small business servers, VPN?


Apr 16, 2009
Hi, not sure of the best place to post this. I work for a smallish (110 employee) technologically incompetent nonprofit. We still do all of our documentation on paper. We looked at software packages for electronic clinical records but it got axed as the economy worsened. Now they have spoken with a 'consultant' and are looking at operating our own servers on-site so we can have secure HIPAA compliant email and 'someday' add in electronic records. The consultant convinced them that this will be necessary regardless so we can have our own VPN. I'm not especially knowledgeable, but isn't this backwards from all technological trends? Isn't the future "the cloud"? Are our own on-site servers necessary to have a VPN and securely access data over the internet? Isn't it possible now to do this securely through a browser connected to servers operated by people who have a clue what they're doing? Is there any benefit to a small poor company that needs HIPAA compliant security operating its own servers?


Elite Member
Dec 24, 2005
A VPN and the location of the servers have nothing to do with each other. You can have a VPN to your own local servers or a VPN to "the cloud".

Regarding "the cloud", there are pros and cons. Certainly servers need to be managed by competent people. But tens of thousands of doctors offices host their own EMR servers.

Regardless of what you decide, a "technologically incompetent" company with 110 employees should probably develop a close relationship with a trusted IT consultant or hire one. A bunch of experts on a web site can't really make these decisions for you.


Diamond Member
Feb 19, 2003
As far as I am aware, HIPAA doesn't give you any hardware or software requirements. HIPAA (mostly) says who can and who cannot exchange certain medical information. The email systems and document systems themselves are irrelevant as long as they secure this information. Gmail (the business service at least) for example does meet HIPAA reqs since it has user access control.

What you should read up on is the HIPAA act combined with the Personal Information acts.

Edit: What rebatemonger said also ^

110 people is not really "small" either.


Diamond Member
Aug 8, 2004
As far as I am aware, HIPAA doesn't give you any hardware or software requirements. HIPAA (mostly) says who can and who cannot exchange certain medical information. The email systems and document systems themselves are irrelevant as long as they secure this information. Gmail (the business service at least) for example does meet HIPAA reqs since it has user access control.

What you should read up on is the HIPAA act combined with the Personal Information acts.

Edit: What rebatemonger said also ^

110 people is not really "small" either.

You are correct. I work in healthcare IT and this is how we see things. Now you must make all efforts to secure data, but there are no set rules AFAIK.

I also volunteer for a 501(c)(3) and I moved them to the free version of Google Apps that is available for 501s and they love it. We still have an ASA 5510 firewall and a server (very cheap @ TechSoup) for other things such as print server, DNS, domain controller etc.

I like some aspects of the "cloud" but it's far from proven in my book; sometimes local stuff just makes me sleep better.


Apr 16, 2009
Thanks for the replies. Yes, HIPAA doesn't specify much of anything technical to my knowledge. What I think our company most needs is cost effective maintenance of our computers and some form of EMR. What the boss is saying this will give us is "HIPAA secure" email and the ability to work on shared documents (we already have a documents server for the main office). What I'm hearing is that operating our own internet servers for email and 'someday' EMR isn't necessarily bad but I also don't hear that it is necessary. Which is my concern, that it is an expensive diversion that doesn't get us any closer to our real needs (EMR, functional computers in the field) and gives us stuff (secure email) we don't need our own servers to have anyway. Apparently they spoke with a consultant, plus the repairwoman who fixes our computers, and this is what they came up with. Any additional thoughts are welcome.


Platinum Member
Nov 12, 2003
Honestly, it's near impossible to make recommendations about these types of business decisions based on a few posts on a message board. You need to develop some solid business requirements, and then probably talk with a few consultants to determine your best course of action.

I don't know what role you play in the organization, but it sounds like you and your boss have very different visions of how technology can play a role in your business processes.


Apr 16, 2009
Thanks, I'm not trying to get business recommendations or anything like that; it's not my decision anyway. I was just curious for a quick orientation to the technology so I can ask some informed questions.