What are the HIPAA issues with Microsoft given that their OS license legally allows them access to the machines running them?

Isn't this an interesting Catch-22!? The issue here, for those of you who aren't familiar with it, is that by agreeing to the license terms and applying Windows 2000 service pack three, you essentially give Microsoft the ability to "silently" update the operating system. This leads to the obvious issue of letting an unauthorized third party not only make random software configuration changes (not good per HIPAA), but also giving this third party potential access to protected health information (PHI) -- again, a HIPAA no-no. The HIPAA Privacy Rule and the proposed HIPAA Security Rule mandate "reasonable" efforts to keep PHI confidential. I'm no lawyer, but I'm guessing this depends on how you, and more importantly the courts, define "reasonable." Perhaps the fact that you cannot keep your security holes plugged if you don't install service pack three (and beyond) will take precedence over the slight chance that Microsoft could have unauthorized access to PHI or the fact that Microsoft is making configuration changes to your computer systems at will.
I'm not sure that there is a good solution. Maybe the final Security Rule will address this type of issue and all will be well in the eyes of the Department of Health and Human Services. Perhaps the courts will see this Microsoft mandate as being reasonable. If neither of these proves to be the case in the future, you may want to consider operating system alternatives for computer systems that store PHI or perform critical services. Only time will tell.
For more information on this topic, visit these other SearchSecurity.com resources:
Ask the Expert: Windows 98 and HIPAA
Best Web Links: Health Care/Health Services
Featured Topic: HIPAA update