A friend of mine is asking for some technical help with a VPN that she was told is required for HIPAA compliance so that “documents they upload are encrypted”. They are under the impression that they need a public VPN like ExpressVPN or NordVPN that they will connect to when “uploading documents to the insurance company’s website”, for example. I work in IT and this sounded strange to me as a public VPN would only be encrypting their traffic to the VPN provider’s servers and not all the way to the destination… Was there some misunderstanding on their end? If the insurance company’s website is public facing, is HTTPS sufficient to meet the encryption requirement?
Most insurance companies will have an encrypted portal for uploading and don’t require a VPN. Others will accept email which of course needs to be encrypted. A VPN would definitely be required for remote workers transferring files with their office since data must be encrypted in transit and at rest. Something like NordVPN wouldn’t qualify anyway since it’s not end to end encryption.
Yes the HTTPS connection is sufficient. As already stated the VPN providers you listed will not suffice as they are not end to end encrypted.
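The answers above hinge on what HTTPS actually guarantees: a TLS session negotiated directly with the portal, with a trusted certificate that matches the hostname and a modern protocol version. The script below is an added example (not posted by anyone in this thread) that makes those conditions explicit. The `probe` function opens a real TLS connection with Python's default verifying context, and `assess` is a pure function that turns the connection summary into findings, so the policy part can be checked without network access. The host name `portal.example` is a placeholder, not a real insurer's site.

```python
"""Check that an upload portal gives a verified, modern TLS session (added example)."""
import socket
import ssl
import sys
from dataclasses import dataclass
from urllib.parse import urlparse

# Protocol versions that still count as acceptable transport encryption.
ACCEPTABLE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


@dataclass
class TlsSummary:
    host: str
    protocol: str            # negotiated version, e.g. "TLSv1.3"
    cert_verified: bool      # certificate chain validated against the system trust store
    hostname_matched: bool   # certificate names cover the host that was dialed


def is_https_url(url: str) -> bool:
    """True only for an https:// URL; plain http:// sends the upload in cleartext."""
    return urlparse(url).scheme.lower() == "https"


def assess(summary: TlsSummary) -> list:
    """Return findings; an empty list means the session is encrypted to the portal itself."""
    findings = []
    if not summary.cert_verified:
        findings.append("certificate chain not trusted")
    if not summary.hostname_matched:
        findings.append("certificate does not match hostname")
    if summary.protocol not in ACCEPTABLE_PROTOCOLS:
        findings.append(f"weak protocol {summary.protocol}")
    return findings


def probe(host: str, port: int = 443, timeout: float = 5.0) -> TlsSummary:
    """Connect with the default verifying context and summarize the result. Needs network access."""
    ctx = ssl.create_default_context()  # verifies chain and hostname, rejects SSLv3/TLS 1.0/1.1
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return TlsSummary(host, tls.version() or "unknown", True, True)
    except ssl.SSLCertVerificationError as exc:
        # Heuristic: Python reports a name mismatch with "Hostname mismatch" in the message;
        # any other verification error is treated as an untrusted chain.
        mismatch = "Hostname mismatch" in str(exc)
        return TlsSummary(host, "unknown", not mismatch, not mismatch)


if __name__ == "__main__":
    # Usage: python tls_check.py portal.example
    target = sys.argv[1] if len(sys.argv) > 1 else "portal.example"
    result = probe(target)
    problems = assess(result)
    print(f"{target}: {result.protocol}, findings: {problems or 'none'}")
```

Note what this does not check: it says nothing about how the insurer stores the file once received, so it covers encryption in transit only. A consumer VPN would not change any of these results, because the TLS session still terminates at the portal regardless of which network the laptop is sitting on.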
I would check out Perimeter 81. They offer a business VPN and sign a BAA. I have been using it with my private practice, and it has worked well. I was also able to create a Private Network for my company.
Did Perimeter 81 slow down your users? I tried one VPN for 2 desktops and 2 laptops. I had to cancel as it put everything at a slow crawl.
If I have consumer based internet for my small business, and use a VPN that is HIPAA compliant and I have a BAA on file from the VPN vendor, is my internet HIPAA compliant?
Can you detail how this is used?
Who do you use? I’m a one person private practice and cannot find a single VPN that will sign a BAA with me. It’s so frustrating!!!