Remote Desktop is itself encrypted on new versions of Windows. HIPAA does not mandate any specific security protocols. The descriptions are quite general. But as with any security method, you want to encrypt the handshake (login) and the tunnel (data exchange).
Newer versions of Remote Desktop have this built-in. You have NLA (SSL/TLS) for the login/authentication and NTLM encryption for the tunnel/transport. I find many people who say that VPN is a necessity don't actually know why it was required in the first place. Originally RDP didn't encrypt the handshake or the tunnel. Now it does both.
VPN was used because it did both. L2TP/IPsec was the solution back then. In a similar manner, L2TP encrypted the handshake and IPsec encrypted the tunnel. Newer protocols like SSL VPN and OpenVPN have taken over, but the same principles apply. Nowadays, VPN just adds another layer of security, which is the primary benefit. It's not because RDP is unencrypted, which wouldn't be HIPAA compliant.
You can configure RDP to force both and deny any connection that isn't encrypted and to force higher levels of encryption. There are additional RDP settings like account lockout policies that make it pretty difficult even if you were sitting in the office hooked up to an ethernet jack.
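As an added example (not part of the original post), here is a PowerShell script that audits and then enforces the listener settings the post refers to: NLA required, TLS as the security layer, and High encryption on the RDP-Tcp listener, plus an account lockout policy. It assumes Windows 8 / Server 2012 or later and an elevated session; the lockout thresholds are assumed values to be tuned to local policy.

```powershell
# Added example: audit and harden the RDP-Tcp listener via its documented registry values.
# Assumes Windows 8 / Server 2012 or later, run from an elevated PowerShell session.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Desired values:
#   UserAuthentication  1 -> require Network Level Authentication before a session is created
#   SecurityLayer       2 -> TLS (SSL) only; 1 = negotiate, 0 = legacy RDP security layer
#   MinEncryptionLevel  3 -> High (128-bit); 4 = FIPS-compliant; 1-2 = Low / Client-compatible
$desired = @{ UserAuthentication = 1; SecurityLayer = 2; MinEncryptionLevel = 3 }

function Get-RdpTransportSetting {
    # One row per setting: current value, desired value, and whether they match.
    $current = Get-ItemProperty -Path $rdpKey
    foreach ($name in $desired.Keys) {
        [pscustomobject]@{
            Setting   = $name
            Current   = $current.$name
            Desired   = $desired[$name]
            Compliant = ($current.$name -eq $desired[$name])
        }
    }
}

function Set-RdpTransportSetting {
    # Write the hardened values; they apply to new connections (existing sessions are unaffected).
    foreach ($name in $desired.Keys) {
        Set-ItemProperty -Path $rdpKey -Name $name -Value $desired[$name] -Type DWord
    }
    # Account lockout, as mentioned in the post. Assumed values: 5 failed logons within
    # 15 minutes lock the account for 15 minutes. Adjust to your own policy.
    net accounts /lockoutthreshold:5 /lockoutwindow:15 /lockoutduration:15 | Out-Null
}

# Report the current state, apply the hardened values, then re-check.
Get-RdpTransportSetting | Format-Table -AutoSize
Set-RdpTransportSetting
$bad = Get-RdpTransportSetting | Where-Object { -not $_.Compliant }
if ($bad) {
    Write-Warning "Still non-compliant: $($bad.Setting -join ', ')"
} else {
    Write-Host 'RDP listener now requires NLA over TLS with High encryption.'
}
```

With SecurityLayer set to TLS, clients that cannot negotiate TLS are refused before any credentials are exchanged, which is the "deny any connection that isn't encrypted" behaviour described above.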