HIPAA Compliance Deadline for Windows Server 2003 Upgrade Fast Approaches

Microsoft has announced it will be stopping issuing patches and software updates for Windows Server 2003 on July 15, 2015. Any HIPAA-covered entity that is still running the outdated software on any of its servers after this date will be in violation of the HIPAA Security Rule, and could face a financial penalty from the Department of Health and Human Services’ Office for Civil Rights (OCR).

Microsoft advises users to upgrade to Windows Server 2012 R2 in order to maintain security standards and receive continued support, upgrades and patches.

Upgrades Must be Planned and Time is Fast Running Out


When Microsoft stopped issuing patches for Windows XP, all users had to be moved onto new operating systems; a task that required a considerable amount of planning, a considerable number of man hours and a not insignificant financial outlay. While a HIPAA-covered entity will have fewer servers than desktops/laptops, upgrading servers has potential to cause even more disruption, especially in large organizations operating a number of servers and an even higher number of virtual servers.

Server upgrades require the equipment to be taken out of action for a period of time, data needs to be migrated and access to data cannot be interrupted. With less than a month remaining until the deadline, any organization that has yet to make the change must start planning now. Time is fast running out.

Failure to Upgrade Windows Server 2003 Before July 15, 2015 is a HIPAA Violation


Once Microsoft pulls the plug on Windows Server 2003 and stops issuing security updates and patches the platform will be considered obsolete. Hackers will be able to work on the system and exploit security loopholes. Without patches of servers, any PHI stored on computer networks accessible through that server will be vulnerable to attack. This would be a violation of 45 CFR §164.308 (a) (1) (i)/(ii) of the Security Rule.

A failure to update software could be considered willful neglect of HIPAA Rules. That carries a fine of up to $1.5 million, per year that the software remained unpatched.

Office for Civil Rights Financial Penalties for Obsolete Software


The OCR is not averse to issuing financial penalties to HIPAA-covered entities that fail to install software patches and upgrades. Last year the agency fined Anchorage Community Mental Health Services $150,000 for a data breach that exposed the PHI of 2,700 individuals.

The resolution agreement stated that the penalty was issued for “failing to implement technical security measures to guard against unauthorized access to e-PHI” and for not ensuring that “information technology resources were both supported and regularly updated with available patches.”

Further information on HIPAA physical, administrative and technical safeguards can be found in our free HIPAA compliance guide.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.