Many commentators, primarily IT vendors, have stated that the pending doom of Windows XP, which Microsoft will no longer support after April 8, 2014, will constitute a HIPAA violation for covered entities that continue to use it. For example, Derrick Wlodarz of Beta News, in his article “5 Big Myths Surrounding Computer Security and HIPAA Compliance,” under the heading “Myth: My Office Uses Windows XP and Server 2003, But It’s OK—We Have Great Antivirus,” said the following:

“Another area that many medical practices have a false sense of security in comes in the form of still using Windows XP and, to a lesser extent, Server 2003. Blogs for the medical industry have been covering this pending doom for a little while now, but seeing as Windows XP has its official death set for April 2014, offices are rushing to get this looming threat out the door. Windows Server 2003, the backbone of many medical offices, is also facing its own end-of-life scenario with a little more breathing room for offices. That product brings its long fruitful life to a conclusion in July 2015, which means medical offices running practice suites or email systems on Server 2003 need to start getting into gear for upgrading or facing the consequences. As soon as these platforms lose support from their manufacturer (Microsoft), they bring the subsequent office into non-compliance without question.”
In my opinion, although the pending doom could lead to a HIPAA violation, it is not automatic, as many vendors suggest. The Department of Health and Human Services (“DHHS”) Office for Civil Rights (“OCR”) addresses this issue generally, in the Frequently Asked Questions section on its website, as follows:

Question: “Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?”

Answer: “No. The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security. Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).”
Thus, failure to perform a risk analysis of a system running Windows XP (or any other system that its vendor will no longer support) can lead to a HIPAA violation if the covered entity does not implement reasonable and appropriate security measures to safeguard against the risks inherent in the “pending doom” of that system.