On April 8, 2014, Microsoft will stop providing support and updates for Windows XP. If you use Windows XP in your practice, you soon may become noncompliant under the Health Insurance Portability and Accountability Act (HIPAA).
Specifically, Microsoft is suspending all security updates, patches, bug repairs, and call center troubleshooting. This means that electronic protected health information (e-PHI) on computers with XP operating systems may be at risk, which could lead to a data breach.
HIPAA Security Rule section 164.308(a)(5)(ii)(B) states that you must implement "procedures for guarding against, detecting, and reporting malicious software." Obviously, if you cannot update your software to protect your systems against malicious software, it is impossible for you to comply with this HIPAA Security Rule specification.
To remain in compliance with HIPAA requirements and to protect patient e-PHI, you should do the following:
- Identify XP computers
- Analyze whether the hardware is able to run Windows 7 or 8 before upgrading
- Determine if you should upgrade or purchase a new computer
- Have a transition plan
- Make the change
If you are unable to make the switch before April 8, 2014, your HIPAA risk assessment must include a well-thought-out plan for identifying at-risk computers and a solid transition plan to replace these computers in a timely manner. A sample HIPAA risk assessment checklist may be found on our corporate website. For additional information related to HIPAA, see the AMA HIPAA Privacy and Security Toolkit.
Authored by
Ann Whitehead, JD, RN
Vice President, CAP Risk Management & Patient Safety
If you have questions about this article, please contact us. This information should not be considered legal advice applicable to a specific situation. Legal guidance for individual matters should be obtained from a retained attorney.