One Missing Signature That Puts Virtually Every GoDaddy Medical Site Out of Compliance
GoDaddy will not sign a BAA for hosting, WordPress, or its forms, which makes virtually every patient form on a GoDaddy medical site both a HIPAA violation and a breach of GoDaddy's own terms.
GoDaddy will sign a Business Associate Agreement for exactly one of its products: Microsoft 365 email. Not website hosting. Not Managed WordPress. Not its website-builder forms. None of those are offered as HIPAA-eligible, and GoDaddy will not execute a BAA that covers them. That single fact is the whole article.
Why one missing signature is the entire ballgame
HIPAA lets your practice put patient information in a vendor's hands only if that vendor has signed a BAA (45 CFR 164.502(e), 164.308(b)). With no BAA, the disclosure of PHI to that vendor is impermissible the instant it happens. The violation is not mishandling the data later. It is the data being there at all, on a platform that never agreed to protect it. So the chain is simple:
- A patient submits information through a form on your GoDaddy site.
- That information lands in and passes through GoDaddy's systems.
- GoDaddy has no BAA with you and will not sign one.
- The disclosure is impermissible. That is a violation, on every submission.
It is not only a HIPAA problem, it is a breach of GoDaddy's own agreement
Here is the part most practices never read. GoDaddy's Hosting Services Agreement (last revised 5/27/2026) states, in the "Storage and Security" section, in plain language:
"The Hosting Services are not intended to provide a PCI (Payment Card Industry) or HIPAA (Health Insurance Portability and Accountability Act) compliant environment and therefore should not be used or considered as one."
That covers all of it: Web Hosting, Managed WordPress, VPS. GoDaddy is telling you, in writing, not to use the service for HIPAA data. And where the agreement addresses Protected Health Information by name, it removes any remaining doubt:
"You will not submit through the Hosting Services any unencrypted Protected Health Information, as defined in the Health Insurance Portability and Accountability Act ("HIPAA") ("PHI"); You will not submit through the Hosting Services any encrypted PHI unless the Parties have entered into a mutually acceptable Business Associate Agreement ("BAA") in accordance with HIPAA."
Read those two lines together, because they close every door. Unencrypted PHI: prohibited outright. Encrypted PHI: prohibited unless you have a BAA, and GoDaddy will not sign one for hosting. There is no version of collecting patient information on GoDaddy hosting that its own terms permit.
So one setup exposes the practice on two fronts. A regulator can act on the HIPAA violation. And GoDaddy reserves the right to pull the site for the terms violation:
"...we reserve the right to remove your server, website, or any content temporarily or permanently if you are in violation of this Service Agreement..."
You can read the agreement yourself at godaddy.com/legal/agreements/hosting-agreement.
"But my form does not ask for medical information." Yes, it does
This is where practices talk themselves out of the problem, and it is where they are most wrong. PHI is not just diagnoses and chart notes. It is any information that identifies a person and relates to their health or their care. On a provider's website you clear that bar constantly:
- An appointment request with a name and a phone number. That alone ties an identifiable person to seeking care from you. That is PHI.
- A "Select your reason for visit" dropdown: Routine Cleaning, Tooth Pain, Cosmetic Consultation, Pediatric Visit. There is no free-text box, and it does not matter. The patient selected a clinical category. "Name plus tooth pain" is health information about an identifiable person. A dropdown is a cleaner, more structured record of health intent than a paragraph would be, not a safer one.
- A med spa's "What are you interested in?" menu: Botox, weight loss, laser. Same thing.
- A contact form on a page about a specific treatment or condition, submitted with a name. The context makes it PHI.
The myths sound reasonable and are all wrong. "There is no free-text field, so there is nothing sensitive." "We only collect name and email." If a patient tells you anything in order to be seen, that form collects PHI. On GoDaddy, that form is a violation.
WordPress on GoDaddy does not save you
Running self-hosted WordPress instead of the site builder changes nothing about the host. GoDaddy is still holding and transmitting the data, still with no BAA, and Managed WordPress is named in the same agreement as everything else. It usually stacks a second problem on top: the common free form plugins (Contact Form 7, WPForms free, and the like) email submissions in plaintext to whatever inbox you use, frequently one with no BAA either. Two impermissible disclosures from one form.
And it is usually worse than the form
Most GoDaddy practice sites also run a Meta Pixel or Google Analytics. When those load on a page where a patient is entering information, they can transmit that activity to Meta and Google, neither of whom will sign a BAA with you either. Regulators have treated exactly this pattern, tracking scripts on health-related pages, as an unauthorized disclosure of PHI. So the same page can leak in two directions at once: to the host with no BAA, and to an ad network with no BAA.
The risk, straight
No scare tactics. Here is the honest assessment, and it is high.
- Severity: high. HIPAA penalties are assessed per violation and scale with culpability, from roughly a few hundred dollars to over $70,000 per violation (the tiers adjust for inflation each year), with annual caps north of $2 million per category. "Per violation" can mean per record or per patient. One exposed intake form is not one violation. It is one per submission.
- It is not only OCR. State attorneys general enforce HIPAA too. And if PHI is actually exposed, for example through those trackers, you may trigger breach notification: telling every affected patient, and at 500 or more people, the media and HHS's public breach portal.
- Now add the terms violation. Even setting the regulator aside, your site runs on a host whose own agreement forbids this use and reserves the right to suspend or remove it.
- The condition is certain. The trigger is not. If you are on GoDaddy collecting patient information, the gap is live right now, on every submission. What you do not control is when it surfaces: a breach, a patient complaint, a departing employee, a plaintiff's attorney. The violation sits there, dated and documented, the entire time. That is what makes it high-risk: not that a penalty is guaranteed, but that the exposure is continuous and the downside is severe.
Why "virtually," and not "every"
There are narrow ways to be the exception. If your GoDaddy site collects nothing from patients, or your intake is an embedded form from a vendor that has signed a BAA with you, or your form posts to a separate HIPAA-eligible database rather than to GoDaddy, you may be clear. Those setups exist. They are rare, and they are easy to confirm. If you are not certain yours is one of them, assume it is not.
What compliant actually looks like
The fix is specific, not complicated. Patient information can only be collected and stored on tools that will sign a BAA and are configured to hold PHI. In practice that means moving intake off the GoDaddy form onto a BAA-backed form and host, and getting tracking scripts off any page where patients enter data. Your marketing pages can stay where they are. Your intake cannot.
Find out where you stand
We run a free exposure check for practices. Give us your public website and we will tell you exactly where patient information is being collected or leaked without a BAA behind it. No pitch, just the findings.
This article is general information, not legal advice. Your specific obligations depend on your setup, which is what an audit clarifies.