Does HIPAA Require a VPN?
HIPAA does not explicitly require VPNs. However, HIPAA's Security Rule requires that Protected Health Information (PHI) transmitted over networks be encrypted. A VPN is one way to satisfy this requirement for remote access scenarios. The requirement applies to: telehealth consultations conducted over public networks, remote access to EHR systems from home or traveling, and transmission of patient data between provider locations over the public internet.
What a VPN Actually Protects
A VPN encrypts the traffic between your device and the VPN server. This protects against: network-level eavesdropping (particularly relevant on public Wi-Fi), your ISP logging your traffic, and man-in-the-middle attacks on unencrypted connections. It does not protect against: malware on your device, phishing attacks that steal your credentials, or breaches at the VPN provider itself. A VPN is one layer of a defense-in-depth strategy, not a complete compliance solution.
Healthcare-Specific VPN Requirements
For healthcare compliance, your VPN configuration should include: end-to-end encryption (AES-256 minimum), a kill switch that blocks all data transmission if the VPN tunnel drops, and a Business Associate Agreement (BAA) with the VPN provider if PHI passes through their servers. Not all consumer VPN providers will sign a BAA. Enterprise solutions (Cisco AnyConnect, Palo Alto GlobalProtect) are designed for this use case and come with the appropriate compliance documentation.
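The encryption requirement above is only met if the client profile actually pins strong settings; a profile that leaves the cipher to defaults or allows an old TLS version can negotiate something weaker than AES-256. The script below is an added example (not code from this page or from the OpenVPN project) that audits an OpenVPN client profile for the settings a healthcare deployment should pin: an AES-256 data cipher, a SHA-2 HMAC, TLS 1.2 or newer on the control channel, and server certificate purpose checking. The directive names are real OpenVPN directives; the two sample profiles and the hostname in them are constructed for illustration.

```python
"""Audit an OpenVPN client profile for healthcare-grade encryption settings.

Added example, not from the page or the OpenVPN project. Directive names
(cipher, data-ciphers, auth, tls-version-min, remote-cert-tls) are real
OpenVPN directives; the sample profiles below are constructed.
"""

# Only AES-256 data-channel ciphers satisfy the "AES-256 minimum" requirement.
STRONG_CIPHERS = {"AES-256-GCM", "AES-256-CBC"}
# HMAC algorithms acceptable for CBC-mode ciphers (GCM ignores the auth directive).
STRONG_HMAC = {"SHA256", "SHA384", "SHA512"}


def parse_directives(profile: str) -> dict:
    """Map each directive name to the list of argument lists it appears with.

    Comment lines and inline <ca>/<cert>/<key> blocks are skipped, because
    their contents are certificate material rather than directives.
    """
    directives = {}
    in_block = False
    for raw in profile.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("</"):      # end of an inline block
            in_block = False
            continue
        if line.startswith("<"):       # start of an inline block
            in_block = True
            continue
        if in_block:
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def audit_profile(profile: str) -> list:
    """Return a list of findings; an empty list means the profile passes."""
    d = parse_directives(profile)
    findings = []

    # Data channel: OpenVPN 2.5+ negotiates from data-ciphers, older clients use cipher.
    # Every listed cipher must be AES-256, otherwise negotiation may pick a weaker one.
    ciphers = set()
    for args in d.get("data-ciphers", []):
        ciphers.update(c.upper() for c in ":".join(args).split(":") if c)
    for args in d.get("cipher", []):
        ciphers.update(c.upper() for c in args)
    if not ciphers:
        findings.append("no cipher/data-ciphers directive: client falls back to defaults")
    weak = sorted(ciphers - STRONG_CIPHERS)
    if weak:
        findings.append("cipher(s) below AES-256 allowed: " + ", ".join(weak))

    # HMAC for CBC ciphers: OpenVPN defaults to SHA1 when auth is not set.
    hmacs = {a.upper() for args in d.get("auth", []) for a in args}
    if hmacs:
        weak_hmac = sorted(hmacs - STRONG_HMAC)
        if weak_hmac:
            findings.append("weak HMAC: " + ", ".join(weak_hmac))
    elif any(c.endswith("-CBC") for c in ciphers):
        findings.append("auth not set: CBC cipher falls back to SHA1 HMAC")

    # Control channel: require TLS 1.2 or newer.
    tls_min = d.get("tls-version-min", [])
    try:
        version = float(tls_min[-1][0])
    except (IndexError, ValueError):
        findings.append("tls-version-min missing: older TLS versions accepted")
    else:
        if version < 1.2:
            findings.append("tls-version-min %s is below 1.2" % tls_min[-1][0])

    # Without remote-cert-tls server, any certificate from the same CA (for
    # example another client's) would be accepted as the VPN server.
    if ["server"] not in [[a.lower() for a in args] for args in d.get("remote-cert-tls", [])]:
        findings.append("remote-cert-tls server missing: server certificate purpose not checked")

    return findings


# Constructed sample profiles (hostname is a placeholder, not a real server).
WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example-clinic.invalid 1194
cipher BF-CBC
auth SHA1
<ca>
(constructed placeholder, not a real certificate)
</ca>
"""

STRONG_PROFILE = """\
client
dev tun
proto udp
remote vpn.example-clinic.invalid 1194
data-ciphers AES-256-GCM:AES-256-CBC
auth SHA256
tls-version-min 1.2
remote-cert-tls server
auth-nocache
"""

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("strong", STRONG_PROFILE)):
        print(label, "profile:", audit_profile(profile) or "no findings")
```

Run it against your own exported `.ovpn` file by reading it into a string and passing it to `audit_profile`; any finding it returns is a setting to raise with the VPN administrator before the profile is used for PHI access. The check is deliberately strict about `data-ciphers`: listing AES-128 alongside AES-256 lets the server pick the weaker one, so it is reported even when AES-256 is also present.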
Consumer VPNs vs. Enterprise VPNs for Healthcare
For individual practitioners accessing EHR systems: a consumer VPN with a kill switch (ExpressVPN, NordVPN, ProtonVPN) provides adequate encryption for most remote access scenarios. For organizations with multiple staff accessing PHI remotely: an enterprise VPN solution with centralized management, audit logging, and a BAA is the appropriate choice. The EHR vendor typically mandates which connection methods are approved, so check their requirements first.