
Windows XP: Hidden HIPAA Violation for Medical Practices

Physicians Using Outdated Computer Systems at Highest Risk

If your medical practice has made any computer purchases within the past 12 years, you might currently be violating HIPAA and not even realize it.

Although the issue is technical in nature, physicians – not IT staff – will be the ones held 100% liable if it isn’t properly addressed. And with roughly 1 in 4 of the world’s PCs still running Windows XP, it’s likely that many healthcare facilities need to take corrective action immediately.

Why This Matters to Physicians & Office Staff

On April 8, 2014, Microsoft ended ongoing tech support for Windows XP, its popular 12-year-old operating system. Security patches are no longer being written, and there are no plans to monitor the system for newly discovered weaknesses.

Using outdated software like XP leaves your practice more vulnerable to viruses, hackers, and identity thieves. Just think of the wealth of protected health information (PHI) housed on your computers:

• Patient names

• Addresses

• Social security numbers

• Diagnoses

• Prescriptions

• Payment methods including credit card numbers

If that data ends up in the wrong hands, it will have far-reaching, negative implications for your patients and your reputation. Not to mention the massive fines that will drain your bank account.

Your Responsibility as a Covered Entity

As a covered entity, your medical practice has to follow certain regulations. The HIPAA Privacy Rule states covered entities fall into three specific groups:

1. Healthcare providers, regardless of the practice size

• Physicians

• Clinics

• Psychologists

• Chiropractors

• Nursing homes

• Pharmacies

2. Health plans

3. Healthcare clearinghouses

If we jump to the Administrative Safeguards of the HIPAA Security Rule, covered entities – like healthcare providers – are required to have procedures in place for guarding against, detecting, and reporting malicious software. This is considered an “addressable” specification.

But what exactly does that mean?

Addressable Doesn’t Mean Optional

According to the Department of Health and Human Services (HHS), covered entities may achieve compliance with addressable specifications by choosing one of the following:

• implement the addressable specifications;

• implement one or more alternative security measures to accomplish the same purpose;

• not implement either an addressable specification or an alternative.

So, simply having a computer with Windows XP in your medical practice doesn’t by itself count as a violation. It’s possible that you already have alternative safeguards in place – like anti-malware software – to protect against hackers and outside threats.

If that’s the case, that’s great. But your work isn’t done there. You’d better make sure it’s all properly documented.

According to the HHS:

…any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).

If you plan to still use Windows XP, you must – at a minimum – perform a detailed risk analysis that outlines how these new security issues will be addressed. And as those risks evolve in the future, the assessment should be updated to reflect the new plan.

Most Recent Security Breach

Despite officially ending support, Microsoft released one final emergency security patch for XP last week. Issued on May 1, the patch addressed a flaw in the software that Microsoft explained could allow hackers to:

1. remotely access unprotected computer systems worldwide

2. gain the same user rights as the current user.

Because Microsoft was no longer monitoring the software, hackers were able to find and exploit weaknesses in the system and gain access to the private files of individuals and businesses.

Even the United States Computer Emergency Readiness Team (US-CERT) issued a warning to Windows XP users. Its counterpart in the UK, UK-CERT, did the same, urging everyone to perform system upgrades.

Without ongoing product support, this is only a temporary fix. Medical practices using Windows XP, or other older computer systems, will become a growing target for identity theft and HIPAA violations, along with the severe consequences that come with them.

Consequences of Non-compliance

Practitioners who fail to comply with HIPAA regulations can be issued both civil and criminal penalties as noted below.

CIVIL PENALTY STRUCTURE

Tier 1: Covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation.
    Per violation*: $100-$50,000

Tier 2: The HIPAA violation had a reasonable cause and was not due to willful neglect.
    Per violation*: $1,000-$50,000

Tier 3: The HIPAA violation was due to willful neglect but was corrected within the required time period.
    Per violation*: $10,000-$50,000

Tier 4: The HIPAA violation was due to willful neglect and was not corrected.
    Per violation*: $50,000 or more

*Up to $1.5M in fines may also be issued for identical violations in the same calendar year.

CRIMINAL PENALTY STRUCTURE

If the civil fines aren’t enough of a deterrent, the possibility of jail time should be.

Tier 1: Unknowingly or with reasonable cause
    Jail sentence: Up to 1 year

Tier 2: Under false pretenses
    Jail sentence: Up to 5 years

Tier 3: For personal gain or malicious reasons
    Jail sentence: Up to 10 years


Recent Violations

The Office for Civil Rights (OCR) has been cracking down on security breaches recently, and issuing substantial fines too. Two examples are listed here. Had these physicians and healthcare leaders been diligent in their compliance efforts, the violations could have been prevented.

Adult & Pediatric Dermatology, P.C. (APDerm) was fined $150,000 when a flash drive containing patient information was stolen. In addition, they must also execute a corrective action plan to prevent similar issues in the future.

Concentra Health Services and QCA Health Plan came under fire when unencrypted laptops containing the PHI of hundreds of patients were stolen. As an example of the severity of the offenses, OCR swiftly fined the two companies a total of $2 million.

Upgrade to be Safe


Although these cases involve the theft of physical devices, it’s not far-fetched to see how a computer with limited security features could lead to the same outcome: compromised PHI.

Depending on the size of your practice, installing new software can be costly. But given the number of physicians replacing their EHRs, upgrading the operating system at the same time makes sense. It adds yet another layer of HIPAA protection for patients and practitioners alike.

How has your medical practice addressed this major security issue? Please comment below and let us know!


3 thoughts on “Windows XP: Hidden HIPAA Violation for Medical Practices”

  1. g-suite customer support

    Some physicians are using outdated versions of the OS, like Windows XP, on their computers for their medical practices as well as for official uses. So it is violating HIPAA while they are doing the medical practices on that, so physicians should be concerned about this.

    1. Reply:

      We definitely agree that medical practices should be implementing safeguards to be sure that they aren’t at risk of violating HIPAA. It may be costly, but it is definitely critical!
