The United States law known as the Health Insurance Portability and Accountability Act, or HIPAA, contains significant safeguards for the confidentiality and privacy of healthcare data. This is especially true for what is known as PHI, or protected health information. This is why it is critical for healthcare organizations, and anyone else who works with medical data, to understand the security required to do their business. One of the ways this can be done is through a VPN.
Specific HIPAA Points to Understand
We mentioned PHI earlier, and it is important to understand this concept. Under HIPAA, protected health information is any data containing “individually identifiable health information” that is transmitted or held by a business. To break it down further, information relating to these three things is considered PHI:
- Past, present, or future payment for health care to the individual.
- Provision of health care to the individual.
- Individual’s past, present, or future mental or physical health or condition.
This does not restrict the use or disclosure of health information that has been de-identified. The two methods to de-identify are either the removal of specific identifiers of the individual and of their relatives, household members, and employers, or a formal determination by a qualified statistician.
Using a VPN While Assuring HIPAA Compliance
A virtual private network, or VPN, can be a step toward achieving compliance, along with secure communications in the cloud. What a VPN does is provide the encryption required for healthcare data by tunneling the message data. Another way to think about this is that a VPN embeds a private network within the more extensive global public Internet. The VPN uses a point-to-point connection, which allows a higher level of control over the data packets being sent and can protect them from falling into the hands of unauthorized individuals.
VPN and Encryption
A VPN uses one of two methods to encrypt your data: either symmetric key or public key encryption. In most cases, the sending and receiving computers each hold a key that encrypts the data where it is sent and decrypts it again where it is received.
- Symmetric Key Encryption – With this type of encryption system, all computers and users share the same key to encrypt and decrypt a message.
- Public Key Encryption – With public key encryption, each computer and user has a public-private key pair. One computer uses its private key to encrypt a message, while the other user decrypts the message with the corresponding public key.
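As an added illustration (not code from the original article), here is how a VPN tunnel typically combines the two methods above: a public-key exchange (X25519) lets the two endpoints agree on a shared session key without a private key ever crossing the wire, and that key then drives symmetric AES-256-GCM encryption of each packet, whose authentication tag rejects any packet altered in transit or sealed under a different key. The endpoint names, the sample PHI record and the choice of X25519 and AES-GCM are assumptions for this example, and SHA-256 stands in for the key-derivation step a real protocol would use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// newPeer creates one tunnel endpoint's X25519 key pair (the public-key half).
func newPeer() *ecdh.PrivateKey {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return k
}

// sessionKey derives the shared 32-byte symmetric key; SHA-256 stands in for a real protocol's HKDF step.
func sessionKey(priv *ecdh.PrivateKey, remote *ecdh.PublicKey) []byte {
	shared, _ := priv.ECDH(remote) // both sides use X25519, so no curve mismatch
	sum := sha256.Sum256(shared)
	return sum[:]
}

// seal protects one packet with AES-256-GCM: random nonce, then ciphertext and tag.
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key) // key is always 32 bytes here
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // fresh nonce per packet; never reuse one under the same key
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a forged, altered or wrong-key packet yields an error.
func open(key, packet []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if n := gcm.NonceSize(); len(packet) >= n {
		return gcm.Open(nil, packet[:n], packet[n:], nil)
	}
	return nil, fmt.Errorf("packet too short")
}

func main() {
	clinic, cloudDB := newPeer(), newPeer() // only the public keys cross the wire
	kA, kB := sessionKey(clinic, cloudDB.PublicKey()), sessionKey(cloudDB, clinic.PublicKey())
	out, err := open(kB, seal(kA, []byte("MRN=CONSTRUCTED-0001"))) // constructed PHI
	fmt.Printf("decrypted=%q err=%v\n", out, err)
}
```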
Considerations Related to HIPAA and VPN
Most experts regard a VPN that is set up appropriately as a secure, HIPAA-compliant environment. That said, some have concerns about the lack of encryption at layer 2 of the OSI model, which means some VPN models may not be entirely secure, because they may leave MAC addresses or even service set IDs (SSIDs) unencrypted.
However, in most cases a VPN does provide a secure line of communication that meets the required privacy standards. Users in a company or organization can access a database of sensitive patient data safely from nearly anywhere with an internet connection. There can be drawbacks, however, with endpoint security: while you send and receive securely, the information is displayed on a screen, which could be problematic depending on the location.
A VPN can be an essential part of a HIPAA-compliant hosting option, but it is only one piece of the puzzle. Multifactor authentication, vulnerability scanning, offsite encrypted backups, firewalls, and log monitoring are also important and should be part of keeping security and compliance at 100%.