Windows XP Now in Breach HIPAA Regulations

Windows XP will no longer be HIPAA or meaningful use compliant in six weeks on some or all workstations,  so there is a deadline of April 8 for organizations to migrate to a new OS as Windows XP of face possible penalties for breaching HIPAA.

Any organization using the outdated software will be breaching The Security Rule of the Health Insurance Portability and Accountability Act of 1996. Windows XP is now old and out of date with the software first released in 2001. Microsoft has now made the decision to stop releasing patches and security updates for XP, making it obsolete. Since software updates are required under the Security Rule, companies will be forced to upgrade computer software. The cost of upgrading computer systems can be very high, but the financial sanctions organizations now face for HIPAA non-compliance are likely to be much higher.

Since the deadline for upgrading software is just three months away, it does not give institutions a long period of time to effect the appropriate changes. Healthcare organizations, government departments and all HIPAA-covered bodies now looking to put in place upgrades could face delays due to a shortage of available hardware and new installations can take time to roll out, especially with large healthcare organizations using outdated hardware as PC´s and laptops may also need to be upgraded in order to run up to date operating systems. The message being broadcast is clear, do not delay system upgrades and order software and hardware now so you can factor in delays in equipment being delivered.

The financial cost implications for healthcare organizations are considerable, although there are a number of cost effective options open which will ensure compliance that do not require all hardware to be upgraded. Mobile devices, PC’s and laptops can be leased to spread out the cost over time, and software can be rented rather than bought. Data can be stored safely in the cloud reducing the need for onsite data storage and the hardware that requires.

It is important to seek the guidance of an IT professional for advice on the best way to implement upgrades to minimize costs while ensuring HIPAA compliance and make sure that any business associate or provider is made aware of HIPAA regulations. They must also agree to complete a HIPAA business associate agreement.

It is not enough to replace only those computers with network access, as data may be savedon individual PCs. Data should be held on a central system –this can established by your IT professional – and individual PC’s running Windows XP should be replaced. If you have other programs or diagnostic tools which work using Windows XP it is advisable to contact the vendor of the software. All systems will need to be updated and any diagnostic tools or programs programmed to work with windows XP must similarly be upgraded.

Professional software packages must be used due to the extra security measures incorporated. Home software editions are not adequate for business use as they lack the necessary security measures to protect patient health data. It is also vital that computer systems are set up by qualified IT professionals. Simply purchasing the software is not enough in itself to ensure compliance and data security.

With only three months remaining until software systems need to be upgraded it is essential that action is taken quickly to ensure continued HIPAA and Meaningful Use compliance.