Windows XP and HIPAA Compliance – Are the Two Compatible?

“Microsoft recently announced that, after April 8, 2014, it will not longer provide security updates or technical support for Windows XP. Microsoft’s statement that “businesses that are governed by regulatory obligations such as HIPAA may find that they are no longer able to satisfy compliance requirements” has spurred a certain level of panic among health care providers that utilize Windows XP.

While running Windows XP without security updates or “patches” will open healthcare entities to increased vulnerabilities under HIPAA, it is important to understand exactly what a covered entity’s obligations are under the Security Rule.

The U.S. Department of Health and Human Services provides the following question and answer on its website:

Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?

Answer: No. The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security. Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).

Therefore, while covered entities must meet certain requirements for storing e-PHI, simply operating Windows XP after April 8, 2014 is not a per se HIPAA violation so long as the covered entity engages in a detailed risk analysis which identifies the known vulnerabilities, the potential effects of such vulnerabilities and includes a plan to address these issues. To the extent a covered entity plans to use Windows XP after April 8, 2014, such an analysis should be undertaken promptly.”


For the full article, visit the source website:

For the Microsoft official announcement visit this website:

Please spread the word about the above to your clinical colleagues and any persons operating businesses both small and large.

Leave a Reply