Does HIPAA Require the Use of a Virtual Private Network (VPN)?

Modified on Tue, 5 Mar at 11:19 AM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

According to Microsoft, a virtual private network (VPN) establishes a digital connection between someone's computer and a remote server owned by a VPN provider, creating a point-to-point tunnel that encrypts personal data, masks a user's IP address, and lets the computer user sidestep website blocks and firewalls on the internet. This is intended to make a user's online experiences private, protected, and more secure. Note that the protection applies to traffic inside the tunnel, that is, between the user's device and the VPN server; traffic beyond the VPN server is only as protected as the protocol carrying it.

Per Microsoft, by its very definition, a VPN connection is:

  • Virtual because no physical cables are involved in the connection process.

  • Private because through this connection, no one else can see your data or browsing activity.

  • Networked because multiple devices—your computer and the VPN server—work together to maintain an established link.

Does HIPAA Require the Use of a Virtual Private Network?
A VPN is one kind of transmission security measure under the HIPAA Security Rule's Transmission Security standard (45 CFR § 164.312(e)). The HIPAA regulations do not require the use of a virtual private network; no specific technology is mandated. However, covered entities and business associates should consider using one. The standard's integrity controls implementation specification provides that organizations "Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of," and its encryption specification calls for a mechanism to encrypt ePHI whenever deemed appropriate. Both specifications are addressable: an organization must implement them when reasonable and appropriate, or else document why they are not reasonable and appropriate and implement an equivalent alternative measure where one is.

Typically, to implement the transmission security integrity controls measures, covered entities and business associates must ensure that all wired and wireless transmissions of ePHI use secure (encrypted) protocols and that all remote access to ePHI is by secure methods only. A VPN can be used to ensure that remote access is by secure methods only. Keep in mind that a VPN protects ePHI only while it travels through the tunnel between the user's device and the VPN endpoint; it does not replace encryption within applications (such as TLS), access controls, or audit logging on the systems that store the ePHI.
