HIPAA network segmentation requirements are written as outcomes, not a prescribed tool list, and that is what trips most teams up at audit.
HIPAA’s Security Rule does not tell you what brand of firewall to buy, what VLAN scheme to use, or what network segmentation specifically looks like. It tells you to take “reasonable and appropriate” measures to protect electronic protected health information (ePHI) and leaves you to figure out what reasonable means for your environment. Auditors then come and check whether what you did is, in fact, reasonable. This post walks through what reasonable network segmentation actually looks like in practice, what auditors are checking for, and what we see Edmonton-area healthcare practices get wrong.
The short version. HIPAA expects you to logically separate systems that handle ePHI from systems that do not, and to have controls between them that prevent or detect unauthorized access. Most reasonable implementations involve at minimum a separate VLAN for ePHI systems, a firewall enforcing access policies between zones, monitoring of traffic between zones, and access controls that limit who can reach the ePHI zone at all. None of this is exotic. It is the same pattern PCI-DSS uses, with healthcare-specific tweaks.
What auditors penalize is not lack of cutting-edge tools. It is lack of evidence. A clinic with a basic firewall and clear documentation often passes an audit. A clinic with sophisticated tools and no documentation often fails.
What HIPAA actually says about network controls
The Security Rule’s technical safeguards (45 CFR 164.312) include access controls, audit controls, integrity protections, person/entity authentication, and transmission security. None of these explicitly say “network segmentation.” But the Risk Analysis requirement (164.308(a)(1)(ii)(A)) requires you to identify and assess potential risks to ePHI, and the Security Management Process requires you to implement security measures sufficient to reduce identified risks to a reasonable level.
For most environments, a flat network where ePHI systems share the same broadcast domain as general office workstations does not pass a competent risk analysis. The risk of lateral movement after a phishing-based compromise of a non-ePHI workstation is too high, and segmentation is the standard mitigation. Auditors expect to see segmentation as the answer to “how have you reduced the risk of unauthorized access to ePHI?”
The practical bar most auditors apply is whether the path between ePHI systems and the general internet has at least two enforced controls along it.
What auditors actually look for
Across HIPAA audits we have supported in the last three years, the consistent themes are these. Auditors want to see a clear inventory of which systems handle ePHI. They want to see those systems on a separate network segment with firewall enforcement at the boundary. They want to see firewall rules that are restrictive (default deny, explicit allow) and documented with business justification. They want logs of traffic crossing the boundary, retained for at least 90 days. They want evidence that the segmentation has been tested, ideally with vulnerability scans run from the general network attempting to reach ePHI systems and being blocked.
What auditors do not require is microsegmentation, NAC, or any specific commercial product. They require evidence that the controls you implemented actually work as documented.

A reasonable baseline
1. Inventory ePHI systems
Document every system that stores, processes, or transmits ePHI: EMR servers, imaging systems, billing systems, backup repositories, fax servers, and anywhere else ePHI lands. Update this list whenever you add a new system. The inventory drives every other control.
2. Place ePHI systems on a separate VLAN with firewall control
Put ePHI systems on a dedicated VLAN with a firewall at the boundary (a next-generation firewall is preferred; a basic stateful firewall is acceptable). The policy is default deny, with explicit allows only for clinical workstations and authorized administrative access.
3. Document the firewall ruleset with business justification
Every allow rule has a one-line justification documenting which workflow it supports. “TCP 443 to EMR server from clinical VLAN, supports daily charting” is enough. “Allow everything from VLAN 10 to VLAN 20” with no justification fails the audit.
4. Log all cross-zone traffic and retain for 90+ days
Forward firewall logs to a SIEM, a syslog server, or even a managed log retention service. The retention requirement varies by interpretation, but 90 days is the practical floor most auditors accept.
5. Test the segmentation annually
Run a vulnerability scan from the non-ePHI side aimed at ePHI systems. Confirm the firewall blocks unauthorized access. Document the test and the result. This is what auditors mean when they ask “how do you know your controls work?”
6. Authentication and access control on ePHI systems
Require multi-factor authentication on any account that can access ePHI, role-based access so users see only the records they need, and an account review every quarter. This pairs with segmentation because segmentation alone does not stop insider threats or compromised credentials.
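To make steps 3 and 4 concrete, here is an added Python example (not from the original post or any vendor's tooling) that audits a constructed ruleset for the documentation gaps described above and cross-checks constructed firewall log lines against it. The key=value log format, the zone names, and the rule fields are assumptions; real firewall exports differ.

```python
import re
from collections import namedtuple

# Rule fields: source zone, destination zone, protocol, destination port, action, justification.
Rule = namedtuple("Rule", "src_zone dst_zone proto port action justification")

# Constructed ruleset (not a real export); zone names are illustrative, "any" is a wildcard.
RULESET = [
    Rule("clinical", "ephi", "tcp", "443", "allow", "Daily charting against the EMR web front end"),
    Rule("admin", "ephi", "tcp", "22", "allow", ""),         # no justification at all
    Rule("guest", "ephi", "any", "any", "allow", "legacy"),  # any/any allow: cosmetic segmentation
    Rule("any", "ephi", "any", "any", "deny", "Default deny into the ePHI zone"),
]

# Constructed firewall log lines in a generic key=value style (the records step 4 retains).
SAMPLE_LOGS = [
    "2026-04-02T09:01:11 fw1 action=allow src_zone=clinical dst_zone=ephi proto=tcp dport=443",
    "2026-04-02T09:02:40 fw1 action=allow src_zone=ephi dst_zone=internet proto=tcp dport=443",
    "2026-04-02T09:03:05 fw1 action=deny src_zone=guest dst_zone=ephi proto=tcp dport=445",
]
LOG_LINE = re.compile(r"action=(?P<action>\w+) src_zone=(?P<src>\w+) dst_zone=(?P<dst>\w+)"
                      r" proto=(?P<proto>\w+) dport=(?P<port>\d+)")


def audit_rules(rules):
    """Step 3 checks: findings for allow rules lacking a justification or being any/any, and for a missing default deny."""
    findings = []
    for r in (x for x in rules if x.action == "allow"):
        if len(r.justification.split()) < 3:   # empty or a single word is not a justification
            findings.append(f"{r.src_zone}->{r.dst_zone} {r.proto}/{r.port}: no usable justification")
        if r.proto == "any" and r.port == "any":
            findings.append(f"{r.src_zone}->{r.dst_zone}: any/any allow makes segmentation cosmetic")
    if not any(r.action == "deny" and r.src_zone == "any" and r.dst_zone == "ephi" for r in rules):
        findings.append("ephi zone has no default-deny rule")
    return findings


def rule_covers(rule, src, dst, proto, port):
    """True when a documented allow rule explains this flow ('any' matches anything)."""
    return (rule.action == "allow" and rule.src_zone in (src, "any") and rule.dst_zone in (dst, "any")
            and rule.proto in (proto, "any") and rule.port in (port, "any"))


def undocumented_flows(log_lines, rules):
    """Step 4 cross-check: allowed cross-zone flows no documented allow rule explains (drift or a bypass tunnel)."""
    flows = set()
    for line in log_lines:
        m = LOG_LINE.search(line)
        if (m and m["action"] == "allow" and m["src"] != m["dst"]
                and not any(rule_covers(r, *m.group("src", "dst", "proto", "port")) for r in rules)):
            flows.add((m["src"], m["dst"], m["proto"], m["port"]))
    return sorted(flows)
```

Run against the constructed data, the ruleset audit reports the unjustified admin rule and the any/any guest rule twice over, and the log cross-check surfaces the allowed ePHI-to-internet flow that no documented rule explains, which is exactly the shape of the vendor-tunnel finding described later.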
Common audit findings
From audits we have observed, six findings repeat. First, flat networks where ePHI systems share VLANs with general workstations. Second, firewalls in place but with default-allow rules that effectively make segmentation cosmetic. Third, firewall logs not retained long enough to support an investigation. Fourth, no documented inventory of ePHI systems, so the scope of compliance is undefined. Fifth, vendor remote access tools that bypass the segmentation by establishing outbound tunnels. Sixth, wireless networks where guest Wi-Fi is on the same broadcast domain as ePHI systems.
Each is fixable in days, not months, but each leads to a finding that has to be remediated and reported in your next audit.

What the official guidance does not emphasize
HIPAA guidance is general by design, but two practical issues rarely make it into the documentation. First, vendor remote access. Many medical practices have remote support tunnels for their EMR vendor, imaging vendor, or practice management vendor. These tunnels often bypass the firewall entirely and provide an unmonitored path into the ePHI zone. Auditors increasingly want documentation of every vendor’s access path and evidence of monitoring.
Second, IoT devices. Newer medical equipment (digital sensors, blood pressure monitors, smart scales) often connects via Wi-Fi and reports to a manufacturer cloud. If those devices land on the same network as ePHI systems, they expand your attack surface in a way that is rarely on the architecture diagram. Segment IoT separately from clinical workstations and ePHI systems.
The implementation order
For practices starting near zero, the implementation sequence we use is: ePHI inventory first, segmented VLAN second, firewall and rule documentation third, logging fourth, MFA on ePHI accounts fifth, annual test sixth. This order delivers the highest risk reduction first, even if budget runs out before all six are done.
FAQ
Does HIPAA apply if we are based in Canada?
Only if you handle ePHI of US patients or contract with US healthcare entities. Canadian practices typically follow PIPA (Alberta), PIPEDA (federal), or the equivalent in their province. The principles are similar. Segmentation, access control, and logging are reasonable expectations under all of them.
Is microsegmentation required?
No. Coarse VLAN-based segmentation with firewall enforcement satisfies most auditors. Microsegmentation is a higher bar that organizations choose for additional defense in depth, not because HIPAA requires it.
Can a single firewall handle both segmentation and internet edge?
Yes, as long as the ePHI segment has its own interface or zone and the rules enforce isolation between zones. Two physical firewalls are not required.
Audit coming up
If you have a HIPAA, PIPA, or PHIPA-related audit on the calendar in the next 90 days and you are not sure where you stand on network segmentation, our team does focused readiness assessments specifically for medical practices in Western Canada. Tell us about your environment and we will produce a one-page gap report you can act on.
Last verified April 2026 by the aaanetworkx compliance practice.