Tailscale and HIPAA Compliance

Ensuring HIPAA compliance can be challenging for any organization, but it’s particularly demanding in remote work environments. Tailscale can support your HIPAA compliance requirements by providing secure peer-to-peer communications for your remote workers, including reliable access control and authentication.

Written by James Walker

The Health Insurance Portability and Accountability Act—or HIPAA as it’s more commonly known—defines the legal requirements for protecting sensitive patient data in healthcare-related environments. It’s primarily designed to prevent a patient’s medical records from being shared without their consent.

HIPAA compliance is mandatory for organizations that electronically transmit healthcare data. Maintaining compliance requires organizations to implement protections that prevent data leaking outside their organization, both when it’s at rest (such as when stored in a database) and in transit (as it’s transferred over a network). But this often conflicts with modern remote working practices, where employees routinely connect from unknown networks and devices.

In this article, you’ll learn how to identify and address potential HIPAA violations when managing a remote workforce. You’ll see how Tailscale can provide secure peer-to-peer communications for your remote workers, including reliable access control and authentication.

HIPAA compliance and remote workers

HIPAA sets out the requirements for healthcare providers’ electronic protected health information (ePHI) relating to their patients. The HIPAA Security Rule defines the technical, physical, and administrative standards that apply to the storage and utilization of this data.

This rule states that organizations must “ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit.” In addition, providers have to take steps to identify and mitigate any “reasonably anticipated” threats that could affect the information’s security and integrity. In the context of remote work, the risks associated with insecure public networks are likely to constitute a reasonably anticipated threat.

Minor HIPAA violations incur a minimum penalty of $127, but the maximum permitted for criminal activity is $250,000—usually accompanied by a jail term. It’s imperative to proactively prevent violations from occurring by implementing technical mitigations and educating remote workers on how to maintain security standards.

How Tailscale promotes HIPAA-compliant remote work

Maintaining HIPAA compliance for remote work starts with secure remote access to your organization’s shared resources. Creating a virtual private network (VPN) allows employees to connect your environments and databases without the risk of exposing them to unauthorized users. VPNs help enable HIPAA-compliant remote work by ensuring sensitive ePHI records can’t easily leak outside your organization even when users connect from untrusted physical networks.

Tailscale is a zero-config VPN solution that creates a mesh network for your devices and environments without compromising data protection. It empowers you to quickly start a private network with peer-to-peer encryption. Data is encrypted the entire time it’s in transit, with encryption keys never leaving your machines. Remote workers can securely connect to central infrastructure without the risk of sensitive data leaking from your network.

Tailscale can’t inspect your traffic as it flows from one device to another, or through our traffic relay. We do receive some metadata, including the public IP addresses of your network endpoints, but this is essential to providing the service. Because Tailscale is largely open source, you can always see how its encryption and networking systems are implemented.

Tailscale alone doesn’t guarantee that your ePHI data access procedures will be HIPAA compliant. Your ability to fully meet the requirements depends on why and how you store data as well as the ways in which users interact with it.

However, Tailscale can be used to support remote working in situations where you’re already subject to HIPAA. Tailscale allows remote staff to access the data they need securely. And it preserves HIPAA safeguards and prevents information from being captured or decrypted as it’s transmitted through the network.

How Tailscale mitigates the risk of violating HIPAA

Ensuring HIPAA compliance can be challenging for any organization, but it’s particularly demanding in remote work environments. It’s easy to lose oversight of how data is being handled, as you don’t know where individuals are connecting from, whether their device is secure, or if they’re inadvertently—or intentionally—copying data to private destinations.

Here are three ways remote work can lead to an HIPAA violation—and how Tailscale can mitigate these risks.

Failure to encrypt or secure data

Comprehensive data encryption should be essential for all modern software, especially where sensitive data such as healthcare records are involved. Unfortunately, failure to use encryption is still a contributing factor to the severity of many data breaches.

To maintain HIPAA compliance, data should be encrypted both at rest and in transit. Without both components, data that’s encrypted in your database only when it’s at rest could still be exposed if an attacker is eavesdropping on network communications while the data is in transit. Remote working significantly increases the likelihood of this kind of violation.

Tailscale uses the state-of-the-art WireGuard protocol to secure traffic flowing through your private network. Using Tailscale lets you confidently access sensitive ePHI data without the risk of bad actors intercepting communications. Tailscale is largely open-source—and WireGuard is regularly reviewed by security experts—so you can verify that encryption meets your requirements.

