Is Your Medical Practice OS HIPAA Compliant?
If you’ve followed our blog lately, you may have noticed a post we released just a couple of weeks ago titled “ICD-10 Effects on Healthcare Operations and Information Technology”. We discussed the consequences of failing to conduct an IT readiness assessment and the importance of making sure your practice can smoothly transition from the old ICD-9 coding system to the new ICD-10 coding system. Your ICD-9 codes will need to be carefully inventoried, and your system software may require updating.
However, before inventorying your ICD-9 codes and updating your system software, keep in mind something that some medical practices have overlooked in the past: the new ICD-10 codes, and the electronic medical records and practice management systems that must handle them, may require you to upgrade your computers’ operating system (OS). For this post we will primarily reference Microsoft Windows, as it is almost certainly the most common OS in medical practices.
Operating in the Past
Is your medical practice operating in the past? You may be surprised to discover that your computers are running an OS that is more than a decade old. Some practice management consultants have been alarmed to find clients still running Windows XP. To put this in perspective, Windows XP was first released on October 25, 2001. It is old enough to have spanned FOUR presidential terms and predates the iPhone. Given the pace of technological change, that doesn’t just make XP old; it makes it downright ancient.
So what’s the HIPAA Problem?
When we say that running an old OS can be a HIPAA violation, we mean that it can be, not that it automatically is. The problem with old operating systems, beyond the fact that they may not be able to run contemporary software, is security. Microsoft ended support for Windows XP on April 8, 2014. When an OS vendor ends support, updates, patches, and security fixes stop too: every vulnerability discovered after that date stays open on every machine still running that OS, with no fix ever coming. This leaves the OS exposed to attackers, malware, viruses, and other malicious software.
Microsoft’s own end-of-support guidance, which applies directly to medical practices, states:
“Unsupported and unpatched environments are vulnerable to security risks. This may result in an officially recognized control failure by an internal or external audit body, leading to suspension of certifications, and/or public notification of the organization’s inability to maintain its systems and customer information.”
This means that those who continue to use an unsupported OS do so at their own risk, with no vendor to turn to for security fixes. As a health practitioner you are required by the HIPAA Security Rule to protect electronic protected health information (PHI); that includes conducting a risk analysis and managing the risks it identifies (45 CFR 164.308(a)(1)). A workstation running an OS that no longer receives security patches is a known, unmitigated risk, and a risk analysis that ignores it is incomplete. If you suffer a security breach and your patients’ health information is stolen, you may be investigated to determine your HIPAA Security Rule compliance. If the investigation finds that your OS had known, unpatched vulnerabilities, you may be found at fault and penalized for non-compliance.
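A practical first step is to find out what is actually running on your workstations. The PowerShell script below is an added example, not part of the original post or any Concordis tool: it queries each workstation’s OS version over WMI, compares it against Microsoft’s published end-of-support dates, and records when the last hotfix was installed, so you can see both whether the OS is still supported and whether patching is actually happening. The host names are placeholders, the end-of-support table is an assumption that must be kept current against Microsoft’s lifecycle pages, and it assumes you run it as a domain administrator from a machine that can reach the workstations over DCOM.

```powershell
# Added example: inventory OS versions across practice workstations and flag
# any that are past their end-of-support date. Not the original post's code.
# Assumes: run as a domain admin; hosts reachable over WMI/DCOM (port 135 + RPC).

# Placeholder host names: replace with the workstations in your own inventory.
$workstations = @('FRONTDESK-01', 'EXAM-02', 'BILLING-01')

# End-of-support dates keyed by Windows NT kernel version (major.minor).
# Assumed table from Microsoft's lifecycle pages; verify and keep it current.
# Windows 10/11 report 10.0 and are supported per release, so they are not listed
# here and get flagged for a manual lifecycle check instead.
$endOfSupport = @{
    '5.1' = [datetime]'2014-04-08'   # Windows XP (date from the post)
    '6.0' = [datetime]'2017-04-11'   # Windows Vista
    '6.1' = [datetime]'2020-01-14'   # Windows 7
    '6.2' = [datetime]'2016-01-12'   # Windows 8
    '6.3' = [datetime]'2023-01-10'   # Windows 8.1
}

$today  = Get-Date
$report = foreach ($host in $workstations) {
    try {
        # Get-WmiObject uses DCOM, which Windows XP supports; Get-CimInstance
        # defaults to WinRM, which XP does not have, so it would miss the very
        # machines this check is looking for.
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $host -ErrorAction Stop
    } catch {
        [pscustomobject]@{
            Host = $host; OS = '(unreachable)'; Version = ''; LastPatch = $null
            Status = 'CHECK MANUALLY: ' + $_.Exception.Message
        }
        continue
    }

    # Win32_OperatingSystem.Version looks like "5.1.2600"; keep "5.1".
    $kernel = ($os.Version -split '\.')[0..1] -join '.'
    $eol    = $endOfSupport[$kernel]

    $status = if ($null -eq $eol) {
                  'Verify release against Microsoft lifecycle page'
              } elseif ($eol -lt $today) {
                  "UNSUPPORTED since $($eol.ToString('yyyy-MM-dd'))"
              } else {
                  'Supported'
              }

    # A supported OS that has not been patched in months is a problem too:
    # record the most recent hotfix install date as evidence of patching.
    $lastPatch = Get-HotFix -ComputerName $host -ErrorAction SilentlyContinue |
                 Where-Object { $_.InstalledOn } |
                 Sort-Object InstalledOn -Descending |
                 Select-Object -First 1 -ExpandProperty InstalledOn

    [pscustomobject]@{
        Host      = $host
        OS        = $os.Caption
        Version   = $os.Version
        LastPatch = $lastPatch
        Status    = $status
    }
}

# Show the results and keep a CSV as a record for your risk analysis file.
$report | Format-Table -AutoSize
$report | Export-Csv -Path .\os-support-report.csv -NoTypeInformation
```

Any host reported as UNSUPPORTED, or as supported but with no hotfix installed in recent months, belongs in your risk analysis as an open finding with a remediation date; the CSV gives you the evidence an auditor will ask for.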
Protect your Patients and your Practice
If you think that your OS may be a security risk, take action today. Let Concordis Practice Management conduct an IT security assessment and recommend the best solution to protect your patients and your practice.