Bluehost has stated that it does not enable HIPAA compliance and that customers shouldn’t use its services to store protected health information (PHI).
Bluehost provides customers with a variety of security features, including SSL certificates and HTTPS. While these features are necessary steps toward HIPAA compliance, they aren’t enough on their own. HIPAA compliance also requires access controls and audit controls for digital security. Additionally, facility controls must include physical safeguarding of server equipment.
The company is transparent that its services aren’t authorized for patient health data and identifiable medical information.
Covered entities that need web hosting services for PHI should choose a service that meets HIPAA requirements.