There has been a lot of speculation around the use of Windows XP as it relates to HIPAA violations. Many IT consultants are saying if dentists’ information systems are operating on Windows XP after April 8, 2014, they are in violation of HIPAA.
The HIPAA Security Rule does not specifically require the use of operating systems that are manufacturer-supported so continuing to use Windows XP after April 8 is not in itself a HIPAA violation. What dentists need to know is when and under what circumstances operating on Windows XP can become a HIPAA violation.
Here is what is happening.
Microsoft announced that it will no longer provide support (including security patches) for Windows XP after April 8. According to Microsoft, “Unsupported and unpatched environments are vulnerable to security risks. This may result in an officially recognized control failure by an internal or external audit body, leading to suspension of certifications, and/or public notification of the organization’s inability to maintain its systems and customer information.” Although Microsoft later announced it would provide some updates, the original, this announcement, combined with IT consultants’ awareness of HIPAA, has led to dire warnings for small health care providers who face potentially thousands of dollars in computer and software upgrades and data migration.
Covered entities should take a little comfort in what the HIPAA enforcer has to say about operating systems. The U.S. Department of Health and Human Services (HHS) has the following question and answer on its website.
Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?
No. The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security. Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).
Note the italicized phrase. If dentists need to continue using Windows XP past April 8, the minimum requirement for HIPAA compliance is that they address the risks in their risk analysis. Addressing the risks means the dentist knows what can happen and that they have a plan to minimize the risk (they must describe the plan in the risk analysis). That plan also can include a timeline for making the switch away from Windows XP because dentists cannot continue to use that operating system indefinitely.
So when does using Windows XP past April 8 become a HIPAA violation? When a dentist’s written risk analysis does not address the risks associated with using an unsupported operating system. As the risks increase over time, dentists are obligated to keep the risk analysis updated. For additional information on risk analysis, risk management, and other HIPAA Security rule guidance material, visit this HHS website.
For more information and resources on HIPAA from CDA, visit cda.org/privacy-hipaa or call CDA Practice Analyst Teresa Pichay at 916.554.5990.