
VPN for healthcare and HIPAA: what is required

Fexyn Team · 9 min read

The phrase "HIPAA-compliant VPN" appears all over the VPN industry. It is a meaningless phrase. HIPAA does not certify products. The Department of Health and Human Services does not issue HIPAA stamps to software vendors. A VPN cannot be "HIPAA-compliant" any more than a password can be "HIPAA-compliant."

What HIPAA does require is that covered entities (and business associates) implement specific safeguards. Encryption in transit is one of those safeguards. A VPN can provide encryption in transit. That makes a VPN one piece of a compliance posture, not the whole thing, and definitely not a magic compliance product.

The honest version is more useful than the marketing version. Here it is.

We are not lawyers and not HIPAA compliance consultants. This is informational. Validate your specific compliance posture with someone who actually does HIPAA compliance work in your jurisdiction.

What HIPAA actually requires

The HIPAA Security Rule (45 CFR Part 164, Subpart C) requires covered entities and business associates to implement safeguards to protect electronic Protected Health Information (ePHI). The safeguards are organised into three categories:

  • Administrative safeguards: policies, training, risk assessments, sanctions
  • Physical safeguards: facility access controls, workstation security, device disposal
  • Technical safeguards: access control, audit controls, integrity, transmission security

The technical safeguards include "transmission security" (45 CFR 164.312(e)), which requires "implementing technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network."

The transmission security standard has two implementation specifications:

  • Integrity controls (addressable): measures to ensure that ePHI is not improperly modified during transmission
  • Encryption (addressable): mechanism to encrypt ePHI whenever deemed appropriate

"Addressable" does not mean optional. It means the covered entity must assess whether the implementation is "reasonable and appropriate" for its environment. If yes, implement. If no, document why and implement an equivalent alternative.

For ePHI moving over public networks (the internet), encryption is almost always reasonable and appropriate. The HHS Office for Civil Rights has been explicit: ePHI sent unencrypted over public networks is a Security Rule violation in essentially every plausible scenario.

Where a VPN fits

A VPN provides encryption in transit between the user's device and the VPN provider's exit server. From there, traffic continues to its destination — typically over TLS, which provides its own encryption layer.

For ePHI scenarios, the relevant transmission paths:

  • Provider laptop to EHR system over public Wi-Fi. EHR systems are TLS-encrypted. The VPN adds an outer encryption layer. Both layers provide redundant protection; the VPN guards against TLS-downgrade attacks and against the public Wi-Fi access point seeing traffic patterns.
  • Provider laptop to telehealth platform. Telehealth platforms are TLS-encrypted (and many are end-to-end encrypted for the call audio/video). The VPN protects the surrounding signalling.
  • Provider laptop to email containing ePHI. Email-to-mail-server is TLS-encrypted by default in 2026. The VPN encrypts the connection from the laptop. The ePHI inside the email is still readable by the email provider unless additional measures (S/MIME, encrypted file attachments) are in place.

For healthcare workers travelling, working from home, or working from clinics with shared networks, a VPN is a reasonable safeguard for transmission security.

What "HIPAA-compliant VPN" actually means in marketing

When you see this phrase, the company is usually claiming one of:

  1. They will sign a Business Associate Agreement (BAA) with you
  2. Their service "supports HIPAA-compliant configurations"
  3. Some less precise version of either of these

A BAA is a contract. It says the vendor (the VPN provider) will safeguard ePHI it handles and that the vendor takes responsibility under HIPAA for breaches involving that ePHI. A BAA is required when a vendor processes or stores ePHI.

Here is the relevant question: does your VPN provider actually handle ePHI? A pure-encrypted-transit VPN does not. The VPN provider sees encrypted traffic; they do not decrypt it; they do not store it; they do not have access to the ePHI inside. From a strict legal interpretation, a VPN that does no decryption arguably is not a HIPAA Business Associate at all because it does not "process" ePHI in the regulated sense.

In practice, HHS has not issued definitive guidance on whether transit-only VPNs require a BAA. Most healthcare compliance consultants take a conservative position: get a BAA where possible, treat the VPN provider as a Business Associate for safety. Some VPN providers (Atlas VPN historically, NordLayer, ExpressVPN for business tier) offer BAAs. Most consumer-tier VPNs do not.

Fexyn does not currently offer BAAs. We are working through whether to offer them; the compliance overhead is real and the technical case for whether they are required is genuinely unclear. For solo healthcare practitioners or small clinics that want a BAA-signing provider as a belt-and-suspenders measure, NordLayer's HIPAA-focused tier or a similar business-VPN-with-BAA is a better fit today.

What a VPN does not cover for HIPAA

A complete HIPAA compliance posture needs all of the following. A VPN covers exactly one piece:

Encryption at rest. ePHI on laptops, in cloud storage, on email servers, on backup media — all needs encryption. A VPN does not encrypt files on disk.

Access controls and authentication. Strong authentication on EHR, email, cloud storage. Role-based access. MFA. A VPN does not provide identity.

Audit controls. HIPAA requires logging of ePHI access. EHR systems and document management have their own audit logging. A VPN does not provide this.

Integrity controls. Mechanisms to ensure ePHI is not improperly modified.

Email containing ePHI. Regular email (even TLS-encrypted) is not HIPAA-appropriate for ePHI without additional measures. Use a secure document portal or end-to-end encrypted email for ePHI.

Workforce training. Annual HIPAA training is administratively required.

Risk assessment and risk management. Documented assessment of plausible risks and mitigations.

Breach notification policies. Written procedures for what happens when something goes wrong, including the 60-day notification requirement.

Service provider agreements (BAAs) with all entities that handle ePHI. EHR vendors, cloud storage, billing services, transcription services all need BAAs.

Physical safeguards. Locked offices, locked filing cabinets, secure device disposal.

A "HIPAA-compliant VPN" marketing claim that ignores all of these and focuses on encryption-in-transit is selling you the smallest piece of compliance and calling it the whole thing.

What an honest VPN-for-healthcare positioning looks like

Fexyn provides:

  • AES-256-GCM and ChaCha20-Poly1305 encryption (modern AEAD ciphers)
  • Strong VPN protocols (WireGuard via Bolt, VLESS Reality with Vision via Stealth)
  • Kernel-level kill switch on Windows (Windows Filtering Platform filters that block traffic when the VPN drops, not application-level disconnect handlers)
  • No-logs operation on browsing, DNS, and traffic content
  • Wyoming (US) jurisdiction, a Five Eyes member, with the no-logs structure as the data-protection mechanism (a third-party no-logs audit is planned for 2026 but not yet completed)

These are all reasonable transmission-security characteristics. They do not constitute HIPAA compliance by themselves; they constitute one component that fits into a layered compliance posture.

For healthcare workers who want VPN as one layer alongside the rest of a HIPAA-conscious setup (encrypted laptops with MFA, EHR with audit trails, secure document portal for ePHI emails, BAAs with major Business Associates, written WISP-style policies, annual training), Fexyn is appropriate.

For healthcare workers or small clinics who want a single vendor signing BAAs to simplify the compliance paperwork, NordLayer's HIPAA tier or Perimeter81's healthcare positioning are better fits today. We are honest about this.

What other VPN companies will not tell you

Most "HIPAA-compliant VPN" content on the web is paid placement. The affiliate-marketing structure of the VPN industry rewards making compliance claims that sound stronger than the underlying product can support. We are writing this piece partly because the misleading version of this content is everywhere, and partly because the honest version is more useful, even if it is less convenient.

If a VPN company tells you they are "HIPAA-compliant," ask them:

  1. Will you sign a BAA?
  2. What does the BAA actually cover?
  3. What documentation can you provide for HIPAA audit purposes?
  4. How do you handle subpoenas and law enforcement requests for ePHI-context user data?
  5. What is your incident response process if you experience a breach?

A vendor that has good answers to all five is a real BAA partner. A vendor that has no answers is selling marketing copy.

Frequently asked

Is a VPN required by HIPAA?

Not literally. HIPAA's transmission security standard requires "addressable" encryption, meaning the covered entity must assess and either implement or document why not. For ePHI moving over public networks, encryption is almost always required; a VPN is one way to provide it.

Can I use a free VPN for healthcare work?

Generally no. The HIPAA-conscious posture requires a vendor whose data-handling practices you can verify. Free VPNs almost universally have data-collection issues that make their use for ePHI-adjacent work indefensible.

What about Telehealth specifically?

Telehealth platforms (Doxy.me, Zoom Healthcare, Healow, etc.) sign BAAs and handle the ePHI directly within their platform. The VPN protects the surrounding network connection. Use both: a HIPAA-aware telehealth platform plus a VPN for the surrounding network layer.

Should I avoid email for ePHI?

For sending ePHI to patients, use the patient portal in your EHR. That is purpose-built and audit-trailed. For internal communication about ePHI between providers, use secure messaging within the EHR or a HIPAA-aware secure email service. Regular email with a VPN does not solve the email-content question; the email content is readable by the email provider.

Does Fexyn offer a BAA?

Not currently. We are evaluating. For healthcare workers who specifically need a BAA-signing VPN, NordLayer's HIPAA-focused business tier is a better fit today.

What's the actual liability picture for a VPN failure during ePHI transmission?

If you transmit ePHI over public Wi-Fi without a VPN and the transmission is intercepted, that is a HIPAA breach with the standard notification, reporting, and potential penalty consequences. If you transmit with a VPN that is functioning correctly, the encryption layer prevents the interception from yielding readable ePHI; this is exactly why transmission security is a Security Rule standard. If the VPN connection drops mid-transmission and traffic exits unencrypted, the kill-switch question becomes load-bearing. This is why we make a point about kernel-level WFP-based kill switches versus application-level handlers.
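The kill-switch point above (and the kernel-level WFP filters listed under what Fexyn provides) is only worth anything if you have checked it on your own machine. The script below is an added example for that check; it is not Fexyn's code and does not touch Fexyn's filters. It assumes the tunnel adapter's description contains "WireGuard" (change $AdapterPattern for other clients), that example.com:443 is an acceptable probe target, and that you run it from an elevated PowerShell on a test laptop where you are allowed to disable the adapter. Disabling the adapter stands in for a real tunnel drop; with a working kernel-level kill switch the probe must fail while the adapter is down.

```powershell
# Added example (not Fexyn's code): check that a Windows VPN kill switch blocks
# outbound traffic when the tunnel adapter goes away.
# Assumptions: adapter description matches $AdapterPattern; elevated shell;
# disabling the adapter is an acceptable simulation of a tunnel drop on this host.
param(
    [string]$AdapterPattern = 'WireGuard',   # assumed adapter naming, adjust as needed
    [string]$ProbeHost      = 'example.com', # assumed probe target
    [int]$ProbePort         = 443
)

function Get-VpnAdapter {
    # First active adapter whose description matches the pattern
    Get-NetAdapter |
        Where-Object { $_.InterfaceDescription -match $AdapterPattern -and $_.Status -eq 'Up' } |
        Select-Object -First 1
}

function Test-OutboundReachable {
    # $true if a TCP handshake to the probe host completes within 3 seconds.
    # A plain TcpClient is used so the result reflects what WFP lets through,
    # not what a browser or the VPN app reports.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ProbeHost, $ProbePort, $null, $null)
        $done  = $async.AsyncWaitHandle.WaitOne(3000)
        return ($done -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$adapter = Get-VpnAdapter
if (-not $adapter) {
    Write-Error "No active VPN adapter matching '$AdapterPattern'"
    exit 1
}

# 1. Baseline: with the tunnel up, the probe should succeed through the VPN.
$before = Test-OutboundReachable
Write-Host "Tunnel up:   outbound reachable = $before"

# 2. Simulate a tunnel drop by disabling the adapter.
Disable-NetAdapter -Name $adapter.Name -Confirm:$false
Start-Sleep -Seconds 2

# 3. With the tunnel down, a working kill switch blocks the probe entirely.
$during = Test-OutboundReachable
Write-Host "Tunnel down: outbound reachable = $during"

# 4. Show where the default route now points. If it is a physical adapter and the
#    probe succeeded, traffic left the host in the clear: that is the leak.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
    Select-Object InterfaceAlias, NextHop, RouteMetric |
    Format-Table -AutoSize

# 5. Restore the tunnel adapter.
Enable-NetAdapter -Name $adapter.Name -Confirm:$false

# To inspect the filters themselves, "netsh wfp show filters" (elevated) writes
# filters.xml with every active WFP filter, including the VPN client's block rules.

if ($before -and -not $during) {
    Write-Host 'PASS: kill switch blocked traffic while the tunnel was down'
} else {
    Write-Host 'FAIL: traffic could leave the host while the tunnel was down'
}
```

Run it once with the VPN app's kill switch enabled and once with it disabled; the two runs should differ. If the probe succeeds in both, the "kill switch" is an application-level disconnect handler rather than a WFP block filter, which is exactly the distinction this article draws.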


Try Fexyn free for 7 days. No card required for the trial. The How to choose a VPN guide covers the broader buying decision. Kill switch explained covers the kernel-level kill-switch implementation. VPN for lawyers covers the parallel ABA 477R picture for the legal profession.

Last reviewed 2026-05-09. Not legal or compliance advice; validate with a HIPAA compliance reviewer for your specific situation.
