If you are using computers that run Windows XP in your chiropractic office, you need to be aware that you may soon be creating a HIPAA violation by doing so. In case you haven’t heard, Microsoft plans to end support for Windows XP on April 8, 2014, which will effectively and finally put the beloved operating system in the grave. If you are asking “what’s the big deal?” then you definitely need to read on. If you understand that this IS a big deal and that your HIPAA security may be compromised by using Windows XP, read on.

Because there is a lot of fear being promoted out there, let’s start with some clarification. The HIPAA Security Rule (with which chiropractors are obligated to comply) does not specifically require that your computer’s operating system be supported by its manufacturer. So, by itself, using Windows XP is no more of a HIPAA violation than the use of Windows 8 or Mac OS is an automatic security measure.

But (and it’s a big one)…chiropractors need to understand under what circumstances using Windows XP may become a HIPAA security violation.

The Problem

Microsoft announced that they are no longer providing security updates (aka security patches) after April 8 and, as part of that announcement, made the statement that:

“Unsupported and unpatched environments are vulnerable to security risks. This may result in an officially recognized control failure by an internal or external audit body, leading to suspension of certifications, and/or public notification of the organization’s inability to maintain its systems and customer information.”

In plain English this means that, for chiropractors using computers with Windows XP, you are exposed to risk, and Bill Gates and Co. aren’t going to help you solve your problem any longer.

The problem was made worse by a statement made by the Office of Civil Rights, which administers HIPAA violations, regarding this question (bold emphasis, mine):

The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security.  Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).

Back to English: chiropractors are required to protect PHI, and if your operating system has a known issue (XP does), then you must consider that issue in your “risk analysis” for HIPAA Security Rule compliance.

The Chiropractic HIPAA Security Dilemma

As you may imagine, Healthcare IT consultants are having a field day screaming about this issue. However, because most in the Healthcare IT fields are consulting for huge entities such as hospitals, not all of their advice may be applicable to chiropractors. In my reading of this problem from our perspective, the situation boils down to two choices you must face:

(Option A) Update all your devices that are currently running Windows XP. This is definitely the safest and simplest route for all chiropractors. For smaller chiropractic offices, this is also likely to be fairly cost effective, especially given the fact that the vast majority of fines you may face for a HIPAA Security Violation will be significantly in excess of the cost of purchasing a few new computers. (Witness the recent $1.5 million fine for a lost laptop, $1.7 million fine for a lost hard drive, and $150,000 fine for a lost thumb drive.) For larger offices, you may want to consult an IT professional because, as mentioned above, upgrading from Windows XP must happen on ALL devices. Getting rid of Windows XP means replacing both hardware and software. Consider replacing desktops with laptops, micro PCs that mount to the backs of monitors, all-in-one computers, thin clients without hard drives, or tablets. Look at the new ways to purchase or ‘rent’ software like word processing, spreadsheets, presentations, online backups, and file sharing. Certainly all of that can get expensive.

(Option B) Formalize a Plan to Identify & Minimize Security Risks From Operating Windows XP: If you choose to keep running XP, then the minimum requirement for HIPAA Compliance is that you address the security risks of doing so in a formal, written risk analysis. Addressing the risks means that as a chiropractor, you know what can happen by running XP and that you have a written plan for minimizing the risk. This plan must be described in detail in your risk analysis, including perhaps a timeline for your transition away from XP (because you are not going to be able to use the XP operating system indefinitely; like lead paint, eventually it’s going away and won’t be found or sold anywhere).

When does running XP become a Chiropractic Compliance violation in HIPAA?

Put simply, when the chiropractor’s written risk analysis plan does not address the HIPAA Security risks of operating Windows XP. Furthermore, as your risks increase over time from using this insecure and outdated operating system, chiropractors are required to update their risk analysis to reflect any additional risk issues that may appear in time.

The Bottom Line & Final Thoughts

For safety and simplicity, I would strongly recommend Option A – replacing your XP systems.

Here are a couple of additional thoughts:

Did your HIPAA compliance officer already warn you of this? Do you even have a HIPAA compliance officer?

The purpose of a chiropractic compliance officer is not to be the person that knows where your dusty compliance binder can be found on the shelf. They should be staying abreast of these changes and helping your office maintain compliance in the areas of HIPAA, billing, coding, fee schedules, OSHA compliance, etc. Far too many chiropractic offices have left compliance on the shelf and are ignoring it at great risk. Certainly, compliance is not the most attractive part of running a chiropractic office, but it’s required.

If you suspect that compliance issues may place your office at risk, you may want to consider our interactive compliance training, Chiropractic Audit Armor, which can help you and your staff keep updated on these issues.  As a bonus feature, Audit Armor members also have FREE access to our online ICD-10 Training for Chiropractors and their Staff course as well.

Finally, if you are spending gobs of time trying to meet meaningful use, failing to be HIPAA compliant puts your chiropractic office at risk of not meeting the meaningful use security requirements and could potentially mean that all your meaningful use efforts have been wasted.