IPOWER is a web, domain name, and email hosting provider. Many healthcare organizations use such solutions to help them better connect and communicate with employees, patients, and other healthcare providers. To do so, however, those within the healthcare industry need to work with companies that are HIPAA compliant.
In the healthcare industry, sensitive protected health information (PHI) must be safeguarded under HIPAA. A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. IPOWER states on its website that it is not HIPAA compliant and will not sign a BAA.
IPOWER is a web hosting and domain registration service. Originally created as iPower, it was acquired by the Endurance International Group (EIG) in 2011 and rebranded as IPOWER. EIG also owns similar companies Bluehost, Constant Contact, and Hostgator, among others.
Through a control panel, IPOWER provides a comprehensive suite of online services for small and medium-sized businesses worldwide. In all, it offers access to over 200 tools and services on a variety of plans.
Learn about: HIPAA compliant web hosts to consider for your practice
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates (i.e., vendors) of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:
The agreement is required by law for HIPAA compliance and is considered the primary item to consider when it comes to IPOWER and its ability to be HIPAA compliant. IPOWER is a business associate of a healthcare organization if it accesses or displays PHI, such as a name.
Related: How to know if you're a business associate
Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. We haven’t checked in with IPOWER since 2015. Then, the company’s user agreement clearly stated that it was not HIPAA compliant. As of January 11, 2024, its updated Terms of Service on January 11, 2024, still emphasizes that “IPOWER Services do not comply with [HIPAA].”
According to its HIPAA Disclaimer at the bottom of the terms, IPOWER will not sign a BAA. Moreover, users must “agree that IPOWER is not a Business Associate or subcontractor or agent of yours pursuant to HIPAA.” It is necessary to note that EIG does not mention a BAA or HIPAA anywhere on its website. Moreover, EIG company Bluehost also asserts that it will not sign a BAA either.
Maintaining a website is complex, and covered entities need to ensure that their websites are HIPAA compliant. While web hosts can be HIPAA compliant as business associates, that is not always the case. Covered entities must consider the administrative, physical, and technical safeguards that a vendor utilizes to protect PHI. With the increasing importance of data privacy and security, all healthcare business associates who collect, store, or process PHI are subject to HIPAA regulations.
Within its HIPAA Disclaimer, IPOWER adds that users “are solely responsible for compliance with all applicable laws governing the privacy and security of personal data, including medical or other sensitive data.” IPOWER further adds that it is not “appropriate” to store PHI as the company does not control or monitor users’ data. Storing or permitting access to PHI is, in fact, grounds for immediate account termination.
The BAA is a necessary component of HIPAA compliance and IPOWER states that it will not sign an agreement.
Conclusion: IPOWER is not HIPAA compliant.
Healthcare providers know that clear and efficient communication with patients is necessary to run a successful practice. When evaluating a platform’s HIPAA compliance, especially on the cloud, consider the following security needs beyond a BAA: