Windows XP: Hidden HIPAA Violation for Medical Practices

Physicians Using Outdated Computer Systems at Highest Risk

If your medical practice has made any computer purchases within the past 12 years, you might currently be violating HIPAA and not even realize it.

Although technical in nature, physicians will be the ones held 100% liable – not IT staff – if the computer issue isn’t properly addressed. And with roughly 1 in 4 of the world’s PCs still using Windows XP, it’s likely that many healthcare facilities need to take corrective action immediately.

Why This Matters to Physicians & Office Staff

On April 8, 2014 Microsoft ended ongoing tech support for Windows XP, its popular 12-year-old operating system. Security patches are no longer being written, and there are no plans to monitor the system for ongoing weaknesses.

Using outdated software, like XP, will leave your practice more vulnerable to viruses, hackers, and identity thieves. Just think of the wealth of personal health information (PHI) housed on your computers:

• Patient names

• Addresses

• Social security numbers

• Diagnoses

• Prescriptions

• Payment methods including credit card numbers

If that data ends up in the wrong hands, it will have far-reaching, negative implications for your patients and your reputation. Not to mention, the massive fines that will drain your bank account.

Your Responsibility as a Covered Entity

As a covered entity, your medical practice has to follow certain regulations. The HIPAA Privacy Rule states covered entities fall into three specific groups:

1. Healthcare providers, regardless of practice size

• Physicians

• Clinics

• Psychologists

• Chiropractors

• Nursing homes

• Pharmacies

2. Health plans

3. Healthcare clearinghouses

If we jump to the Administrative Safeguards of the HIPAA Security Rule, covered entities – like healthcare providers – are required to have procedures in place for guarding against, detecting, and reporting malicious software. This is considered an “addressable” specification.


But what exactly does that mean?

Addressable Doesn’t Mean Optional

According to the Department of Health and Human Services (HHS), covered entities may achieve compliance with addressable specifications by choosing one of the following:

• implement the addressable specifications;

• implement one or more alternative security measures to accomplish the same purpose;

• not implement either an addressable specification or an alternative.

So, simply having a computer in your medical practice with Windows XP doesn’t count as a violation. It’s possible that you already have alternative safeguards in place – like anti-malware software – to protect against hackers and outside threats.

If that’s the case, that’s great. But your work isn’t done there. You’d better make sure it’s all properly documented.

According to the HHS:

…any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).

If you plan to still use Windows XP, you must – at a minimum – perform a detailed risk analysis that outlines how these new security issues will be addressed. And as those risks evolve in the future, the assessment should be updated to reflect the new plan.
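As an added illustration of what that risk analysis can start from (this is example code, not from the original post or from Capture Billing), the Python script below turns a workstation inventory into risk-register entries: every host whose operating system is past the vendor's end-of-support date is listed with how long it has gone unpatched, whether it handles PHI, and which alternative security measures are documented for it. The inventory rows and hostnames are constructed, the Windows XP date is the one the post gives, and the Windows 7 date is Microsoft's published end-of-support date; everything else is an assumption for illustration.

```python
"""Flag inventory hosts running an OS past vendor end-of-support and turn
them into risk-register entries for the HIPAA Security Rule risk analysis.

Example code, not from the original post. Hosts and rows are constructed.
"""
from dataclasses import dataclass
from datetime import date
import csv
import io

# Vendor end-of-support dates. Windows XP: stated in the post.
# Windows 7: Microsoft's published date. Add others as your inventory needs.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}

# Constructed sample inventory (not real hosts), one row per workstation.
# compensating_controls is a ';'-separated list of documented alternatives.
SAMPLE_INVENTORY = """\
hostname,os,handles_phi,compensating_controls
FRONTDESK-1,Windows XP,yes,antivirus;isolated from internet
EXAM-2,Windows 7,yes,
BILLING-3,Windows 10,yes,full disk encryption
LAB-4,Windows XP,no,
"""

# Assumed date on which the assessment is run (shortly after XP's end date).
ASSESSMENT_DATE = date(2014, 5, 5)


@dataclass
class Finding:
    hostname: str
    os: str
    unsupported_since: date
    handles_phi: bool
    controls: list
    risk: str


def days_unsupported(os_name, today):
    """Days since the vendor stopped patching this OS; None if still supported
    or not in the END_OF_SUPPORT table."""
    end = END_OF_SUPPORT.get(os_name)
    if end is None or today < end:
        return None
    return (today - end).days


def rate(handles_phi, controls):
    """Rating for an unsupported host. Documented alternative measures lower
    the rating but never remove the entry: 'addressable' is not 'optional'."""
    if handles_phi and not controls:
        return "high"
    if handles_phi:
        return "medium"
    return "low"


def assess_inventory(csv_text, today):
    """Return Findings for every unsupported host, highest risk first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if days_unsupported(row["os"], today) is None:
            continue
        controls = [c.strip() for c in row["compensating_controls"].split(";")
                    if c.strip()]
        phi = row["handles_phi"].strip().lower() == "yes"
        findings.append(Finding(row["hostname"], row["os"],
                                END_OF_SUPPORT[row["os"]], phi, controls,
                                rate(phi, controls)))
    findings.sort(key=lambda f: ("high", "medium", "low").index(f.risk))
    return findings


def risk_register_lines(findings, today):
    """One plain-text register line per finding, ready to paste into the
    written risk analysis."""
    lines = []
    for f in findings:
        days = (today - f.unsupported_since).days
        ctrl = "; ".join(f.controls) if f.controls else "NONE DOCUMENTED"
        lines.append(f"[{f.risk.upper()}] {f.hostname}: {f.os} unpatched for "
                     f"{days} days; PHI={'yes' if f.handles_phi else 'no'}; "
                     f"alternative measures: {ctrl}")
    return lines


def sample_findings():
    """Run the assessment over the constructed inventory."""
    return assess_inventory(SAMPLE_INVENTORY, ASSESSMENT_DATE)


if __name__ == "__main__":
    for line in risk_register_lines(sample_findings(), ASSESSMENT_DATE):
        print(line)
```

Run against the sample rows on the assumed date, the two XP hosts are reported (Windows 7 was still supported in 2014 and Windows 10 is not in the table), the front-desk machine rated medium because alternatives are documented and the lab machine low because it holds no PHI. A host with no documented alternative and PHI on it comes out high, which is exactly the case that should drive the upgrade decision and the written plan.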


Most Recent Security Breach

Despite officially ending support, Microsoft released one final emergency patch for XP last week. Issued on May 1, it addressed a security flaw in the software that Microsoft explained could allow hackers to:

1. remotely access unprotected computer systems worldwide

2. gain the same user rights as the current user.

Since Microsoft was no longer monitoring the software, hackers were able to find and exploit weaknesses in the system, and gain access to private files of individuals and businesses.

Even the United States Computer Emergency Readiness Team (US-CERT) issued a warning to Windows XP users. Its counterpart in the UK, UK-CERT, did the same, urging everyone to perform system upgrades.

Without ongoing product support, this is just a temporary fix. Medical practices using Windows XP, or with older computer systems, will become a growing target for identity theft and HIPAA violations, along with the severe consequences that come with them.

Consequences of Non-compliance

Practitioners who fail to comply with HIPAA regulations can be issued both civil and criminal penalties as noted below.


Civil penalties (per violation):

• Covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation: $100-$50,000

• The HIPAA violation had a reasonable cause and was not due to willful neglect: $1,000-$50,000

• The HIPAA violation was due to willful neglect but the violation was corrected within the required time period: $10,000-$50,000

• The HIPAA violation was due to willful neglect and was not corrected: $50,000 or more

*Up to $1.5M in fines may also be issued for identical violations in the same calendar year.


If the civil fines aren’t enough of a deterrent, the possibility of jail time should be.

Criminal penalties:

• Unknowingly or with reasonable cause: up to 1 year in jail

• Under false pretenses: up to 5 years in jail

• For personal gain or malicious reasons: up to 10 years in jail


Recent Violations

The Office of Civil Rights (OCR) has been cracking down on security breaches recently, and issuing substantial fines too. Two examples are listed here. Had these physicians and healthcare leaders been diligent in their compliance efforts, the violations could have been prevented.

Adult & Pediatric Dermatology, P.C. (APDerm) was fined $150,000 when a flash drive containing patient information was stolen. In addition, they must also execute a corrective action plan to prevent similar issues in the future.

Concentra Health Services and QCA Health Plan came under fire when unencrypted laptops containing the PHI of hundreds of patients were stolen. As an example of the severity of the offenses, OCR swiftly fined the two companies a total of $2 million.

Upgrade to be Safe

Although these cases focus on the theft of actual physical devices, it’s not far-fetched to see how a computer with limited security features may result in the same outcome: compromising PHI.

Depending on the size of your practice, installing new software can be costly. But given the number of physicians replacing their EHRs, upgrading the operating system at the same time makes sense. It adds yet another layer of HIPAA protection for patients and practitioners alike.

How has your medical practice addressed this major security issue? Please comment below and let us know!

is a 20-year veteran of healthcare, having managed medical practices. He advises medical practices, physicians and practice administrators on how to run their practice and manage their medical billing and revenue cycle management. Manny speaks, blogs and makes videos at www.CaptureBilling.com, a blog that is tops in the medical billing and coding field.
