IPOWER is a web, domain name, and email hosting provider. Many healthcare organizations use such solutions to help them better connect and communicate with employees, patients, and other healthcare providers. To do so, however, those within the healthcare industry need to work with companies that are HIPAA compliant.
In the healthcare industry, sensitive protected health information (PHI) must be safeguarded under HIPAA. A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. IPOWER states on its website that it is not HIPAA compliant and will not sign a BAA.
What is IPOWER?
IPOWER is a web hosting and domain registration service. Originally created as iPower, it was acquired by the Endurance International Group (EIG) in 2011 and rebranded as IPOWER. EIG also owns similar companies Bluehost, Constant Contact, and Hostgator, among others.
Through a control panel, IPOWER provides a comprehensive suite of online services for small and medium-sized businesses worldwide. In all, it offers access to over 200 tools and services on a variety of plans.
Learn about: HIPAA compliant web hosts to consider for your practice
Is IPOWER a business associate?
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates (i.e., vendors) of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:
- Permitted uses and disclosures of PHI
- Safeguards for protecting PHI
- Reporting and mitigation of security incidents
- Compliance with HIPAA regulations
- Dispute resolution and termination clauses
The agreement is required by law for HIPAA compliance and is considered the primary item to consider when it comes to IPOWER and its ability to be HIPAA compliant. IPOWER is a business associate of a healthcare organization if it accesses or displays PHI, such as a name.
Related: How to know if you're a business associate
IPOWER and the BAA
Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. We haven’t checked in with IPOWER since 2015. Then, the company’s user agreement clearly stated that it was not HIPAA compliant. As of January 11, 2024, its updated Terms of Service on January 11, 2024, still emphasizes that “IPOWER Services do not comply with [HIPAA].”
According to its HIPAA Disclaimer at the bottom of the terms, IPOWER will not sign a BAA. Moreover, users must “agree that IPOWER is not a Business Associate or subcontractor or agent of yours pursuant to HIPAA.” It is necessary to note that EIG does not mention a BAA or HIPAA anywhere on its website. Moreover, EIG company Bluehost also asserts that it will not sign a BAA either.
IPOWER, web hosting, and data security
Maintaining a website is complex, and covered entities need to ensure that their websites are HIPAA compliant. While web hosts can be HIPAA compliant as business associates, that is not always the case. Covered entities must consider the administrative, physical, and technical safeguards that a vendor utilizes to protect PHI. With the increasing importance of data privacy and security, all healthcare business associates who collect, store, or process PHI are subject to HIPAA regulations.
Within its HIPAA Disclaimer, IPOWER adds that users “are solely responsible for compliance with all applicable laws governing the privacy and security of personal data, including medical or other sensitive data.” IPOWER further adds that it is not “appropriate” to store PHI as the company does not control or monitor users’ data. Storing or permitting access to PHI is, in fact, grounds for immediate account termination.
Is IPOWER HIPAA compliant?
The BAA is a necessary component of HIPAA compliance and IPOWER states that it will not sign an agreement.
Conclusion: IPOWER is not HIPAA compliant.
Understanding HIPAA compliance
Healthcare providers know that clear and efficient communication with patients is necessary to run a successful practice. When evaluating a platform’s HIPAA compliance, especially on the cloud, consider the following security needs beyond a BAA:
- Technical safeguards: Mitigate risks associated with cyber threats, hacking, malware, and other security incidents with strong technical safeguards. Such tools as perimeter defenses (e.g., firewalls) and HIPAA compliant email are equally vital for extra protection.
- Employee training: Ensure all staff members have up-to-date knowledge of HIPAA regulations and best practices. Regular training sessions can help prevent unintentional, employee-related breaches.
- Regular audits: Perform periodic assessments of all systems and processes to ensure that they remain compliant. Adapt to any changes in regulations or technology.
- Data access controls: Implement stringent controls, such as multifactor authentication, on who can access PHI and under what circumstances.
Kapua Iao
