Many people have questions about HIPAA and typical web hosts. Is GoDaddy web hosting HIPAA compliant? Can I host my healthcare website or web app on a web host such as 1&1, GoDaddy, or HostGator?
Are Basic Webhosting Plans HIPAA Compliant?
When it comes to web hosting, basic hosting plans are, for the most part, not HIPAA compliant. To maintain compliance, hosts must guarantee that they properly implement the physical and technical safeguards HIPAA requires. This often means providing a dedicated server along with a wide range of other security components that basic plans do not include.
Does Your Website/Web Application Fall Under HIPAA Guidelines?
Remember that websites and applications only fall under HIPAA guidelines if they handle data with protected health information (PHI).
This means that basic informational websites and landing pages do not need to meet HIPAA requirements. It is, however, recommended that you implement SSL/TLS on any site pages where data is passed.
When website signups and logins interface with patient services, HIPAA compliance becomes an issue that organizations must take into account. Learn more about what HIPAA encompasses at our HIPAA Knowledge Center.
How Do I Find HIPAA Compliant Hosting?
When looking for HIPAA compliant hosting options, take note of the following:
- Many popular cloud platforms operate on a “Shared Responsibility Model”, meaning that the cloud service is responsible for certain compliance safeguards and your organization is responsible for others.
- Choose a vendor that will sign a Business Associate Agreement (BAA). This agreement clarifies that the vendor handles protected health information (PHI) in a secure manner and in line with HIPAA regulations.
- Implement applicable physical, technical, and administrative safeguards in your own organization. Just signing BAA agreements with vendors does not make your organization HIPAA compliant. Your organization must confirm proper implementation of safeguards, such as proper auditing/logging, backup, recovery, and annual risk assessments.
- When using basic cloud and web hosting options that do not sign BAAs, keep protected health information (PHI) off of their services. Check out how Dash allows organizations to maintain HIPAA compliance with Google Cloud Platform and Amazon Web Services (AWS).
The Bottom Line
Basic plans from web hosts such as GoDaddy, 1&1, and HostGator are suitable for consumer websites, such as blogs and marketing or sales sites. These solutions can be convenient for static websites and basic content, but they are not fit for building HIPAA compliant services.
Login and signup portals that interface with healthcare applications should be hosted on a cloud service that is HIPAA compliant. For simplicity, it may be easiest to build and deploy all websites and applications on one HIPAA compliant service and implement all technical, physical, and administrative safeguards required by HIPAA there.