If you use Windows XP in your practice, you soon may become noncompliant with the Health Insurance Portability and Accountability Act (HIPAA). Microsoft is discontinuing support for the operating system April 8, placing patient information within this system at risk.
All security updates, bug fixes, patches and call center troubleshooting support will be suspended next month, so the continued use of the system may expose patients’ electronic protected health information (e-PHI) to risks. These security risks could lead to data breaches that may require your practice to notify patients as well as government officials, and could expose your practice to liability for violating state data security laws. In such cases, HIPAA regulations require physicians to conduct an analysis that assesses potential risks and vulnerabilities to e-PHI.
To stay in compliance with HIPAA regulations and ensure the e-PHI in your practice is protected, you should upgrade your operating systems or replace your computers that store or otherwise receive, maintain or transmit e-PHI. Also be sure to work with your vendors to analyze your risk and determine appropriate actions. Some options include:
• Replacing hardware with new technology
• Migrating “thick clients” to “thin clients” and running in a virtualized desktop infrastructure
• Assessing whether servers can support terminal services
If you are unable to make these changes by April 8, your HIPAA risk assessment must include a well-documented plan to evaluate out-of-compliance computers and a clear plan for transitioning to a system that does provide appropriate protection, such as Windows 7 or 8. This plan should identify each computer out of compliance, where it is located in the network and the timeframe intended to replace it. All virus and security software—no matter what operating system it is running on—should be up to date.
Additional HIPAA resources and training are available from the AMA Store, including AMA HIPAA School.