Web hosting providers and HIPAA compliance
Websites, and the web hosts that support them, need to be HIPAA compliant if they record or store ePHI. Even if your website doesn't offer any membership or account features, such as requiring a login to access information, something as simple as a contact form creates an opening through which ePHI might be inadvertently submitted.
If a web hosting provider receives or stores ePHI, it is considered a business associate. All business associates need to sign a business associate agreement (BAA) with covered entities to affirm their understanding and acceptance of the HIPAA Privacy Rule and the need to protect ePHI. Not all web hosting providers are able to guarantee ePHI is secure or are willing to sign a BAA. And, as we found, even a signed BAA is not a guarantee that a web host is doing anything special to comply with HIPAA requirements. Failure to conduct due diligence on potential web hosts and operating an insecure website could lead to fines and other corrective action for HIPAA violations.
Web hosting provider best practices
Some basic steps you can take to avoid HIPAA violations include:
Understanding what information constitutes ePHI
Requiring that all connections be encrypted (HTTPS/TLS)
If you don't use HIPAA compliant email, removing email addresses and email links to prevent ePHI from being submitted through unencrypted means
Using a secure contact form, and not a standard web form, for site visitors to send messages from your website
Using a dedicated server that you control and that does not allow access to outside parties (including your web host)
Avoiding shared hosting or other configurations where any other entity has access to your website and data
Signing a BAA with your web hosting provider
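The checklist above can be partly verified mechanically. The following audit is an added example, not code from the original article: it parses a page for mailto: links and contact forms that would submit over plain HTTP, and checks the response for a Strict-Transport-Security header. The HTML, page URL and headers are constructed for the demo, and the GET-vs-POST check goes slightly beyond the list (GET puts submitted fields into URLs and server logs).

```python
"""Static audit of one page against the HIPAA hosting checklist.
Added example with constructed input; not the article's or any vendor's code."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            href = (a.get("href") or "").strip()
            if href.lower().startswith("mailto:"):
                # A mailto link invites visitors to send ePHI by unencrypted email.
                self.findings.append(f"mailto link invites ePHI over unencrypted email: {href}")
        elif tag == "form":
            # Resolve a relative action against the page URL before checking the scheme.
            action = urljoin(self.page_url, (a.get("action") or "").strip())
            if urlsplit(action).scheme != "https":
                self.findings.append(f"form submits to a non-HTTPS endpoint: {action}")
            if (a.get("method") or "get").lower() != "post":
                self.findings.append(f"form uses GET; fields land in URLs and logs: {action}")


def audit_page(page_url, html, response_headers):
    """Return a list of findings (empty list means the page passed these checks)."""
    auditor = _FormAuditor(page_url)
    auditor.feed(html)
    if urlsplit(page_url).scheme != "https":
        auditor.findings.append("page itself is served over plain HTTP")
    headers = {k.lower(): v for k, v in response_headers.items()}
    if not headers.get("strict-transport-security"):
        auditor.findings.append("no Strict-Transport-Security header; browsers may still load over HTTP")
    return auditor.findings


# Constructed sample page showing the mistakes the checklist warns about.
SAMPLE_HTML = """
<p>Questions? <a href="mailto:frontdesk@clinic.example">Email us</a></p>
<form action="http://clinic.example/contact" method="get">
  <input name="message"><button>Send</button>
</form>
<form action="/secure-contact" method="post"><input name="message"></form>
"""

if __name__ == "__main__":
    for finding in audit_page("https://clinic.example/contact", SAMPLE_HTML, {"Content-Type": "text/html"}):
        print("FINDING:", finding)
```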
Let's take a look at some of the most popular web hosting companies and how they fare regarding HIPAA compliance.
Bluehost was one of the first web hosting companies mentioned by our earliest clients. It's one of the few web hosts recommended by WordPress.org to host WordPress websites, and it's owned by the same company that owns Constant Contact and HostGator, another popular web host (see below).
But when it comes to Bluehost's HIPAA compliance, the company is unequivocal: “You may NOT use our Services for hosting ‘protected health information’ under the federal HIPAA law and related regulations,” the company says. “We do not sign business associate agreements.”
Bluehost is not HIPAA compliant.
Dreamhost is home to over 1.5 million websites for over 400,000 customers in over 100 countries. Founded in 1997, its longevity and affordable pricing make it a very popular choice for small business websites. Is Dreamhost HIPAA compliant? There's no official answer. Dreamhost's user forums have periodically tackled the topic of BAAs over the years, but with no real resolution. The closest thing we found to a definitive answer comes in a 2013 forum post, where an employee says, "Our hosting environment is not HIPAA compliant. Among other reasons, this is because HIPAA compliance is incompatible with shared and [Virtual Private Server] VPS hosting environments."
Dreamhost is probably not HIPAA compliant.
GoDaddy is perhaps the best-known web hosting company in America, and likely the largest web host in the world by market share, hosting more than 60 million domains. That means as many as 13 percent of all websites could very well call GoDaddy home. But does this massive popularity mean GoDaddy is HIPAA compliant? Like Dreamhost, it appears GoDaddy doesn't explicitly say whether it's HIPAA compliant. But its official blog addressed the topic in 2006, saying, "Protecting an internet connected server with HIPAA covered data or the office of a small medical practice that is connected to the internet is not something that should be left to an average site admin or website developer." While GoDaddy offers suggestions on improving website security, it does not say its own services can meet HIPAA requirements.
GoDaddy is probably not HIPAA compliant.
Hostinger made waves when it launched in 2004 by offering free websites. Its plans now start at a dollar a month, which is certainly among the lowest priced web hosting we've seen. The strategy has garnered Hostinger nearly 30 million customers. But can Hostinger offer HIPAA-compliant web hosting? Like Bluehost, Hostinger doesn't make it hard to answer this question. The Hostinger Hosting Agreement says that it does not offer a HIPAA compliant environment, that it has the right to access your website data, and that users are "solely responsible for all and any data breaches."
Hostinger is not HIPAA compliant.
Since HostGator is owned by the same company as Bluehost above, it would make sense that HostGator's ability to comply with HIPAA would be similar. It is. Like Bluehost, HostGator states in its Terms of Service, "we are not HIPAA compliant." Further, it says, "we do not sign Business Associate Agreements" and adds that using its services to store or handle ePHI is "expressly prohibited." It doesn't get much more clear than that.
HostGator is not HIPAA compliant.
We have many dental practices among our clients, and they were the first to tell us about JustHost, which advertises web hosting packages starting at $4 per month. While that makes them an attractive option for most businesses, covered entities need to ask, "Is JustHost HIPAA compliant?" Let's quote directly from the JustHost Acceptable Use Policy: "Storing personal or sensitive information, including without limitation, 'Protected Health Information' as defined under the U.S. Health Insurance Portability and Accountability Act ('HIPAA'), is prohibited under this AUP." In fact, JustHost has a special HIPAA Disclaimer that reads, "You may NOT use our Services for hosting 'protected health information' under the federal HIPAA law and related regulations."
JustHost is not HIPAA compliant.
Squarespace is known for its beautiful website designs and for offering a wide variety of business features, including ecommerce tools. With a custom-built website design tool and dozens of templates, Squarespace makes it easy to make your website stand out from the crowd, and easy to update and modify your site without requiring any special coding skills. But is Squarespace HIPAA compliant? The fact that Squarespace provides a HIPAA guide on its support site is an encouraging sign, as is its willingness to sign a business associate agreement. However, a closer look reveals that only one component of a Squarespace website is covered by these options: Squarespace Scheduling. And that requires a more expensive service plan. Still, Squarespace Scheduling does handle many of the interactions a customer or client would have with a covered entity, such as booking appointments.
Squarespace can be HIPAA compliant.
Weebly is probably not HIPAA compliant.
Wix is probably not HIPAA compliant.
WP Engine
WordPress is one of the most popular content management systems in the world, and WP Engine built its business on its strengths. WordPress is only one of the technologies embraced by the company, which says it uses more than 30 additional open-source technologies in its operations. But a good company is not necessarily a secure company as far as ePHI is concerned. Is WP Engine HIPAA compliant? The company's Acceptable Use Policy addresses HIPAA in a section titled "Regulated and Sensitive Information":
You are not permitted to use or cause the Services to store or process sensitive or otherwise regulated health or financial information, including Protected Health Information (as that term is defined under HIPAA). […] You acknowledge and agree that we are not responsible for any liabilities arising from your violation of this restriction.
WP Engine is not HIPAA compliant.
Are any of the big-name web hosts HIPAA compliant?
After a thorough review of some of the most popular web hosting companies, it is clear the vast majority are not HIPAA compliant. This is not surprising, as almost all web hosting companies share resources among multiple customers, and give their employees the ability to access data stored on customer websites. Since they cannot guarantee that customers will be the only entities that can access website information, they cannot guarantee HIPAA compliance. As a result, large healthcare organizations typically design, build, and maintain their own website infrastructure, rather than relying on third-party providers. But this is not a feasible approach for smaller firms. That said, Squarespace does offer a HIPAA compliant scheduling feature, and will sign a BAA. But covered entities will need to take multiple additional precautions to ensure ePHI is protected and not unintentionally collected or exposed.
HIPAA compliance extends beyond the web
It is technically possible for web hosting providers to be HIPAA compliant if they are willing to enter into a BAA and configure their systems to meet HIPAA guidelines. Otherwise you must steer clear of storing, transmitting, or even coming close to sharing any ePHI. Website and email hosting often go hand in hand, and it's very important to make sure your email security is also sufficient. Paubox Email Suite enables you to send HIPAA compliant email without the need for clumsy portals, special apps, or additional logins. And it seamlessly integrates with Google Workspace, Microsoft 365, or Microsoft Exchange. Every email you send is encrypted using industry-leading TLS 1.3 encryption technology. Our solution blocks email threats like ransomware, malware, and phishing attacks, along with robust spam filtering and detection of domain name spoofing with our patented ExecProtect feature.