No, Bluehost isn’t HIPAA-compliant. Its website states that customers shouldn’t use its services to store protected health information (PHI).
Bluehost doesn’t offer the privacy and security features required to comply with federal HIPAA regulations. While some web hosts provide higher-priced plans to support covered entities with HIPAA compliance, Bluehost doesn’t offer any plans that meet HIPAA standards.
Bluehost provides customers with a variety of security features, including SSL certificates and HTTPS. While encrypting traffic in transit is a necessary step toward HIPAA compliance, it isn't sufficient on its own. HIPAA's Security Rule also requires technical safeguards such as access controls and audit controls (logging who accessed PHI and when), as well as physical safeguards, including facility access controls that protect the server equipment itself.
It’s a breach of the user agreement to store PHI on Bluehost servers. The company is transparent that its services aren’t authorized for patient health data and identifiable medical information. No Bluehost tools, including shared hosting, dedicated hosting, and email, should be used for PHI.
Since Bluehost doesn’t provide HIPAA-compliant services, the company won’t sign a business associate agreement (BAA). Covered entities that need web hosting services for PHI should choose a different service that meets HIPAA requirements.