Microsoft XP Support Termination, HIPAA Security Rule

As of April 8, 2014, Microsoft has terminated support, including the provision of security updates and patches, for Windows XP. Some warnings about the Microsoft termination have threatened that the use of a Windows XP computer after April 8, 2014, is an automatic HIPAA violation, and have advised health care providers that are HIPAA covered entities to immediately upgrade to remain in compliance. Guidance from HHS, however, makes it clear that the Security Rule does not have any mandated minimum requirements for personal computer operating systems. Rather, the Security Rule designates requirements for information systems that contain electronic protected health information (“ePHI”), and gives covered entities flexibility as to how they will implement specifications such as audit controls, user identification and authentication, transmission security, and periodic updates, to comply with technical safeguard requirements. Covered entities must assess and analyze their particular risks, including any known security vulnerabilities, and then consider and implement the safeguards that are reasonable and appropriate in their environment. Therefore, while immediate upgrades may not be required, the continuing use of an unsupported Windows XP system should certainly be part of a covered entity’s risk analysis, and covered entities may need to update as the risks associated with that system increase.