Windows, Apple, and Google are recording your moves on their operating systems. When you download an app, for instance, they track data points such as what you downloaded, what you paid, what you paid with, and where you were when you downloaded it.
Windows 10 tracks more user data than ever. This may impact HIPAA and HITECH compliance.
Microsoft has been opaque about what data the new operating system collects, and has made privacy somewhat elusive. For example, Windows 10 sends user data to Microsoft even when configured for maximum privacy.
That was exactly what prompted a user named HealthCareProfessional to ask on the Microsoft Question Forum whether Windows 10 was HIPAA and HITECH compliant.
“I have a healthcare business, and a violation of HIPAA and HITECH rules could bankrupt me. If I violate them knowing that I was committing a violation — as in installing software that openly and plainly states that it will snoop through my private files and emails — then I face not only fines but jail time. I have not been able to find anything on the net that says I will be able to turn off ALL of the intrusive snooping ability that has been built into Win 10, and what I’m seeing is warning that if things are turned off, I will lose a lot of the functionality of the new system. I’m stuck in a catch-22, though: by law I have to maintain my computer systems with the most up-to-date versions of my software, but I’m not about to install something that could send me to jail.”
1. Microsoft has not released instructions for configuring Windows 10 to meet HIPAA and HITECH compliance requirements.
In response, Microsoft moved the question from the question forum to the discussion forum.
2. HIPAA and HITECH compliance for other Windows products requires a BAA.
When I looked for information regarding Windows 10 and HIPAA and HITECH compliance, I found the Microsoft Azure HIPAA/HITECH Act Implementation Guidance and HIPAA/HITECH Act Implementation Guidance for Microsoft 365 and Microsoft Dynamics CRM Online.
These guides instruct businesses that want to store PHI (protected health information) in Microsoft Azure, Office 365, or Microsoft Dynamics CRM Online to sign a Business Associate Agreement (BAA). Office 365 users can get a BAA with the Business level subscriptions as well as with the Office 365 Enterprise subscriptions.
For Azure: “Microsoft currently offers the BAA only to its Enterprise Agreement (volume licensing) customers and only for the services listed in the Scope section below. Customers should contact their Microsoft account manager to sign the BAA.” The guides also instruct businesses on where and how to store PHI.
3. Microsoft refuses to take responsibility for compliance.
From the HIPAA/HITECH Act Implementation Guidance for Microsoft 365 and Microsoft Dynamics CRM Online:
“It is ultimately the customer’s responsibility to determine the level of security that is appropriate for its requirements.”
4. Microsoft products aren’t compliant by default.
“While customers can use Office 365 and CRM Online and remain compliant with HIPAA and the HITECH Act, using Office 365 and CRM Online does not on its own achieve HIPAA compliance.”
5. Only Windows 10 Enterprise allows you to turn off data collection.
Shops running the common consumer editions, Windows 10 Home and Windows 10 Pro, cannot customize data collection and reporting.
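A practitioner auditing a clinic's workstations will want to verify, rather than assume, what edition a machine runs and what diagnostic-data level is actually configured. The following PowerShell script is an added example and is not from the original post or from Microsoft; it assumes the standard Windows telemetry policy value AllowTelemetry under HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection (0 = Security, 1 = Basic, 2 = Enhanced, 3 = Full) and, following point 5 above, treats only editions whose EditionID begins with "Enterprise" as honoring level 0.

```powershell
# Added example (not from the original post or from Microsoft): report the
# Windows edition and the configured diagnostic-data (telemetry) level so an
# auditor can see whether collection is really switched off on this machine.
# Assumptions: the policy value AllowTelemetry (0 = Security, 1 = Basic,
# 2 = Enhanced, 3 = Full) under the DataCollection policy key, and that only
# Enterprise editions honor level 0 (point 5 of the post).

function Get-TelemetryPosture {
    # Edition as recorded by Windows setup, e.g. "Core", "Professional", "Enterprise".
    $editionId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name EditionID).EditionID

    # Group Policy / MDM writes the telemetry level here; absent means "not configured".
    $policyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    $policyLevel = $null
    if (Test-Path $policyPath) {
        $policyLevel = (Get-ItemProperty $policyPath -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
    }

    $levelNames   = @{ 0 = 'Security (off)'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }
    $isEnterprise = $editionId -like 'Enterprise*'

    $status = if ($null -eq $policyLevel) {
        'No telemetry policy configured: the edition default collection level applies'
    } elseif ($policyLevel -eq 0 -and -not $isEnterprise) {
        'AllowTelemetry=0 is set but this edition does not honor it; collection continues'
    } elseif ($policyLevel -eq 0) {
        'Telemetry set to Security (off)'
    } else {
        "Telemetry configured at level $policyLevel ($($levelNames[[int]$policyLevel]))"
    }

    [pscustomobject]@{
        EditionID     = $editionId
        PolicyLevel   = $policyLevel
        Status        = $status
        # True only when a policy exists and the edition will actually apply it.
        PolicyHonored = ($null -ne $policyLevel) -and ($policyLevel -ne 0 -or $isEnterprise)
    }
}

Get-TelemetryPosture | Format-List
```

Run it in an elevated PowerShell session on each workstation that touches PHI; a result of PolicyHonored = False on a Home or Pro machine is the condition the post warns about, and belongs in the risk assessment rather than being assumed away.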
Bottom line: Until Microsoft releases instructions for HIPAA and HITECH compliance, do not upgrade to Windows 10 if you deal with PHI.