Telehealth Security: Using a VPN

There has been much debate on whether or not telehealth offers a secure means of communicating with patients, especially with many providers seeing patients virtually from their home offices. This has left many to wonder if using their home WiFi poses a security risk. Although there are security implications when using a personal WiFi for business use, connecting to a virtual private network (VPN) provides an easy solution to this problem with VPN security standards. By using a VPN service and following VPN requirements, telehealth security is preserved, while enabling telehealth providers the flexibility to work from anywhere.

Is your organization secure?
Find out now with our HIPAA compliance checklist.

Telehealth and VPN 

A virtual private network (VPN) is a service that extends a private network over a public network. When using a VPN to connect to the internet, all data passing through the VPN is encrypted (encryption masks data, making it unreadable to unauthorized users). As such, connecting to a VPN provides the most secure connection and prevents even the most advanced hacker from accessing data.

VPNs for HIPAA are generally provided by a firewall vendor as a part of a network security package, allowing remote users to safely connect to their corporate firewall from remote locations. This allows users to connect to any WiFi connection available, then enable their VPN service. 

By logging onto a VPN before opening a telehealth platform, the session is encrypted as soon the telehealth platform is launched. VPN can quickly and easily provide telehealth security whether sessions are conducted from a home office or another remote location. 

For example, if a healthcare provider was traveling and needed to conduct a telehealth session from their hotel room, using the hotel’s public WiFI, the provider could connect to the hotel WiFi and then activate their VPN service to provide a secure telehealth session.

Telehealth Security and Subscription VPN Services

While there are VPN services offered as a standalone product, the vast majority are not suitable for working with protected health information (PHI). Companies that offer standalone HIPAA compliant VPN services include features such as network security, access controls, audit controls, and integrity controls. 

These standalone VPN services are considered business associates under HIPAA, as they have the potential to access PHI as part of the service they provide for their clients. Therefore, for HIPAA compliant VPN use, telehealth providers must have a signed business associate agreement (BAA) with the VPN service provider before using the service. 

A BAA mandates the security and privacy measures the business associate is required to have in place. It also limits the liability for each signing party, as each party is responsible for monitoring and maintaining their HIPAA compliance.