The HIPAA Security Rule provision usually cited here is 45 C.F.R. § 164.308(a)(5)(ii)(B), the "protection from malicious software" specification. Read together with the risk analysis and risk management requirements in § 164.308(a)(1)(ii)(A) and (B), it obliges Covered Entities and Business Associates to keep the software they use current with the vendor's security updates. The rule does not use the word "patching," but HHS treats software the vendor no longer supports as a known risk that must be addressed through the risk management process, and in practice the only way to address it is to stop using that software. On January 14, 2020, Microsoft will end support for Windows 7. After that date, simply having a Windows 7 computer on your network will be a HIPAA violation. Windows 7 HIPAA compliance won't be possible.
From Microsoft’s Windows 7 Web page:
Is Windows 7 HIPAA Compliance still possible?
Yes, if you are using Windows 7 now, you can still achieve compliance. However, after January 14, 2020 that won't be possible. As stated above, even a single Windows 7 computer on your network at that point will be a HIPAA violation. Extended support for Windows 7 ends on that date and Microsoft will stop issuing free security updates for it, including fixes for any new security holes found afterward. (Microsoft does sell paid Extended Security Updates for Windows 7 Professional and Enterprise for up to three years after that date. A machine enrolled in that program is still receiving vendor patches, but it is a stopgap for organizations that cannot finish migrating in time, not a reason to stay on Windows 7.)
Because of its popularity, many Covered Entities and Business Associates are still using Windows 7. Migrating a large number of computers takes time and planning. The main issue will be ensuring it's done before attesting for Meaningful Use (now called Promoting Interoperability under MIPS).
No meaningful use using Windows 7
Where this becomes very serious is when a Covered Entity goes to attest under MIPS for Meaningful Use (the Promoting Interoperability category). That attestation includes the Security Risk Analysis measure, in which the Covered Entity attests that it has conducted or reviewed a security risk analysis under 45 C.F.R. § 164.308(a)(1) and addressed the identified risks. If a Covered Entity is still running a Windows 7 computer next year and goes to attest, this will be an issue: the entity is stating that it has managed its risks when an unpatchable operating system on its network says otherwise.
What do you need to do?
Here are some steps you can follow to get migrated over to Microsoft Windows 10 and remain in HIPAA compliance.
- Perform a Risk Assessment: If you haven't already done so, do a thorough Risk Assessment of your practice (or business). The asset inventory that goes with it should list every computer and server with its operating system, which is what reveals all of the machines still running Windows 7.
- Assess your current hardware: Will you need new hardware? If so, how will you go about purchasing them? If your current computers will be able to handle Windows 10, then you can move forward.
- Plan your Windows 10 Migration: If you need to purchase new computers, get them ordered. If your existing computers meet the Windows 10 requirements, download the Windows 10 installer. Microsoft doesn't publish it widely, but you can still upgrade to Windows 10 at no charge if you are using a licensed copy of Windows 7.
- Dispose of old Windows 7 computers: Your old Windows 7 computers will still have Protected Health Information on them. The hard drives need to be wiped with a secure wipe method (or physically destroyed) before you dispose of them; NIST SP 800-88 is the usual reference for how to sanitize media. If you engage an outside service, make sure they provide you with a certificate of destruction to add to your own HIPAA documentation. This will validate that you performed your due diligence to destroy the PHI that may have been on the old hard drives.
Other Microsoft software that is not HIPAA compliant
If you are one of the 5% still using Windows XP, it's time to upgrade. Support for Windows XP ended in April 2014. Windows XP was such a stable and good operating system, very much like Windows 7, that many people didn't want to leave it. However, there have been no security updates for Windows XP for many years and it cannot be considered safe. On top of that, it is very much a HIPAA violation.
Windows Vista, one of Microsoft’s least popular operating systems, is used less than 1% of the time. Its support ended in April 2017. If you are still using Vista, this is a HIPAA violation.
Windows 8 was a popular operating system and it still holds 5% of the market. Be careful with the version, though: Windows 8 itself has been out of support since January 2016, because Microsoft treats the 8.1 update as a required service pack. Only Windows 8.1 is still supported, and its extended support ends in January 2023.
Another issue waiting to bite practices and their business associates will be servers running Windows Server 2003 and 2008. Windows Server 2003 was retired in July 2015, and Windows Server 2008 and 2008 R2 will be retired at the same time as Windows 7, January 14, 2020. Servers are often kept in service longer than workstations and, because of this, they are forgotten. If you are using a server with either of these operating systems, it is time to upgrade. The catch is that the server hardware will likely need to be replaced as well; servers that old often won't run the newer Microsoft server operating systems. Installing a new server is a much more prolonged process than changing your workstations. It involves relocating practice management and EMR data, either setting up a new domain for your office or, more commonly, promoting the new server into the existing domain and demoting the old one, and setting up security for compliance.
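The first step in the migration list above is finding every Windows 7 machine, and the server section notes that Server 2003 and 2008 boxes are the ones most often forgotten. The following script, an added example that is not part of the original article, pulls the operating system of every domain-joined computer and server from Active Directory and flags the ones whose vendor support has ended or is about to end. It assumes a domain environment with the ActiveDirectory PowerShell module (RSAT) installed and read access to computer objects; the end-of-support dates are Microsoft's published dates, and the 90-day activity window and output file name are choices made for the example.

```powershell
# Added example (not from the original article): inventory domain-joined
# computers and flag operating systems that no longer receive security updates.
# Assumes the ActiveDirectory module (RSAT) and read access to computer objects.
Import-Module ActiveDirectory

# Microsoft end-of-support dates. 'Windows 8' deliberately excludes 8.1,
# which is still supported; 'Windows Server 2008' also matches 2008 R2.
$Unsupported = @(
    @{ Pattern = 'Windows XP';           EndOfSupport = '2014-04-08' },
    @{ Pattern = 'Windows Server 2003';  EndOfSupport = '2015-07-14' },
    @{ Pattern = 'Windows 8(?!\.1)';     EndOfSupport = '2016-01-12' },
    @{ Pattern = 'Windows Vista';        EndOfSupport = '2017-04-11' },
    @{ Pattern = 'Windows 7';            EndOfSupport = '2020-01-14' },
    @{ Pattern = 'Windows Server 2008';  EndOfSupport = '2020-01-14' }
)

function Get-EndOfSupportDate {
    # Returns the end-of-support date for an AD OperatingSystem string,
    # or $null if the OS is not on the list.
    param([string]$OperatingSystem)
    foreach ($entry in $Unsupported) {
        if ($OperatingSystem -match $entry.Pattern) {
            return [datetime]$entry.EndOfSupport
        }
    }
    return $null
}

function Get-UnsupportedComputers {
    param(
        # Ignore machines that have not logged on recently; stale AD objects
        # are a separate cleanup and would inflate the count.
        [int]$ActiveWithinDays = 90,
        [datetime]$AsOf = (Get-Date)
    )
    $cutoff = $AsOf.AddDays(-$ActiveWithinDays)
    Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
        Where-Object { $_.Enabled -and $_.LastLogonDate -ge $cutoff } |
        ForEach-Object {
            $eos = Get-EndOfSupportDate $_.OperatingSystem
            if ($eos) {
                $daysLeft = ($eos - $AsOf).Days
                [pscustomobject]@{
                    Name         = $_.Name
                    DNSHostName  = $_.DNSHostName
                    OS           = $_.OperatingSystem
                    Version      = $_.OperatingSystemVersion
                    LastLogon    = $_.LastLogonDate
                    EndOfSupport = $eos.ToString('yyyy-MM-dd')
                    Status       = if ($daysLeft -le 0) { 'UNSUPPORTED' } else { "$daysLeft days left" }
                }
            }
        }
}

# Show the list and keep a copy for the risk assessment's asset inventory.
$report = Get-UnsupportedComputers | Sort-Object EndOfSupport, Name
$report | Format-Table -AutoSize
$report | Export-Csv -Path .\unsupported-windows.csv -NoTypeInformation
```

Run it from a workstation with RSAT as a user who can read the domain. Before January 14, 2020 the Windows 7 and Server 2008 entries show a countdown, and after that date they all read UNSUPPORTED. Machines that are not domain-joined (lab PCs, imaging workstations, vendor-managed devices) will not appear and still need to be walked down by hand, which is exactly why the risk assessment's inventory should not rely on a single data source.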
The HIPAA Security Rule requires that Covered Entities and Business Associates use software that is supported by the vendor. If the software is no longer supported, it is not HIPAA compliant. On January 14, 2020, Microsoft will retire support for Windows 7, one of its most popular operating systems. If your practice (or business, for Business Associates) is still using Windows 7 on your network, the time is now to start planning your migration to Windows 10. 2020 is just a few months away. Start taking action now so that you won't have a Windows 7 HIPAA compliance issue in your practice. Windows 10 upgrades are still available for free for users of Windows 7, so there is no reason not to upgrade. If you are still using Windows 7 after January 14, 2020, and attest for MIPS, you will have a second problem, since the attestation includes stating that you have done your security risk analysis and addressed what it found.