Tuesday, May 13, 2014


Dianne De La Mare

Microsoft’s decision to end technical support for Windows XP effective last month on April 8, 2014, could expose healthcare providers whose computers continue to use Windows XP to potential liability under the Health Insurance Portability and Accountability Act (HIPAA), according to some computer consultants and experts throughout the country.

However, the HIPAA Security Rule does not specifically require the use of operating systems that are manufacturer-supported, so continuing to use Windows XP after April 8th is not in itself a HIPAA violation. In fact, the US Department of Health and Human Services (HHS), Office of Civil Rights (OCR), Frequently Asked Questions (FAQs) specifically state that “The Security Rule does not specify minimum requirements…[but] any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis.”

Microsoft also sent out an “end of support” notice stating that “Businesses that are governed by regulatory obligations such as HIPAA may find that they are no longer able to satisfy compliance requirements.” Consequently, most long-term care and post-acute care providers are currently conducting thorough security risk analyses (including an assessment of the potential vulnerabilities of the Windows XP operating system), and some are choosing to replace Microsoft XP and/or Office 2003 due to the potential security risks.

To obtain a copy of the Microsoft notice, go to Microsoft's website here. To read more about this on the Health and Human Services website, go to the OCR website here.
