Microsoft recently announced that, after April 8, 2014, it will not longer provide security updates or technical support for Windows XP. Microsoft’s statement that “businesses that are governed by regulatory obligations such as HIPAA may find that they are no longer able to satisfy compliance requirements” has spurred a certain level of panic among health care providers that utilize Windows XP.
While running Windows XP without security updates or “patches” will open healthcare entities to increased vulnerabilities under HIPAA, it is important to understand exactly what a covered entity’s obligations are under the Security Rule.
The U.S. Department of Health and Human Services provides the following question and answer on its website:
Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?
Answer: No. The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security. Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).
Therefore, while covered entities must meet certain requirements for storing e-PHI, simply operating Windows XP after April 8, 2014 is not a per se HIPAA violation so long as the covered entity engages in a detailed risk analysis which identifies the known vulnerabilities, the potential effects of such vulnerabilities and includes a plan to address these issues. To the extent a covered entity plans to use Windows XP after April 8, 2014, such an analysis should be undertaken promptly.
Paul J. Welk
Paul is chair of Tucker Arensberg Attorneys Health Law/Health Information Technology Industry Group and focuses his practice on corporate and healthcare law. In this capacity, he represents physical therapists, physicians, dentists, not-for-profit organizations, professional organizations and other business corporations and entities.
Some of the recent transactions and clients he has worked on include the representation of:
- Multiple state physical therapy professional associations on a variety of issues
- Multiple physical therapy private practices with development and implementation of ownership succession plans
- A venture capital company with the $13 million dollar stock acquisition of a target company
- Multiple physical therapy providers in successful third party payer appeals
- Multiple buyers of the assets and associated real estate of dental practices
- Multiple physical therapy providers regarding the transfer of partial ownership interests and the negotiation of governance and shareholder documents
- Multiple physical therapy providers with asset and stock acquisitions and divestitures
- A manufacturing company with the successful negotiation of a shareholder dispute and stock purchase
- A service provider with negotiation of a $5 million annual service contract
- A publicly traded company regarding the merger of two wholly owned subsidiaries
- Two publicly traded companies regarding the ongoing review of distribution, supply and service contracts
- A seller of a skilled nursing facility and related real estate
- Multiple regional rehabilitation provider networks on a variety of issues, including formation and ongoing operations
- A large physician practice in its sale to a health system
Areas of Practice: Business and corporate law, health law, mergers and acquisitions
Articles and Presentations: Paul regularly lectures and writes on topics related to business and healthcare law and is the founding author of Legal Impact, a regular column in the American Physical Therapy Association Private Practice Section’s Impact Magazine.
Memberships and Activities: Paul is a member of the American and Pennsylvania Physical Therapy Associations and past Chair of the American Physical Therapy Association Committee on Risk Management and Member Benefits. He is also a member of the Bloomsburg Medical Supply Ethics Committee, the Duquesne University School of Physical Therapy Advisory Board, the Pennsylvania Bar Association, and the American Health Lawyers Association. He is an adjunct instructor at the St. Francis University School of Physical Therapy and a licensed physical therapist in the Commonwealth of Pennsylvania.
Jurisdictions: Paul is licensed to practice law in Pennsylvania.
Education and Background: Paul received his Bachelor of Science and Master of Physical Therapy degrees with honors from Duquesne University and his law degree with honors from the University of Pittsburgh. He served as associate editor of the University Of Pittsburgh School Of Law Journal of Law and Commerce and received the CALI Excellence for the Future and Esther F. Teplitz Awards for academic performance in the health law curriculum. Paul is a graduate of the University Of Pittsburgh School Of Law’s Health Law Certificate Program.
Latest posts by Paul J. Welk (see all)
- Phase 2 of HIPAA Audits Underway - March 25, 2016
- Websites and The Americans With Disabilities Act – An Often Unrecognized Risk - March 14, 2016
- HHS Publishes Guidance on Patient Access to Records under HIPAA - February 2, 2016
- Provider of Physical, Speech, and Occupational Therapy Services Agrees to $38,000,000 False Claims Act Settlement - November 12, 2014
- A Free Ride To PT – What’s The Risk? - October 15, 2014