Hi, not sure best place to post this. I work for a smallish (110 employee) technologically incompetent nonprofit. We still do all of our documentation on paper. We looked at software packages for electronic clinical records but it got axed as the economy worsened. Now they have spoken with a 'consultant' and are looking at operating our own servers on-site so we can have secure HIPAA compliant email and 'someday' add in electronic records. The consultant convinced them that this will be necessary regardless so we can have our own VPN. I'm not especially knowledgeable, but isn't this backwards from all technological trends? Isn't the future "the cloud". Are our own on-site servers necessary to have a VPN and securely access data over the internet? Isn't it possible now to do this securely through a browser connected to servers operated by people who have a clue what they're doing? Is there any benefit to a small poor company that needs HIPAA compliant security operating its own servers?