You have misread my post: HIPAA does not prohibit remote access but individual institutions may do so, at their own discretion, in implementing the regulations. About 75 per cent of the agencies with whom I work have chosen not to grant vendors remote access to servers containing patient-sensitive data.