With the coming Windows 7 end of life, owners of computers that use the popular OS will need to take action of some sort. We’ve heard plenty of reasons why people have been dragging their feet, everything from financial burdens to just plain stubbornness, but there is one very real reason for some to be reluctant to upgrade: HIPAA compliance.  

What is HIPAA? 

For those who aren’t aware, HIPAA stands for Health Insurance Portability and Accountability Act. Passed into law in 1996, it covers a wide range of healthcare-related issues. However, for this article, we’ll focus on the privacy aspects. 

In essence, the law states that healthcare providers at every level need to do everything reasonably possible to keep patient information private. This is the reason why you can’t just call a hospital and ask for someone’s medical condition. On the surface, this is completely reasonable and almost taken for granted, but the administrative workload to stay compliant can be burdensome. Also, being out of compliance in any way can result in severe fines and even the loss of licenses. For this and other ethical reasons, it’s understandable why healthcare providers are overly cautious about making sure they follow HIPAA regulations to the letter. 

Where Does Windows 10 Fit into This? 

Anytime patient data is at play, extra care must be taken to safeguard the information. For instance, printed forms and files containing medical records must be shredded, and any hardware that holds sensitive information must be certified HIPAA compliant. What sometimes gets overlooked is the OS these data storage systems run on. While other versions of Windows have been HIPAA compliant, Windows 10 isn’t — at least not out of the box. Microsoft has gone out of their way to not give a direct answer about Windows 10’s compliance, though with other products — such as Office 365 — they’ve made a point to advertise the compliance. It appears that even when customers wanted more information about this on their online forums, administrators would delete the threads.  

The main issue at hand is the new(ish) requirement to have a Microsoft account tethered (through the cloud) to each copy of Windows 10. For the average user (especially blog writers) there are numerous benefits to having an account that is integrated into the cloud. For instance, OneDrive is designed to automatically save documents as they’re being created, which is a great safety net if your computer were to crash midway through writing a document. But you don’t want that function if you’re dealing with sensitive patient information. To compound that issue even further, and to enhance the customer experience, Windows 10 sends information from the computer to Microsoft’s servers to learn more about you and your interests. That way, news articles and other features designed around your interests are presented to you. This can involve private information being sent to a third party, even if the user is unaware. An important thing to remember about HIPAA compliance: ignorance is not an excuse. 

What’s the Bottom Line? 

Given the above reasons, it’s understandable why medical offices are slow to upgrade to Windows 10. However, some modifications can be made to bring an updated computer into compliance. 

Use a Local Account 

When you first set up the computer, the default setting will be to use a Microsoft account. As previously mentioned, while great for some users, it should not be done for computers used in healthcare. Creating a local account will alleviate this problem by not giving Microsoft's servers the ability to link with your documents, calendars and other programs that may contain private information. Keep in mind that you’ll get a lot of pushback at first from Windows for doing this, but it is possible. 

Disable “Wi-fi Sense” 

This is one of the new features in Windows 10 that can come in handy for some but needs to be turned off for HIPAA compliance. Wi-fi Sense is a way to allow other computers to access the wireless internet network without a password. You can share access with someone right next to you or even with your Facebook friends. However, once someone has access to the network, they may have access to private information. 

Disable Sharing of Private Information with Apps 

Newer versions of Windows, like most modern technology, utilize apps for countless purposes. In fact, Microsoft now has its own App Store. Many of these apps require that user information be shared with them. While this creates an obvious problem, most medical office computers probably wouldn’t be using these apps in the first place, so it shouldn’t be an issue for most users. But it’s still something to be aware of. 


Be Careful with Shared Crash Information 

When most computers crash nowadays, information is automatically sent to the servers of the operating system vendor (usually Microsoft or Apple), who use this information both to get you back to where you were before the crash and to collect information to see if perhaps an update is in order. While transferring this information, patient data may be sent along as well. For this reason, be sure to select that only ‘basic information’ or ‘none at all’ is sent in the event of a crash. 
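The four steps above amount to a checklist, and an IT professional will want a repeatable way to verify them on every machine rather than clicking through Settings by hand. The following PowerShell script is an added example, not code from the original article: it audits the settings read-only and reports pass or fail for each. It assumes a Windows 10 machine with PowerShell 5.1 (for `Get-LocalUser`), the documented Group Policy and MDM registry locations for these settings, and a site decision (the `$MaxTelemetryLevel` variable) that ‘basic’ diagnostic data is the most the office will accept. `Add-Finding` and `Get-RegValue` are helper names I chose for this example.

```powershell
# Added audit example (not from the original article): read-only checks for the
# settings discussed above. Run in an elevated PowerShell 5.1+ session.
# Registry paths are the documented Group Policy / MDM policy locations; the
# acceptance threshold ($MaxTelemetryLevel) is an assumption for this example.

$results = [System.Collections.Generic.List[object]]::new()

# Record one pass/fail row for the final report.
function Add-Finding {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{
        Check  = $Check
        Status = $(if ($Pass) { 'PASS' } else { 'FAIL' })
        Detail = $Detail
    })
}

# Return a registry value, or $null when the key or value does not exist.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. Local accounts only: flag any enabled user that is backed by a Microsoft account.
$msAccounts = @(Get-LocalUser | Where-Object { $_.Enabled -and $_.PrincipalSource -eq 'MicrosoftAccount' })
Add-Finding -Check 'Local accounts only' -Pass ($msAccounts.Count -eq 0) `
    -Detail $(if ($msAccounts.Count) { "Microsoft-account users: $($msAccounts.Name -join ', ')" }
              else { 'No enabled Microsoft-account users' })

# 2. Wi-Fi Sense: both MDM policy toggles should be 0 (no hotspot sharing, no auto-connect).
$wifiBase    = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WiFi'
$hotspot     = Get-RegValue "$wifiBase\AllowWiFiHotSpotReporting" 'Value'
$autoConnect = Get-RegValue "$wifiBase\AllowAutoConnectToWiFiSenseHotspots" 'Value'
Add-Finding -Check 'Wi-Fi Sense disabled' -Pass (($hotspot -eq 0) -and ($autoConnect -eq 0)) `
    -Detail "AllowWiFiHotSpotReporting=$hotspot AllowAutoConnectToWiFiSenseHotspots=$autoConnect (0 = off, blank = not set)"

# 3. App privacy: policy value 2 = "Force Deny" for Store apps asking for account information.
$appPriv = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy' 'LetAppsAccessAccountInfo'
Add-Finding -Check 'Apps denied account info' -Pass ($appPriv -eq 2) `
    -Detail "LetAppsAccessAccountInfo=$appPriv (2 = force deny)"

# 4. Diagnostic / crash data: AllowTelemetry 0 = Security (Enterprise/Education only), 1 = Basic.
#    Anything higher, or no policy at all, sends more than basic data.
$MaxTelemetryLevel = 1   # assumption: "basic" is the most this office will accept
$telemetry = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' 'AllowTelemetry'
Add-Finding -Check 'Telemetry at Basic or lower' -Pass (($null -ne $telemetry) -and ($telemetry -le $MaxTelemetryLevel)) `
    -Detail "AllowTelemetry=$telemetry (blank = policy not set, so the edition default applies)"

# Windows Error Reporting: Disabled=1 stops crash reports from being uploaded at all.
$wer = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' 'Disabled'
Add-Finding -Check 'Error Reporting upload disabled' -Pass ($wer -eq 1) -Detail "Disabled=$wer (1 = off)"

$results | Format-Table -AutoSize
# Non-zero exit lets a management tool or scheduled task flag machines that drift.
if ($results.Status -contains 'FAIL') { exit 1 } else { exit 0 }
```

The script changes nothing; it only reads policy keys and the local user list, so it is safe to run on a production workstation and to schedule, with the exit code feeding whatever inventory or ticketing system the practice already uses. A FAIL on a line means the corresponding step above still has to be applied (through Settings, Group Policy or your MDM), and the Detail column shows the value that was actually found so the fix can be confirmed on the next run.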

It should be reiterated that Microsoft has been deliberately silent on this matter. The above tips are only suggestions by experts and not to be treated as the final word regarding HIPAA compliance in Windows 10. If you have any questions about this, especially if you’re running multiple computers and servers in your company, contact your IT professional so they can certify HIPAA compliance on your network to protect both your patients and your company.