HIPAA implications for organizations running Microsoft
What are the HIPAA issues with Microsoft given that their OS license legally allows them access to the machines running them?
Isn't this an interesting Catch-22!? The issue here, for those of you who
aren't familiar with it, is that by agreeing to the license terms and applying
Windows 2000 service pack three, you essentially give Microsoft the ability to
"silently" update the operating system. This leads to the obvious issue of
letting an unauthorized third party not only make random software
configuration changes (not good per HIPAA), but also giving this third party
potential access to protected health information (PHI) -- again, a HIPAA no-no.
The HIPAA Privacy Rule and the proposed HIPAA Security Rule mandate "reasonable"
efforts to keep PHI confidential. I'm no lawyer, but I'm guessing this depends
on how you -- and, more importantly, the courts -- define reasonable. Perhaps the
fact that you cannot keep your security holes plugged if you don't install
service pack three (and beyond) will take precedence over the slight chance that
Microsoft could have unauthorized access to PHI or the fact that Microsoft is
making configuration changes to your computer systems at will.
I'm not sure that there is a good solution. Maybe the final Security Rule will
address this type of issue and all will be well in the eyes of the Department of
Health and Human Services. Perhaps the courts will see this Microsoft mandate
as being reasonable. If neither of these proves to be the case in the future,
you may want to consider operating system alternatives for computer systems that
store PHI or perform critical services. Only time will tell.
This was first published in November 2002