If your business handles Protected Health Information (PHI) — patient records, appointment data, billing information, test results — HIPAA requires you to protect it. That protection includes how it travels across networks.
Using an unencrypted connection to transmit PHI isn't just risky. It's a HIPAA violation — one that carries fines ranging from $100 to $50,000 per incident.
What HIPAA Says About Data Transmission
The HIPAA Security Rule (45 CFR §164.312) includes a specific technical safeguard requirement for transmission security:
📋 HIPAA 45 CFR §164.312(e)(1): "Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network."
Encryption is the recognized way to meet this requirement. Strictly, the Security Rule lists encryption as an "addressable" implementation specification (§164.312(e)(2)(ii)): a covered entity or business associate must implement it where reasonable and appropriate, or document why it is not and what equivalent measure is used instead. In practice, for PHI crossing any network you do not control, including remote work connections, cloud access, and mobile devices, there is no defensible alternative, and HHS's breach-notification guidance on what counts as "secured" PHI points to the NIST transport standards for data in motion (SP 800-52 for TLS, SP 800-77 for IPsec VPNs, SP 800-113 for SSL VPNs).
Who This Affects
HIPAA applies to "covered entities" and "business associates." If you're in any of these categories and your employees work remotely or use any external network, you need encrypted transmission:
- Medical practices, hospitals, and clinics
- Health insurance providers
- Healthcare clearinghouses
- Medical billing companies
- IT providers serving healthcare clients
- Legal firms handling healthcare cases
- Any business that processes, stores, or transmits PHI
The 3 HIPAA Security Rule Requirements a VPN Must Meet
Technical Safeguards
The HIPAA Security Rule's Technical Safeguards are the most directly relevant provisions for VPN use. Under 45 CFR §164.312, covered entities and business associates must implement technical policies and procedures that restrict access to ePHI to only those persons or software programs that have been granted access rights. For a VPN, this translates into three concrete controls: encryption, access control, and audit controls.
Encryption is the cornerstone. HIPAA names no cipher, and "AES-256" on a spec sheet only means something inside a sound protocol: TLS 1.2 or later, IKEv2/IPsec, or WireGuard, using an authenticated cipher mode such as AES-256-GCM or ChaCha20-Poly1305, with legacy options like PPTP and TLS 1.0 disabled. Access control means that the VPN itself must require authentication before granting access to the network. Simple username/password combinations are increasingly considered insufficient; multi-factor authentication (MFA) is now the expectation for any system that touches PHI. Audit controls require the VPN platform to generate logs of who connected, when, and from where, and whether MFA was satisfied; these records are indispensable during a HIPAA audit or breach investigation, and they are only useful if someone actually reviews them.
Many organizations make the mistake of treating their VPN as a single checkbox. In reality, the technical safeguards demand an integrated approach: encryption protects data in flight, access controls prevent unauthorized users from entering the tunnel in the first place, and audit logs create the evidentiary trail that demonstrates your controls were working. Without all three, your VPN deployment has a gap that OCR investigators will find.
Administrative Safeguards
Technical tools alone cannot satisfy HIPAA. The Administrative Safeguards under 45 CFR §164.308 require covered entities to implement policies and procedures that govern how their workforce uses the technology. Two of the most operationally significant requirements are workforce training and a formal risk analysis.
Workforce training means every employee who touches PHI — or any system that could expose PHI — must understand why encrypted connections are mandatory, how to use the VPN correctly, and what to do if they suspect a breach. Training is not a one-time event; HIPAA expects it to be ongoing and documented. If an employee bypasses the VPN to send patient records through a personal email account, the absence of documented training makes your organization significantly more liable.
Risk analysis is equally critical. HIPAA requires a thorough, accurate, and organization-wide assessment of the potential risks and vulnerabilities to ePHI. Your risk analysis should specifically evaluate the transmission pathways where PHI travels — including remote work scenarios, mobile device usage, and third-party vendor connections. The output of that risk analysis should directly inform which VPN controls you implement and how strictly you enforce them. Without a documented risk analysis that references your VPN infrastructure, you are missing a foundational administrative safeguard.
Physical Safeguards
Physical Safeguards under 45 CFR §164.310 address the physical controls around the devices and facilities that store or access ePHI. While VPNs are software solutions, they operate on hardware, and HIPAA requires that hardware to be controlled. Device controls include policies specifying which devices are authorized to connect to the VPN, how those devices are managed when they are lost or stolen, and how they are decommissioned when an employee leaves.
Facility access controls govern who can physically reach the servers, workstations, and network equipment that process PHI. For organizations using on-premises VPN gateways, this means locking server rooms, maintaining visitor logs, and restricting physical access to authorized personnel. For cloud-hosted VPN infrastructure, it means verifying that your VPN provider's data centers meet equivalent physical security standards — a question worth asking in writing before you sign any contract.
The intersection of physical and technical safeguards becomes especially important for mobile workers. A clinician accessing patient records from a laptop in a hospital break room, a billing specialist working from home on a shared family computer, or an IT administrator using a personal tablet to connect to a clinical system — each of these scenarios carries physical risks that no VPN can fully mitigate on its own. Physical Safeguards require you to define acceptable use policies, enforce device management, and ensure that the physical environment where PHI is accessed meets a reasonable standard of security.
What Makes a VPN HIPAA-Compliant?
HIPAA doesn't mandate a specific VPN product, but any VPN used to transmit PHI must meet the following criteria:
| Requirement | What It Means | CyberFence |
|---|---|---|
| Strong Encryption | AES-256 or equivalent for data in transit | ✓ AES-256 |
| Access Controls | Only authorized users can access the VPN | ✓ Account-based auth |
| Audit Controls | Ability to track who accessed what | ✓ Admin reporting (Teams) |
| Integrity Controls | Data cannot be modified in transit without detection; this needs authenticated encryption or a MAC on the tunnel, since encryption alone does not stop bit-flipping | ✓ End-to-end encryption |
| No-Logs Policy | VPN provider retains no user activity or connection records (it should never hold PHI in the first place) | ✓ Zero logs |
| Business Associate Agreement | Written agreement with VPN provider | Contact us for BAA |
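The Integrity Controls row deserves a worked illustration, because encryption by itself does not stop modification in transit. The following Python is an added example written for this page, not CyberFence code and not a real VPN protocol. It uses an HMAC-based keystream as a stand-in for an unauthenticated stream cipher, shows an on-path attacker rewriting a dose field without knowing the key, and then shows encrypt-then-MAC (the shape of what AES-GCM or ChaCha20-Poly1305 do inside a real tunnel) rejecting the same forgery. The keys, nonce and patient record are constructed for the demonstration.

```python
"""Why an encrypted tunnel is not automatically an integrity-protected one.

Added example, not CyberFence code or a real VPN protocol. The keystream
(HMAC-SHA256 in counter mode) stands in for an unauthenticated stream/CTR
mode; a production tunnel uses AES-GCM or ChaCha20-Poly1305, which build the
authentication tag shown in seal()/open_sealed() into the cipher itself.
"""
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) with no integrity protection."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def forge_field(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Attacker on the path: flip ciphertext bits so a known plaintext field
    decrypts to a chosen value. Needs no key, only knowledge of the layout."""
    if len(known) != len(wanted):
        raise ValueError("replacement must be the same length as the known field")
    ct = bytearray(ciphertext)
    for i, (k, w) in enumerate(zip(known, wanted)):
        ct[offset + i] ^= k ^ w
    return bytes(ct)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = stream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, sealed: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject on mismatch."""
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: packet modified in transit")
    return stream_xor(enc_key, nonce, ct)


# Constructed keys, nonce and record, for the demonstration only.
ENC_KEY = bytes(range(32))
MAC_KEY = bytes(range(32, 64))
NONCE = b"\x00" * 8
RECORD = b"PATIENT=10042;DIAG=F41.1;DOSE=050mg"


def demo() -> tuple:
    """Returns (what a receiver accepts without a MAC, whether the MAC caught the forgery)."""
    offset = RECORD.index(b"050mg")
    # 1. Unauthenticated tunnel: the forged packet decrypts cleanly to a new dose.
    ct = stream_xor(ENC_KEY, NONCE, RECORD)
    forged = forge_field(ct, offset, b"050mg", b"500mg")
    accepted_without_mac = stream_xor(ENC_KEY, NONCE, forged)
    # 2. Authenticated tunnel: same bit flips, but the tag no longer verifies.
    sealed = seal(ENC_KEY, MAC_KEY, NONCE, RECORD)
    forged_sealed = forge_field(sealed, offset, b"050mg", b"500mg")
    try:
        open_sealed(ENC_KEY, MAC_KEY, NONCE, forged_sealed)
        detected = False
    except ValueError:
        detected = True
    return accepted_without_mac, detected


if __name__ == "__main__":
    plaintext, caught = demo()
    print("receiver without integrity check decrypted:", plaintext)
    print("encrypt-then-MAC rejected the forgery:", caught)
```

The attacker never learns the key: because a stream cipher XORs plaintext with a keystream, XORing the ciphertext with `known ^ wanted` changes exactly the bytes of one field. That is why the vendor question is not "is it AES-256?" but "is the tunnel authenticated?", and why a bare "encryption" checkbox does not satisfy the integrity row of the table.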
The Remote Work HIPAA Problem
Before the pandemic, most healthcare data stayed within secured office networks. Remote work changed that permanently. Now:
- Medical billing staff work from home on consumer internet connections
- Nurses and clinicians access patient records from their phones
- IT staff connect to healthcare systems from coffee shops and airports
- Telehealth platforms transmit clinical data over residential networks
Every one of these scenarios requires encrypted transmission of PHI. Every unencrypted transmission is a potential HIPAA violation.
Illustrative HIPAA Breach Scenarios Involving Unencrypted Connections
Medical Biller Working From a Coffee Shop
A medical billing specialist at a mid-sized physician group regularly works remotely. On a Tuesday morning, she settles into a local coffee shop with her laptop and logs into the practice management system to process a batch of claims, each containing patient names, dates of service, diagnosis codes, and insurance identifiers. The coffee shop's Wi-Fi is open and unencrypted. A threat actor on the same network runs a passive packet-capture tool and intercepts the credentials used to log into the billing platform. (Passive capture only yields credentials when the application itself is not protected by TLS, or when the attacker goes active with a rogue access point or TLS-stripping proxy and the user clicks through the certificate warning; either way, an always-on VPN takes the local network out of the threat model.)
Within 48 hours, the attacker uses those credentials to log into the billing system and exfiltrate records for over 3,000 patients. The physician group now has a breach notification obligation under HIPAA and must report to HHS. The subsequent OCR investigation finds no VPN policy, no workforce training records, and no documented risk analysis. The result: a six-figure fine and a corrective action plan lasting two years. A mandatory VPN policy enforced at the device level would have kept the login off the open network, and MFA on the billing platform would have made a captured password useless on its own.
Nurse Accessing Patient Records on Hotel Wi-Fi
A traveling nurse working for a staffing agency checks into a hotel during a multi-week assignment at a regional hospital. That evening, she uses the hotel's guest Wi-Fi to access the hospital's electronic health record system and review care plans for her patients the next day. Hotel guest networks are notoriously insecure: they are either open or protected by a single WPA2 passphrase shared with hundreds of guests (anyone holding that passphrase who captures another guest's association handshake can decrypt that guest's traffic), and they have no network-level monitoring. Unless the EHR session is protected by TLS that she does not click past when the captive portal or an attacker triggers a certificate warning, patient names, medication orders, and clinical notes travel over this network in the clear.
Under HIPAA, the hospital is a covered entity, and the staffing agency is likely a business associate. Both organizations share responsibility for ensuring that PHI transmitted by their workforce is encrypted. When the hotel network is later found to have been compromised by a point-of-sale malware infection that also captured network traffic, the hospital must determine whether patient data was exposed. The investigation is expensive, the reporting obligations are immediate, and the reputational damage to the staffing agency's healthcare clients is lasting. A VPN requirement in the business associate agreement would have prevented the exposure entirely.
IT Admin Connecting to Healthcare Systems Remotely
An IT administrator responsible for maintaining a network of urgent care clinics receives an after-hours alert about a server issue at one of the locations. Working from a home office without a VPN, he uses an RDP connection directly exposed to the internet to access the clinic's server — a practice that is unfortunately common and widely exploited. His credentials were included in a credential-stuffing list sold on a dark web forum following an unrelated breach at a retail website where he reused his password.
Attackers using those credentials log in over RDP and, through it, reach the clinic's patient database. The failure here is not the cipher: RDP negotiates TLS, so the session bytes were encrypted. The failure is exposure and authentication. The listener answered to the entire internet, accepted a single reused password, and carried administrative privilege, so one stuffed credential meant every record in the system. HIPAA's technical safeguards apply to administrative access as much as to clinical users. Placing RDP behind a VPN gateway that enforces MFA, and firewalling TCP port 3389 so it accepts connections only from the VPN subnet, would have taken this attack path off the internet.
Telehealth Session Over Residential Internet
A licensed therapist conducting telehealth appointments from a home office uses a general-purpose video conferencing platform that is not covered by a HIPAA Business Associate Agreement. The platform routes sessions through servers in multiple jurisdictions, and the therapist's home router is running firmware that hasn't been updated in three years — a version known to have an exploitable vulnerability. During sessions, the therapist and patient discuss diagnoses, medications, and treatment plans, all of which constitute PHI under HIPAA.
A VPN alone does not resolve every risk in this scenario; the platform choice and the BAA gap are separate issues. What a VPN changes is what an attacker sitting on the compromised router can see. Conferencing platforms normally protect signaling with TLS and media with SRTP, so interception at the router yields metadata (which service was contacted, when, for how long, and the DNS lookups around it) rather than the audio itself; content becomes exposed only where that transport protection fails, for instance a downgraded session or a certificate warning clicked through. Routing the therapist's traffic through a VPN removes the home router from the trust chain and hides even that metadata from it. HIPAA requires covered entities to assess the full chain of transmission. Telehealth providers who assume that the video platform handles all encryption obligations, without verifying and documenting that assumption, are taking on significant compliance risk.
HIPAA Violation Costs Are Real
| Violation Tier | Fine Range | Example |
|---|---|---|
| Unknowing Violation | $100 – $50,000 per violation | Employee transmitted PHI on unsecured Wi-Fi |
| Reasonable Cause | $1,000 – $50,000 per violation | IT team failed to implement required encryption |
| Willful Neglect (Corrected) | $10,000 – $50,000 per violation | Known issue not addressed for months |
| Willful Neglect (Uncorrected) | $50,000 per violation, annual cap about $1.9M | Ongoing failure to encrypt PHI in transit |
These are the statutory base amounts; OCR adjusts them for inflation every year, so the current minimums and the annual cap are somewhat higher.
How to Implement a HIPAA-Compliant VPN Policy
Understanding the requirements is step one. Operationalizing them is where most organizations struggle. The following six steps provide a practical implementation roadmap that addresses both the technical and administrative dimensions of HIPAA VPN compliance.
Step 1: Risk Assessment. Before selecting or configuring a VPN, conduct a formal risk analysis that maps every pathway where ePHI travels across your network — including remote work, mobile access, third-party vendor connections, and cloud applications. Your risk analysis should identify which of those pathways are currently unencrypted, who has access to them, and what the potential impact of interception would be. Document the findings. This document becomes the foundation of your HIPAA compliance program and the primary evidence you present during an audit.
Step 2: Select a Compliant VPN. Choose a VPN provider that offers AES-256 encryption, a documented no-logs policy, US-based infrastructure (to avoid foreign data routing complications), and a willingness to sign a Business Associate Agreement. The BAA is non-negotiable — it establishes that the VPN provider understands its obligations under HIPAA and accepts shared responsibility for protecting PHI that passes through its infrastructure. Get the BAA in writing before you transmit any patient data.
Step 3: Implement Access Controls. Configure the VPN to require multi-factor authentication for every user. Maintain a current list of authorized users and revoke access immediately upon employee termination or role change. Segment network access so that VPN users can only reach the systems their role requires — a billing specialist does not need access to clinical imaging servers, and a front-desk coordinator does not need access to the pharmacy management system.
Step 4: Train Your Workforce. Issue a written VPN use policy and require every employee who handles PHI to read and acknowledge it. Training should cover why unencrypted connections are prohibited, how to connect to the VPN on each supported device, and the specific steps to take if a device is lost, stolen, or connected to a suspicious network. Repeat training annually and document each session — training records are among the first items OCR requests during an investigation.
Step 5: Document Everything for Your Audit Trail. HIPAA compliance is not just about having the right controls — it's about proving you have them. Maintain records of your risk analysis, your VPN configuration settings, your BAA with the VPN provider, your access control lists, your training logs, and any security incidents and how they were handled. Store these records for a minimum of six years as required by HIPAA's documentation retention standard.
Step 6: Review Annually. HIPAA requires that your risk analysis and security measures be reviewed periodically and whenever environmental or operational changes occur. Set a calendar reminder to review your VPN policy, access control lists, and audit logs at least once per year. When you add new remote workers, adopt new clinical applications, or change VPN providers, treat that change as a trigger for an immediate review. Compliance is a continuous process, not a one-time project.
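Steps 3 and 6 above, and the audit-control point in the Technical Safeguards section, all come down to the same routine: pull the gateway's connection log, reconcile it against the authorized-user roster, and look for logins that should not have succeeded. The script below is an added example written for this page, not CyberFence code. The key=value syslog style it parses is an assumed format (adapt `parse_line()` to whatever your gateway emits), the roster and the log lines are constructed, and the IP addresses are RFC 5737 documentation ranges. It produces the who/when/where trail an auditor asks for and flags three policy gaps: an accepted login without MFA, an accepted login on an account that should have been revoked at termination, and a burst of failed logins against one account from one source, which is the shape of the credential stuffing described in the IT admin scenario.

```python
"""Review VPN gateway logs for audit-control and access-control gaps: who
connected, when, from where; logins without MFA; logins on accounts that
should have been revoked; and password-guessing bursts.

Added example, not CyberFence code. The key=value syslog style below is an
assumed format; adapt parse_line() to the fields your gateway emits. The
roster would come from HR or your identity provider; here it is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed roster. Per Step 3, rmiller's access should have been revoked
# on the termination date, so any later accepted login is a finding.
ROSTER = {
    "jdoe": {"role": "billing", "terminated": None},
    "ssmith": {"role": "clinical", "terminated": None},
    "rmiller": {"role": "it-admin", "terminated": datetime(2024, 3, 1)},
}

# Constructed log lines (RFC 5737 documentation addresses, invented users).
SAMPLE_LOG = """\
2024-03-12T08:14:02Z vpn-gw user=jdoe src=203.0.113.7 mfa=yes result=accept
2024-03-12T08:20:45Z vpn-gw user=ssmith src=198.51.100.23 mfa=no result=accept
2024-03-12T22:03:10Z vpn-gw user=rmiller src=192.0.2.88 mfa=yes result=accept
2024-03-12T23:11:01Z vpn-gw user=jdoe src=192.0.2.150 mfa=na result=reject
2024-03-12T23:11:04Z vpn-gw user=jdoe src=192.0.2.150 mfa=na result=reject
2024-03-12T23:11:07Z vpn-gw user=jdoe src=192.0.2.150 mfa=na result=reject
2024-03-12T23:11:10Z vpn-gw user=jdoe src=192.0.2.150 mfa=na result=reject
2024-03-12T23:11:13Z vpn-gw user=jdoe src=192.0.2.150 mfa=na result=reject
"""


def parse_line(line: str) -> dict:
    """'<ISO-8601 UTC> <host> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts_text, host, *fields = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"), "host": host}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def audit_summary(events: list) -> list:
    """The evidentiary trail an auditor asks for: (when, who, from where)."""
    return [(e["ts"].isoformat(), e["user"], e["src"]) for e in events if e["result"] == "accept"]


def review(events: list, roster: dict, threshold: int = 5,
           window: timedelta = timedelta(minutes=5)) -> list:
    """Return policy findings as dicts with a stable 'code' for triage."""
    findings = []
    rejects = defaultdict(list)  # (user, src) -> timestamps of failed logins

    def flag(ev, code):
        findings.append({"when": ev["ts"].isoformat(), "user": ev["user"],
                         "src": ev["src"], "code": code})

    for ev in events:
        if ev["result"] != "accept":
            rejects[(ev["user"], ev["src"])].append(ev["ts"])
            continue
        entry = roster.get(ev["user"])
        if entry is None:
            flag(ev, "UNKNOWN_USER")
        elif entry["terminated"] and ev["ts"] >= entry["terminated"]:
            flag(ev, "ACCESS_AFTER_TERMINATION")
        if ev.get("mfa") != "yes":
            flag(ev, "NO_MFA")

    # A burst of failures from one source against one account is the shape of
    # credential stuffing; flag it once per (user, source) pair.
    for (user, src), times in rejects.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                findings.append({"when": times[i].isoformat(), "user": user,
                                 "src": src, "code": "BRUTE_FORCE"})
                break
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for row in audit_summary(evs):
        print("connected:", *row)
    for f in review(evs, ROSTER):
        print("FINDING:", f["code"], f["user"], f["src"], f["when"])
```

Run against the constructed log, it reports `ssmith` connecting without MFA, `rmiller` connecting eleven days after termination, and five rejected attempts on `jdoe` from one address inside twelve seconds. Each finding maps to a documented control (MFA enforcement, revocation on termination, lockout or rate limiting), which is exactly the evidence trail Step 5 says you must be able to produce; keep the log input and the review output with your annual review records.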
CyberFence for Healthcare Compliance
Carlos Perez is the Founder of CyberFence. Before launching CyberFence, he worked at Avanade, Accenture, and Microsoft, keeping enterprises safe. But he saw a clear problem — enterprise-level protection wasn't reaching the people who needed it most. CyberFence was built to close that gap — bringing powerful, enterprise-grade security into a simple, modern platform designed for businesses & everyday users.
CyberFence Teams provides:
- AES-256 VPN encryption for all PHI in transit
- US-based server infrastructure — no foreign data routing
- Zero-logs policy — we don't store user activity data
- Unlimited devices and users — every employee covered
- Compliance documentation for your HIPAA audit trail
- Business Associate Agreement (BAA) available upon request
- Web Shield — blocks malware and phishing attempts targeting healthcare staff
Beyond HIPAA: NIST, CMMC, and SEC
CyberFence also supports compliance with:
- NIST Cybersecurity Framework — used by government contractors and federal agencies
- CMMC (Cybersecurity Maturity Model Certification) — required for DoD contractors
- SEC Cybersecurity Rules — disclosure and risk management requirements for financial firms
Questions to Ask Your VPN Provider Before Signing
Not every VPN marketed as "HIPAA-compliant" actually meets the full set of requirements. Before committing to a VPN vendor for your healthcare organization, ask these eight questions — and require written answers you can include in your compliance documentation.
- Will you sign a Business Associate Agreement? If the answer is no or hesitant, stop the conversation. A BAA is a legal requirement for any vendor that processes, transmits, or stores PHI on your behalf. A VPN provider unwilling to sign one either doesn't understand HIPAA or is unwilling to accept its obligations under it.
- What protocol and cipher suite do you use, and are legacy protocols disabled? AES-256 is the figure every vendor quotes, but the protocol around it matters more. Ask for IKEv2/IPsec, OpenVPN over TLS 1.2 or later, or WireGuard, with an authenticated cipher mode (AES-GCM or ChaCha20-Poly1305), and confirm that PPTP, L2TP without IPsec, and TLS 1.0/1.1 are switched off. Ask how the key exchange and the authentication handshake are protected, not just the data tunnel. Remember that a VPN encrypts from your device to the provider's gateway, not end to end: traffic leaving the gateway toward the application relies on the application's own TLS, so your in-house systems must still use it.
- What is your logging policy, and what data do you retain about user sessions? A true no-logs policy means the provider retains no records of user activity, connection timestamps, or IP addresses. However, your organization may actually need session logs for HIPAA audit control purposes — clarify whether the provider offers audit logging for your administrative use while maintaining a no-logs policy on their end.
- Where are your servers physically located, and who has physical access to them? US-based infrastructure avoids international data transfer complications. Ask whether the provider's data centers are SOC 2 Type II certified and whether they can provide documentation of physical security controls — these directly correspond to HIPAA's Physical Safeguards requirements.
- Do you support multi-factor authentication, and is it enforced or optional? MFA should be mandatory, not a setting that individual users can opt out of. Confirm that your administrator can enforce MFA organization-wide and that the platform supports standard second factors such as authenticator apps or hardware keys.
- What happens to our data if your company is acquired, goes out of business, or changes its privacy policy? VPN providers change ownership. Understand what protections are in place for your organization's data and your BAA obligations in the event of a corporate transaction. Your BAA should include provisions addressing these scenarios.
- How do you handle security incidents, and what is your breach notification process? HIPAA requires business associates to notify covered entities of a breach of unsecured PHI without unreasonable delay and no later than 60 days after discovery. Ask the provider what their incident response process looks like, whether they have cyber liability insurance, and how they would notify you in the event of a security event affecting your organization's data.
- Can you provide compliance documentation we can use in our HIPAA audit trail? A HIPAA-ready VPN provider should be able to supply documentation of their security controls, encryption standards, and data handling practices in a format you can include in your compliance records. If they cannot, you will have difficulty demonstrating to an OCR auditor that your VPN selection was due-diligent.
The Bottom Line
If your business handles Protected Health Information, using an unencrypted connection isn't just risky — it's a liability. HIPAA requires encrypted transmission of PHI, and VPN encryption is the most practical way to ensure every remote connection meets that standard.
CyberFence is designed by a cybersecurity firm that understands compliance requirements. Contact us about the CyberFence Teams plan for healthcare — including Business Associate Agreement availability.