We’ve been reaching out to dental practices in our backyard of San Francisco recently, and we’ve run across some of them using DreamHost for their email service. DreamHost was started in 1997 by four friends in a college dorm room. It has since grown to host over 1.5 million websites. If a HIPAA entity is using DreamHost for their web hosting and DreamHost also handles their email, the question naturally arises: Is DreamHost a HIPAA-compliant email provider?
We’ve covered in previous posts that a Business Associate Agreement is a written contract between a covered entity and a Business Associate. It is required by law for HIPAA-compliant email. We searched the DreamHost website and its discussion forum, and we found an answer about their support for HIPAA entities: "Can DreamHost email be considered HIPAA compliant?" "No. Especially if PHI was sitting on DreamHost’s servers in the case of IMAP. You would ideally need a signed Business Associate contract from your vendor. AFAIK, DreamHost facilities do not practice HIPAA compliance, therefore no BA contract."
Thanks to their discussion forum, this is pretty straightforward: DreamHost is not in the business of providing HIPAA-compliant email.