc/clickhouse/server.crt</certificateFile>
    <privateKeyFile>/etc/clickhouse/server.key</privateKeyFile>
</openSSL>

Common Mistakes

Encrypting tables but forgetting to encrypt object-store backups. Fix by enabling S3 server-side encryption or KMS keys for every BACKUP target.
Using shared service accounts, causing impossible audit attribution. Fix by creating unique, short-lived users or roles per service and enabling query_log.