HIPAA and Virtual Private Networks (VPNs)

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Introduction

This article discusses the HIPAA Security Rule and the use of virtual private networks (VPNs) and which part of the Security Rule is implicated by the use of virtual private networks.

What is a Virtual Private Network (VPN)?

According to the National Institute of Standards and Technology (NIST), a VPN "is a virtual network built on top of existing physical networks that provides a secure communications mechanism for data and control information transmitted between computers or networks." (Page "v".) NIST also notes that "VPNs protect communications carried over public networks, such as the internet, as well as private networks..... A VPN can provide several types of data protection, including confidentiality, integrity, data origin authentication,....... and access control."

Does HIPAA Require the Use of a Virtual Private Network?

Under the HIPAA Security Rule, HIPAA-covered entities (covered entities and business associates) should adopt and follow security measures to prevent unauthorized access to ePHI, that is transmitted over an electronic communications network.

Sensitive or protected data transmitted over a network should be protected from unauthorized access or disclosure. Data transmission safeguards must prevent modification or corruption, or alert in the event of data modification or corruption.

While HIPAA does not specifically require the use of VPNs, a properly configured VPN can be used to secure remote access to ePHI, and can be used, as noted above, to protect data confidentiality and integrity. As noted above, a VPN can provide for data origin authentication and access control.