Is GoDaddy HIPAA Compliant?
GoDaddy is not HIPAA compliant for its web hosting services. However, organizations that subscribe to a Business Professional or a Premium Security Microsoft 365 account through GoDaddy can take advantage of a HIPAA compliant email service that allows them to send and receive emails containing Protected Health Information using their domain name.
GoDaddy is a domain name registrar and web hosting company that provides tools to help build and promote websites, host marketplaces, and collect payments. The company also offers advanced security features to protect websites from malicious bots, brute force hacks, and DDoS attacks. Other add-ons perform updates for plugins, backups, and search engine optimization.
Despite its advanced security features, and the option to host websites on dedicated servers, GoDaddy does not support HIPAA compliance for its web hosting services. This is because GoDaddy leases most of its data centers and is not responsible for their physical security. Therefore, GoDaddy is unable to comply with the physical safeguards of the HIPAA Security Rule.
What this means for HIPAA covered entities and business associates is that it is not possible to use a GoDaddy hosted website to collect and transmit Protected Health Information (PHI) unless a plugin is used that bypasses GoDaddy’s servers. In this case, the use of the plugin must comply with GoDaddy’s terms of service (specifically clause #5) and hosting agreement (specifically clause #10.3).
What it is possible for HIPAA covered entities and business associates to do is to purchase a domain name from GoDaddy and use the domain name to send and receive emails containing PHI. In order to do this, organizations must subscribe to a Business Professional or a Premium Security Microsoft 365 account through GoDaddy and agree to the Microsoft Business Associate Agreement.
The GoDaddy HIPAA Compliant Email Service
The GoDaddy HIPAA compliant email service operates through a version of Microsoft Outlook that supports HIPAA compliance. It is a good option for individuals and smaller organizations that require emails to be HIPAA compliant – but nothing else – because the cost-per-user can be up to half of that of a HIPAA compliant Microsoft 365 subscription depending on whether email archiving is required.
The process for setting up the GoDaddy HIPAA compliant email service consists of purchasing a domain name from GoDaddy and subscribing to a Business Professional or a Premium Security Microsoft 365 account (the difference between the two being the email archiving service). Then connect the domain name to the Microsoft 365 account in the GoDaddy admin portal and create an email address.
To qualify the email service as HIPAA compliant, click “Add-Ons” in the navigation pane on the left side of the admin portal screen. Next to “HIPAA compliant email”, select “Get Started”. Read and agree to the Business Associate Agreement and enter your contact details so Microsoft can contact you in the event of a data breach. Finally, click “Accept & Send”. The account is immediately available to send emails containing PHI via the new domain name.
Although there is not a lot involved in setting up a GoDaddy HIPAA compliant email service, it is important to secure the devices on which emails will be received to prevent unauthorized access. It is also important to be aware that Microsoft’s Business Associate Agreement only covers the email service. It does not cover any of the other Microsoft apps included in the GoDaddy subscription (e.g., Word, Excel, Teams, etc.).
Further Information about the GoDaddy Email Service
The GoDaddy email service allows individuals and smaller organizations covered by HIPAA to create and use a domain-based email address (i.e., an address at the organization’s own domain) to send and receive emails containing PHI at a reasonable cost. Emails can be accessed via office.com or the Outlook app, all email content is encrypted, Advanced Email Security is included in the price, and each user receives 50 GB of storage space.
Larger organizations may find it difficult to comply with the audit requirements of the Security Rule (§164.312(b)). Alternatively, it may be necessary to link the GoDaddy HIPAA compliant email service with other HIPAA compliant apps to support collaboration (e.g., OneDrive). In this case it would be better to subscribe to a Microsoft 365 account that supports compliance and includes HIPAA compliant email. Organizations unsure of the best option for their situation should speak with a compliance advisor.