We’ve noticed that DreamHost is a popular choice among small businesses. Founded by college students in 1997, the company now hosts over 1.5 million websites for over 400,000 customers in over 100 countries.
DreamHost and the business associate agreement
There is very little information from DreamHost itself relating to HIPAA compliance. Members of the DreamHost community message boards have tackled the topic unofficially, however.
There is some unofficial conversation in DreamHost’s message boards from 2015 vaguely mentioning the topic of signing a BAA.
Andrew F., apparently speaking for the company, answered the question Can Dreamhost email be considered HIPAA compliant? this way:
The bottom line is, we can’t give you any specific guidance here. Sorry. If you have a security/compliance team in your organization, you should talk to them.
So in other words, it appears DreamHost will not sign a BAA.
Is DreamHost HIPAA compliant?
So is DreamHost HIPAA compliant? Andrew F., again speaking for the company, answered the question this way:
Our hosting environment is not HIPAA compliant. Among other reasons, this is because HIPAA compliance is incompatible with shared and [Virtual Private Server] VPS hosting environments. It would also require that we take what amounts to a ‘hands off’ approach to our customers’ servers and data. This would prevent us from providing many of the managed services that we offer today, including our ‘hands-on’ support.
In short, because DreamHost employees can access everything its customers store on its servers, HIPAA compliance cannot be achieved.
To use any cloud service and be HIPAA compliant, you would need to have complete and exclusive control of the system. As one example, Amazon Web Services provides this option.
What about DreamHost email?
DreamHost offers email accounts and webmail access free with any hosting plan. Since DreamHost can access email messages stored on its servers, HIPAA compliance is again not possible.
Even if you implement encryption, Andrew says, “we can’t give you any specific guidance here.”
DreamHost can support Google Workspace, but that is a separate, paid service.
Also, keep in mind that Google’s BAA does not cover email sent or received in transit, which is an essential component of sending HIPAA compliant email. You must partner a paid Google Workspace account with a signed BAA along with an email solution that secures your email at all stages, such as Paubox Email Suite.
DreamHost will not sign a BAA, and its web hosting features are not HIPAA compliant, especially if your website includes a contact form or other calls to action.
Furthermore, DreamHost email is not HIPAA compliant when using its hosted webmail service.