Capterra Medical Software Blog


HIPAA Compliance and Windows 10: 5 Things You Need to Know


Microsoft, Apple, and Google all record what you do on their operating systems. When you download an app, for instance, they log what you downloaded, what you paid, how you paid, and where you were when you downloaded it.

HIPAA Compliance and Windows 10

Windows 10 tracks more user data than ever. This may impact HIPAA and HITECH compliance.

Microsoft has been opaque about what data the new operating system collects, which makes privacy hard to pin down. For example, Windows 10 still sends user data to Microsoft even when it is configured for maximum privacy.

That was exactly what prompted a user named HealthCareProfessional to ask on the Microsoft Question Forum whether Windows 10 was HIPAA and HITECH compliant.

“I have a healthcare business, and a violation of HIPAA and HITECH rules could bankrupt me.  If I violate them knowing that I was committing a violation — as in installing software that openly and plainly states that it will snoop through my private files and emails — then I face not only fines but jail time.  I have not been able to find anything on the net that says I will be able to turn off ALL of the intrusive snooping ability that has been built into Win 10, and what I’m seeing is warning that if things are turned off, I will lose a lot of the functionality of the new system.  I’m stuck in a catch-22, though: by law I have to maintain my computer systems with the most up-to-date versions of my software, but I’m not about to install something that could send me to jail.”

1. Microsoft has not released instructions for configuring Windows 10 to meet HIPAA and HITECH compliance requirements.

In response, Microsoft moved the question from the question forum to the discussion forum; it did not answer it.

2. HIPAA and HITECH compliance for other Windows products requires a BAA.

When I searched for guidance on Windows 10 and HIPAA/HITECH compliance, the only Microsoft documents I found were the Microsoft Azure HIPAA/HITECH Act Implementation Guidance and the HIPAA/HITECH Act Implementation Guidance for Microsoft 365 and Microsoft Dynamics CRM Online. Neither covers Windows 10.

These guides instruct businesses that want to store PHI (protected health information) in Microsoft Azure, Microsoft 365, or Microsoft Dynamics CRM Online to first sign a Business Associate Agreement (BAA). Office 365 users can get a BAA with the Business level subscriptions, as well as with the Enterprise O365 subscriptions.

For Azure: “Microsoft currently offers the BAA only to its Enterprise Agreement (volume licensing) customers and only for the services listed in the Scope section below. Customers should contact their Microsoft account manager to sign the BAA.” The guides also instruct businesses on where and how to store PHI.

3. Microsoft puts the responsibility for compliance on the customer.

From the HIPAA/HITECH Act Implementation Guidance for Microsoft 365 and Microsoft Dynamics CRM Online:

“It is ultimately the customer’s responsibility to determine the level of security that is appropriate for its requirements.”

4. Microsoft products aren’t compliant by default.

“While customers can use Office 365 and CRM Online and remain compliant with HIPAA and the HITECH Act, using Office 365 and CRM Online does not on its own achieve HIPAA compliance.”

5. Only Windows 10 Enterprise allows you to turn off data collection.

Shops running the consumer and small-business editions, Windows 10 Home and Windows 10 Pro, can lower the diagnostic data level but cannot turn it off: the lowest level, "Security", is honoured only on the Enterprise (and Education) editions. On Home and Pro a "Security" setting is silently treated as "Basic", so some data still leaves the machine regardless of how the setting is configured.
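The following PowerShell is an added example and is not part of the Capterra article or anything Microsoft publishes. It audits and sets the "Allow Telemetry" Group Policy setting (Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds), which is backed by the `AllowTelemetry` value under `HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection`, and it reports the level the operating system will actually honour for the installed edition. The function names `Get-DiagnosticDataPolicy` and `Set-DiagnosticDataPolicy` are my own; the edition behaviour (level 0 honoured only on Enterprise/Education, treated as Basic elsewhere) is as documented by Microsoft for Windows 10. Run it from an elevated session.

```powershell
# Added example, not from the original article: audit and set the Windows 10
# "Allow Telemetry" policy and show the level the edition will honour.
# Registry path and value meanings are those of the Group Policy setting
# "Allow Telemetry": 0 = Security, 1 = Basic, 2 = Enhanced, 3 = Full.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$ValueName = 'AllowTelemetry'
$Levels    = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }

# Editions on which level 0 (Security) is honoured; Home (Core) and Pro
# (Professional) treat 0 as Basic.
$SecurityCapableEditions = @('Enterprise', 'EnterpriseS', 'Education')

function Get-WindowsEditionId {
    # EditionID is e.g. Core, Professional, Enterprise, EnterpriseS, Education
    (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
}

function Get-DiagnosticDataPolicy {
    # Returns the configured policy level and the level that takes effect.
    $edition    = Get-WindowsEditionId
    $configured = $null
    if (Test-Path $PolicyKey) {
        $configured = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).$ValueName
    }

    $effective = $configured
    if ($configured -eq 0 -and $edition -notin $SecurityCapableEditions) {
        # Home/Pro do not honour Security; the OS falls back to Basic.
        $effective = 1
    }

    $describe = {
        param($level)
        if ($null -eq $level) { 'not set (edition default applies)' }
        else { "$level ($($Levels[[int]$level]))" }
    }

    [pscustomobject]@{
        Edition    = $edition
        Configured = & $describe $configured
        Effective  = & $describe $effective
        Honoured   = ($null -ne $configured) -and ($effective -eq $configured)
    }
}

function Set-DiagnosticDataPolicy {
    param([ValidateRange(0, 3)][int]$Level = 0)
    # Writing this key locally is the same as setting the policy in local
    # Group Policy. On a domain, deploy it through a domain GPO instead, so
    # users cannot change it and it is re-applied after feature updates.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -Value $Level `
        -PropertyType DWord -Force | Out-Null
}

# Usage: request the lowest level, then confirm what this edition will honour.
Set-DiagnosticDataPolicy -Level 0
Get-DiagnosticDataPolicy | Format-List
```

On an Enterprise machine the output shows `Honoured : True`; on Home or Pro it shows the configured `0 (Security)` alongside an effective `1 (Basic)` and `Honoured : False`, which is the gap point 5 describes. Note that this policy governs only the diagnostic data pipeline; it does not stop data sent by Cortana, search, OneDrive, or other connected features, which have their own settings.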

Bottom line: Until Microsoft releases instructions for HIPAA and HITECH compliance, do not upgrade to Windows 10 if you deal with PHI.



About the Author

Cathy Reisenwitz

Cathy Reisenwitz helps B2B software companies with their sales and marketing at Capterra. Her writing has appeared in The Week, Forbes, the Chicago Tribune, The Daily Beast, VICE Motherboard, Reason magazine, Talking Points Memo and other publications. She has been quoted by the New York Times Magazine and has been a columnist at Bitcoin Magazine. Her media appearances include Fox News and Al Jazeera America. If you're a B2B software company looking for more exposure, email Cathy at cathy@capterra.com. To read more of her thoughts, follow her on Twitter.

Comments

I appreciate that you’re discussing this – I have had difficulty getting any info from Microsoft about whether or not healthcare practices will need to use Win10 Enterprise rather than Pro to achieve compliance. Managing Enterprise and volume licensing ups the support and management game considerably when it comes to computers for a small practice. I am not a luddite, have enjoyed Windows 8.1 on my SP3, and liked much of what I initially read and saw about Windows 10 (I ran the insider version on an older laptop at home). Despite being an insider, I was surprised at how much data logging goes on in Windows 10 Pro, even with privacy settings in place. So like you, I concluded that I cannot use it in my practice until certain questions about security and compliance are answered.

I know someone with some 30 years in IT, who tells me flatly that MS’s focus is larger enterprises and consumers. Small businesses are not really its target demographic anymore.

A correction: Office 365 users can get a BAA with the Business level subscriptions, as well as with the Enterprise O365 subscriptions. The quote above is for Azure (a separate service). That being said, a partner told me that I would need the E3 subscription to get everything I needed to achieve compliance (for Office 365). And again, managing Enterprise O365 requires a significant amount of support and knowledge.

Thanks for that correction! Let me know if it still doesn’t read right.

Using a product like Spybot Anti-Beacon turns off more telemetry than the many manual settings allow. Windows 10 Pro set up like this appears to meet the spirit and letter of HIPAA. Microsoft would be liable for a severe class action lawsuit if they left thousands of offices exposed for breaking the law. What the boneheads at Microsoft need to do to increase adoption of Windows 10, something they drastically want, is to make a complete public statement about HIPAA compliance, and if necessary include a single click compliance button for Windows 10 Pro to assure everyone that patient data is safe. If they really have screwed up by having the default Windows 10 Pro settings send actual files and patient names (something that Microsoft denies), and don’t give a damn, then let the billion dollar lawsuits begin!

I have to advise all my physician/medical-related clients that Windows 10 Pro is not HIPAA-compliant, no matter what the settings are (which you cannot really defeat, the updates reset your settings), because BY CONTRACT, MSFT arrogates to itself the right to slurp all your private offline data in order to police a uniquely-imposed CODE OF CONDUCT.

This CODE applies not only to Win10, but pretty much any other ‘service’ (like Bing, Cortana, mail, Office 365, One Drive, Skype) MSFT now panders.

Issues are explained at length, along with the links to MSFT’s own original materials, here: http://brainout.net/frankforum/viewtopic.php?f=7&t=59

Additionally, I’ve been trying to publicly disclose the danger, replete with pastes of the offending provisions (principally, Paragraph 3 of aka.ms/msa which you’ll have to paste into your browser to read wholly), in ZDnet, latest admittedly-vitriolic posts here: http://www.zdnet.com/article/microsoft-updates-privacy-statement-addressing-concerns-from-critics/

The vitriol comes from having done this warning, to no avail, for four months. Instead, that last link shows a quite pathetic whitewashing of the whole issue. Since the writer is a paid spokesperson for MSFT, the issue is clearly being stubbornly ignored by them. They are trying to paint complaints as ‘conspiracy nutters’, ‘tinfoil hatters’ and bullying us as if we cannot read. So there, extensive pastings of the offending EULA provisions are provided. And, not refuted.

So you know where to reach me, if you want details. Anonymity protects my clients, but you can reach me, as provided above.

As a Medicare plans agent, I was horrified that Windows 10 resists HIPAA compliance. After upgrading. Another $150? Although Office 365 supposedly is HIPAA compliant, how can I be certain if it’s running on Windows 10?
I’m seriously considering going Linux, despite the additional learning curve. Sadly, Government mandates HIPAA compliance, then leaves Microsoft alone. Sounds like a dual revenue stream strategy rather than consumer protection.


First of all, having your system on a domain with firewall protection will do more for compliance than the OS itself. Basically, comparing the consumer Windows versus the Enterprise is night and day. The Enterprise version of Windows 10 with a secure network should be compliant. HIPAA is the organization that decides if Windows 10 is compliant, not MS.

HIPAA isn’t an organization, it’s a law…

I am not going to speak to the operating system issue specifically but at this point if you are using Windows 10 Enterprise you can turn off content going back to Microsoft, preferably by configuring with Group Policy so the users can’t change the settings.

However, the quotes you have pulled out of the Office 365 documentation were not in context and were left without comment. As my organization’s Security Compliance Officer, I have spent quite a bit of time during our implementation of Office 365 to discover all I could about the security and compliance of Office 365 Enterprise. What I found was that in themselves the services are HIPAA compliant, and generally more secure than hosting storage locally. What is implied by Microsoft is that they only provide a small part of being HIPAA compliant, which specifically impacts the user education component of HIPAA. If a user fails to use the encrypt function in email when sending PHI, the organization is failing HIPAA compliance, not Microsoft, because they provide a solution for encrypted email. The same is true for sharing documents on OneDrive when a user shares PHI with another person without a business need to access it. That doesn’t even touch the other aspects of HIPAA compliance which have nothing to do with Office 365, such as physical security, logging each user’s access credentials, etc. Each covered entity has to take responsibility for their compliance; Microsoft only supplies a specific set of tools for which they received HIPAA compliance certification (amongst others).

As for Gray Cloud’s comment, if you are using the Enterprise Solution it doesn’t matter if your users have an E1 or an E3 license, the product itself is HIPAA compliant. Your users can fail to be compliant, but that is not the fault of the product.
