DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website does not, and is not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
According to Microsoft, a virtual private network (VPN) establishes a digital connection between someone's computer and a remote server owned by a VPN provider, creating a point-to-point tunnel that encrypts personal data, masks a user's IP address, and lets the computer user sidestep website blocks and firewalls on the internet. This ensures that a user's online experiences are private, protected, and more secure.
Per Microsoft, by its very definition, a VPN connection is:
- Virtual because no physical cables are involved in the connection process.
- Private because through this connection, no one else can see your data or browsing activity.
- Networked because multiple devices—your computer and the VPN server—work together to maintain an established link.
Does HIPAA Require the Use of a Virtual Private Network?
HIPAA-covered entities (covered entities and business associates) should adopt and follow security measures to protect the confidentiality and integrity of electronic protected health information (ePHI) that is transmitted over a network.
Sensitive or protected data transmitted over a network should be protected from unauthorized access or disclosure. Data transmission safeguards must prevent modification or corruption, or alert in the event of data modification or corruption.
An organization may implement the following security measures for electronic protected health information (ePHI) in transit:
1. Sensitive or protected data, including ePHI, should be securely encrypted during transmission, unless a patient explicitly requests to (and consents to) receive such data unsecured. Patients who request unsecured data transmissions should be made aware of the risks of such transmissions (including interception in transit) before being sent such transmissions.
2. Remote access to ePHI should be secure, such as over a Virtual Private Network (VPN).
3. End-to-end email encryption