Windows XP No Longer HIPAA Compliant

If your organization has not yet upgraded its operating systems and is still running Windows XP on some or all workstations, it has until April 8, 2014 to migrate to a supported OS: from that date, Windows XP will no longer be HIPAA or Meaningful Use compliant.

Any organization found to be using the outdated software after that date will be in violation of the Security Rule of the Health Insurance Portability and Accountability Act of 1996. Windows XP was first released in 2001 and is now old and out of date. Microsoft will stop issuing patches and security updates for it on April 8, 2014, after which any newly discovered vulnerability will remain unfixed. Because the Security Rule requires covered entities to manage risks to electronic protected health information (45 CFR 164.308(a)(1)) and to protect against malicious software (45 CFR 164.308(a)(5)), an operating system that can no longer be patched cannot reasonably be defended as compliant, and organizations will be forced to upgrade. The cost of upgrading computer systems can be considerable, but the financial penalties organizations face for HIPAA non-compliance are likely to be substantially higher.

With the deadline only weeks away, institutions do not have long to make the necessary changes. Healthcare organizations, government departments and all other HIPAA-covered entities now ordering upgrades could face delays if hardware is in short supply, and new installations take time to roll out, especially in large healthcare organizations where older PCs and laptops may also need to be replaced before they can run a current operating system. The message is clear: do not delay system upgrades; order software and hardware promptly and factor in delays in receiving equipment.

The cost implications for healthcare organizations are considerable, although there are cost-effective options that ensure compliance without replacing all hardware. Mobile devices, PCs and laptops can be leased to spread the cost, and software can be licensed on a subscription basis rather than purchased outright. Data can be stored securely in the cloud, reducing the need for on-site storage and the hardware it requires; bear in mind that a cloud provider holding patient data is a business associate under HIPAA.

Consult an IT professional for advice on how to implement the upgrades so as to minimize cost while ensuring HIPAA compliance, and make sure that any business associate or supplier that will handle patient data is aware of the HIPAA regulations and signs a HIPAA business associate agreement before it receives any data.

It is not sufficient to replace only those computers with network access, as patient data may be stored locally on individual PCs. Data should be held on a central system, which your IT professional can set up, and every PC running Windows XP should be replaced or upgraded, not just those that are networked. If you rely on other programs or diagnostic tools that run only under Windows XP, contact the software vendor: all systems will need to be updated, and any diagnostic tools or programs written for Windows XP must be upgraded to a version that runs on a supported operating system. Where a vendor cannot provide one in time, for example for instrument software tied to a medical device, the device should be isolated from the rest of the network and the residual risk recorded in the organization's risk analysis until it can be retired.
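Before any of the above can be scheduled, an organization needs an accurate list of which machines are still on Windows XP. The following PowerShell script is an added example, not part of the original article, that pulls that list from Active Directory using the Get-ADComputer cmdlet from the ActiveDirectory module (part of RSAT). It assumes a domain-joined environment, an account with read access to computer objects, and that it is run from a supported management workstation rather than from an XP host; the 90-day activity window, the output file name and the column selection are choices made for this example.

```powershell
# Added example (not from the original article): list domain-joined computers still
# running Windows XP so they can be scheduled for replacement before April 8, 2014.
# Assumes the ActiveDirectory module (RSAT) and a domain account that can read
# computer objects. The 90-day window and output path are assumptions for this example.
Import-Module ActiveDirectory

# The OperatingSystem attribute is written by the machine itself when it joins the
# domain or refreshes its account; XP reports "Windows XP Professional". Filtering on
# LastLogonDate drops stale accounts for machines that were already retired.
$cutoff  = (Get-Date).AddDays(-90)
$xpHosts = Get-ADComputer -Filter 'OperatingSystem -like "Windows XP*"' `
               -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, IPv4Address |
           Where-Object { $_.LastLogonDate -gt $cutoff } |
           Select-Object Name, OperatingSystem, OperatingSystemServicePack, LastLogonDate, IPv4Address |
           Sort-Object Name

# Show the result on screen and keep a copy for the migration plan and risk analysis.
$xpHosts | Format-Table -AutoSize
$xpHosts | Export-Csv -Path .\xp-inventory.csv -NoTypeInformation

Write-Host ("{0} active Windows XP computer account(s) found" -f @($xpHosts).Count)
```

This only finds machines that are members of the domain. Standalone PCs, laptops that rarely connect, and medical devices with embedded XP do not appear in Active Directory and must be picked up by a network scan or from the asset register, which is the point made above about not stopping at the networked computers.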

Professional editions of the software must be used because of the additional security features they include. Home editions lack domain membership, Group Policy management and built-in drive encryption, and are not suitable for protecting patient health data in a business setting. It is also essential that computer systems are configured by qualified IT professionals; simply purchasing the right software does not by itself ensure compliance or data security.

With only weeks remaining until the deadline, it is essential that action is taken promptly to ensure continued HIPAA and Meaningful Use compliance.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.