Poor access control policies

When employees work remotely, they need to be able to access data relevant to their role from outside the physical bounds of the organization. However, it’s vital that access controls are tightly enforced so users cannot access anything more than they require.

For example, some remote workers might not actually interact with data that’s in scope of HIPAA regulations. If they’re given access anyway, an attacker that intercepts network communications could obtain an access key that’s unnecessarily capable of triggering a HIPAA violation.

Tailscale addresses this by supporting robust access control lists (ACLs) that let you precisely define what users and devices can interact with on your network. ACLs allow you to grant regular users access to your main corporate server so that you only expose your ePHI server to the subset of users who require it. Enforcement is automatic and rule changes are quickly propagated to the devices in your network.

Lack of multi-factor authentication

Multi-factor authentication (MFA) significantly enhances your overall security posture by requiring users to present multiple proofs of their identity. This is commonly achieved using a combination of something the user knows, such as a password, and something they have, like a smartphone app or a biometric scan.

With Tailscale, organizations can require MFA to access any service that’s part of your network. Tailscale authenticates users through your existing SSO identity provider (such as Google, Microsoft, or Okta). By configuring your provider to require mandatory MFA, it’ll be enforced whenever a user logs into your Tailscale network.

This model means you can even use Tailscale to add MFA to legacy services that don’t normally support it, such as remote desktop devices, Windows file shares, Citrix servers, and your own applications. Requiring users to access these services through Tailscale ensures they’ve had to authenticate using the MFA requirements configured for your identity provider.

While MFA is not a requirement of HIPAA, it can help you implement an acceptable authenticating policy that can more robustly defend against remote access attempts. Requiring MFA for all remote work gives you increased confidence that every login and data retrieval request has been executed by a fully authenticated and genuine user. It’s highly unlikely that more than one of a user’s configured factors will be compromised simultaneously.

Tailscale customers and HIPPA

Instacart uses Tailscale as a solution for maintaining compliance with HIPAA regulations, which was necessary for enabling prescription medication delivery via Instacart. Tailscale’s ACLs and exit nodes gave Instacart fine-grained control over who could access their HIPAA-compliant environment, making compliance management more effortless.

Bamboo Health, which operates within the privacy and security requirements set forth under HIPAA, automates user management and simplifies remote access with Tailscale.


Remote work and HIPAA compliance is a daunting topic. Accessing ePHI data from outside an organization’s physical walls raises the possibility of exposure when unsecured networks are used.

Tailscale supports your HIPAA compliance by creating a secure private network between your devices. It lets you manage ePHI data access using ACLs and your existing identity provider. Tailscale also never captures or stores your data, providing confidence that ePHI records are safe during transit in remote work scenarios. Try Tailscale for free.

Get started with Tailscale today.

Frequently Asked Questions

Do you have questions about using Tailscale for ePHI? Here are three common queries we are asked.

Can Tailscale help me withHIPAA compliance?

Yes. Use of Tailscale can support your HIPAA-compliant systems. 

Tailscale does not capture or store your data, and all connections are end-to-end encrypted. We receive some metadata necessary to provide the service, but this doesn’t affect the integrity of your data. Several customers already use Tailscale in their HIPAA-compliant environments. You can find more information about Tailscale’s data collection in the privacy policy.

What is Tailscale's role in accessing ePHI from unsecured networks?

Tailscale is an enterprise-grade VPN that securely connects devices across physical and virtual networks. With Tailscale, users can privately transfer data between remote environments without exposing their data to anyone else on the network.

Access to ePHI must be safeguarded to maintain HIPAA compliance. Directly accessing ePHI over an unsecured network could lead to an HIPAA violation because other devices might be able to capture the data.

Tailscale establishes a private tunnel to the remote device as if you were physically connected to it. This allows remote workers to access ePHI data on servers, without creating a compliance vulnerability.

How Easy Is It to Set Up Tailscale for Remote Work?

Tailscale is a zero-config VPN solution. Its automated setup procedure means it’s quick and easy to configure for remote work and other use cases.

You can get started with Tailscale in three simple steps:

  1. Sign up for a Tailscale account using your existing identity from a provider such as Microsoft, Google, or Okta.

  2. Download the Tailscale application and install it on each of the devices you’ll use in your network.

  3. Log into your Tailscale account. Devices in your network can automatically discover each other, and each receive their own IP addresses.

Your devices are now part of a private Tailscale network (called a tailnet), and read for secure remote working. You can further limit the risk of accidental data exposure by configuring additional security features, such as access control lists (ACLs) and firewall integrations.