When it comes to website hosting providers, GoDaddy is the 800-lb. gorilla in the industry. Founded in 1997, GoDaddy now hosts over 13 percent of all websites. Its 7,000 employees keep an estimated 20 million customers and their 60 million websites online. If you're looking for a company to host your website, GoDaddy seems like a popular and solid choice. But if your business is a covered entity under HIPAA, it's a more complicated decision.
GoDaddy and HIPAA compliant web hosting
The official GoDaddy blog actually addressed HIPAA compliant web hosting back in 2016. Author Scott Knauss of the company's Network Operations Center provides a good overview of data breaches, HIPAA, and healthcare industry websites. "Protecting an internet connected server with HIPAA covered data or the office of a small medical practice that is connected to the internet is not something that should be left to an average site admin or website developer," he writes. Ultimately, Knauss recommends that covered entities "have someone who’s familiar with HIPAA and system security review [their] setup annually" and points out ten ways to tighten online security practices. But he does not mention GoDaddy's own web hosting services or how they measure up. We do know, however, that GoDaddy, like most mainstream web hosts, co-locates multiple customers on a single server, and that its employees have access to all servers. For those two reasons, its web hosting cannot be HIPAA compliant.
Is GoDaddy email HIPAA compliant?
As we've previously written, it is possible for a covered entity to use GoDaddy for HIPAA compliant email. Indeed, the only business associate agreement that GoDaddy provides relates to its email service. Note, however, that it involves GoDaddy's integration with Microsoft's Office 365. If you're considering this option, you'll first want to look into how Paubox compares with Office 365. Microsoft's HIPAA compliant solution is much more complex than HIPAA compliant email provided by Paubox.
The only BAA that GoDaddy will sign relates to its email service. It also co-locates multiple customers on a single server, which many employees have access to. Therefore, like most mass-market, consumer website hosting companies, GoDaddy does not offer HIPAA compliant web hosting. As we're finding in our ongoing research into building HIPAA compliant websites, how you build your site is a more important consideration than where you host it.