Slashdot Mirror

← Back to Stories (view on slashdot.org)

Is Win2k + SP3 HIPAA Compliant?

Posted by Cliff on from the EULAs-vs-government-regulations dept.

Chris asks: "Our company deals with medical records in a peripheral sort of way (as they pertain to student loans), and due to new laws we are required to be HIPAA compliant by April. After reading the discussion on here about the new EULA for Win2k SP3, I had a disturbing thought. As far as I can tell, if you use Windows 2000 then you're going to be out of compliance whatever you do. If you install the patch, then theoretically Microsoft could access those medical records (possibly by accident) without 'due cause or need' in the process of updating your machine. If you don't patch your system then you'll fail the security requirements of the law." If Win2k with SP3 is not HIPAA compliant (and I stress the if because no one has made a statement either way, yet) what can non-compliant Medical IT departments do?

7 of 401 comments (clear)

  1. "How to defang Win2k SP3's auto updating" by C0vardeAn0nim0 · · Score: 4, Informative

    is the head title of this arcticle in The Reg.

    basicaly it teaches how to deactivate this backdoor M$ is installing in every win2k box.

    now, the original submiter could really consider an alternative.

    if U don't like free (as in freedom) open source tools, why not a Solaris box with Oracle to keep the data ? Or an AIX with DB2 ? or PostgreSQL ?

    does you REALLY need win2k ????

    --
    What ? Me, worry ?
  2. Here's a couple of Linux Medical Sites by motardo · · Score: 5, Informative
    http://www.openhealth.org/


    http://www.euspirit.org/

  3. Check Out MSHUG.ORG or HL7 by puto · · Score: 5, Informative

    The Microsoft Healthcare Users Group. This is a group of vendors that sit togehter on a board that define all standards for healthcare products that run on MS software. To be a member of this group or state that your software is compliant they certify you.

    They strictly adhere to all governmental regulations for healthcare records including EDI and storing of sensitive medical records.

    The medical industry is a huge economic buyer in the hardware and software industry and MS based vendors have always been in strict compliance with government standards.

    1. Check to see if your software is HL7(health care 7) HL7 is a protocol for formatting, transmitting and receiving data in a healthcare environment.

    2. Ask your vendor how they store the medical rcords, is it hl7 compliant. I think you guys have a homegrown product? IF your product is home grown it does'nt apply to the governmental standard for handling medical data, the EULA is the least of your worries.

    3. IF the product is home grown. Cover your ass.

    MSHUG is microsoft centric but a good start for you.

    I did medical software for ten years and dealt with all these issues long ago. Your vendor should be able to point you in the right direction. BUT IF YOUR SOFTWARE CAME FROM A VAR, DONT ASK HIM, CALL THE ACTUAL HOME COMPANY! The developers will give you more of a straight answer than the var.

    PUTO

    --
    The Revolution Will Not Be Televised
  4. Re:MS Windows EULA not HIPAA compliant by JWW · · Score: 4, Informative

    The government can audit you and find you out of complience basically at their whim.

    It doesn't matter if Windows systems are a monopoly, and everyone has them. They will find everyone they audit to be out of complience. Auditors are looking for a score, they don't give a shit about your ability to do business.

    BTW: This EULA aslo is not FDA part 11 compliant either. Locked down systems would need to be revalidated after any and all autoupdates.

  5. Get More Than Just a Lawyer by Phoukka · · Score: 5, Informative

    If your company is of any size whatsoever, you'll need more than just a lawyer who specializes in HIPAA compliance issues. You'll need to acquire the services of a HIPAA compliance and remediation consulting group. Our hospital is using Ernst & Young.

    It sounds like you have multiple areas to look at -- your data storage, your data transmission (you aren't just creating those medical records from thin air, are you?), your partner companies, and how you handle the Patient Identifying Health Information on the desktop. Not to mention that your company should have been preparing for this for QUITE some time now.

    First, you'll need to make sure that your data storage, transmission and handling (includes handing paper copies around), and desktop security are all compliant. Next you'll find that you are also responsible for making sure that any business partner companies are compliant. This task basically means getting your partner companies to sign "HIPAA Business Partner Agreement" contracts that means the partner company states that they are contractually obligated to handle any patient data of yours in a means that is also HIPAA compliant.

    Finally, and most important of all, you'll need to be able to document all of the above, in a form that the government inspectors can easily use to check your compliance. Yay.

    Get yer HIPAA-lovin' lawyers on the stick as fast as you can, and file for any extensions that may apply. You will need a complete inventory of any and all computing infrastructure (servers, workstations, network, and software) that touches identifying patient medical data. You will need to have this inventory so your CIO, lawyers, computer security experts and your HIPAA remediation consultants can check the compliance of everything on the list. Anything failing compliance, you'll need to fix or replace.

    One last thing: you are also responsible for making sure that the source of your medical data is asking permission to use that medical data, and is asking that permission in a way that is compliant.

    I hope this provides you with a decent starting point. Good luck, you have a hard task ahead of you.

  6. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  7. Attorney's Take by quoz13 · · Score: 4, Informative
    I'm an attorney who works with HIPAA. Here are some general observations about the EULA.

    Reasonable Assurances... The writer who states that the covered entity need only take reasonable precautions. What is or is not reasonable depends on too many factors. I happen to think that if you disable the feature, that action seems pretty reasonable. I for one, am not worried about the EULA. I'm more worried about things like password protection, access to the file room and the like.

    Illegal Contracts... As someone else correctly states, contracts that are contrary to law cannot be enforced (at least the illegal provision).

    Covered entites... Chris, who wrote the original message may not need to worry about HIPAA. HIPAA covers mostly medical providers and insurance companies. It also covers self-insured companies and the like, but I don't think it covers loan applications. Of course, Chris could be a business associate of a covered entity.

    Business associates... A covered entity must obtain satisfactory assurances from its business associates (accountants, lawyers, billing companies) that the health information is protected. As someone correctly notes, that requires an agreement known as a business associate agreement/contract.

    As a side note, I've begun to draft an article about what HIPAA requires... the language in the law actually asks the covered entity to make sure that they have "satisfctory assurances" that the business associate safeguard personal health information ("PHI" although some call it "individually identifiable health information")