

Is Win2k + SP3 HIPAA Compliant?

Chris asks: "Our company deals with medical records in a peripheral sort of way (as they pertain to student loans), and due to new laws we are required to be HIPAA compliant by April. After reading the discussion on here about the new EULA for Win2k SP3, I had a disturbing thought. As far as I can tell, if you use Windows 2000 then you're going to be out of compliance whatever you do. If you install the patch, then theoretically Microsoft could access those medical records (possibly by accident) without 'due cause or need' in the process of updating your machine. If you don't patch your system then you'll fail the security requirements of the law." If Win2k with SP3 is not HIPAA compliant (and I stress the if because no one has made a statement either way, yet) what can non-compliant Medical IT departments do?

9 of 401 comments

  1. HIPAA Compliance by mosch · · Score: 4, Insightful
    If you want an answer, you're going to need to hire a lawyer. Asking Slashdot will certainly give you a wide variety of unfounded opinions, and baseless conclusions, but it won't actually be useful. At all.

    Besides, would you really want to take legal advice from a group of people who are known to mistake duct tape and baling wire for building materials?

    1. Re:HIPAA Compliance by sphealey · · Score: 5, Insightful
      If you want an answer, you're going to need to hire a lawyer. Asking Slashdot will certainly give you a wide variety of unfounded opinions, and baseless conclusions, but it won't actually be useful. At all.
      In the long run, you are of course correct. This issue will need to be resolved by the hospital's CIO and Legal Dept.

      However, when seeking assistance from a lawyer (or any similar professional) it is best to have a basic understanding of what is going on, and what you need, before you set up a meeting. You will get a lot more accomplished that way.

      Similarly, lawyers aren't born knowing everything (even though they try to foster that impression!). If your hospital's legal dept. primarily handles malpractice and billing cases, and you bring an intellectual property / EULA problem to them, they are also going to have to do some research to get up to speed. Being able to provide background helps here too.

      sPh

    2. Re:HIPAA Compliance by crawling_chaos · · Score: 4, Insightful

      It doesn't matter if you get the right answer on Slashdot. HIPAA is a legal monster and you must get advice from competent legal counsel. To give a marginally related example, a lawyer might give you good medical advice, but you'd be a fool not to check with a doctor before you took the lawyer's advice. Again, find a lawyer who's a HIPAA expert. No other advice counts.

      --
      You can only drink 30 or 40 glasses of beer a day, no matter how rich you are.
      -- Colonel Adolphus Busch
  2. Problem is EULA not SP by sphealey · · Score: 5, Insightful
    Running a Windows OS connected to the Internet without a firewall would constitute a violation of the "due cause" clause, with or without SP3.

    Furthermore, disable auto-updating and do it manually and the problem is solved, moot, and done.

    Have to disagree with your police work a bit there.

    The problem is not the service pack or the auto-downloader, which can be disabled. The problem is with the EULA itself, where Microsoft reserves for itself the right to access your system at any time. Installing the service pack off-line still requires acceptance of the EULA.

    sPh

  3. Submit a request to HIPAA not /. by Kefaa · · Score: 5, Insightful

    HIPAA is like any other oversight group and only it can decide this is "okay" or a "violation". However, since logic cannot be guaranteed to rule, you cannot guess which. Have your company, preferably through your legal counsel, submit a binding request for clarification.

    Be certain your lawyer understands he should ask for an exemption until this is clarified. (This will prevent them from sitting on it for two years and then you getting in trouble later.)

    Later when HIPAA says it is okay to do "X" and you find MS (or anyone with such an EULA) has absorbed records, your company is in the clear. Do not presume you can later claim a technical solution that was "just as good as..."

    This is an issue for your lawyer(s) to resolve, not Slashdot.

  4. How will a firewall help... by volpe · · Score: 4, Insightful

    ... if your own operating system is tunnelling through http to make requests from Microsoft's server to download patches without your knowledge?
    (Unless, of course, you want to cut off MS's websites from your browsers as well.)

    Note that disabling auto-updating is a technical solution that assumes that MS won't ignore that setting for any updates that it considers to be "really critical", either to your security, or to MS's business needs.

  5. Re:What a waste of time by Zocalo · · Score: 4, Insightful
    Of course they can (and will) bundle the DRM-stuff with the next service packs anyway, so sooner or later they will get DRM into all Windows machines.

    Ah, but they are preventing users of pirated activation codes and Warez copies of XP from accessing the Windows Update site aren't they? Wouldn't that also preclude gaining access to the DRM "upgrade"?

    All of a sudden that Windows XP .ISO and keygen I spotted on P2P seems a lot more appealing... ;)

    --
    UNIX? They're not even circumcised! Savages!
  6. Perhaps a lawsuit would be appropriate by brokeninside · · Score: 5, Insightful
    For the past several days, I've been wondering if a lawsuit against Microsoft over the EULA for W2K Service Pack 3 might not be viable. If I were more motivated, I might even talk to a lawyer about it.

    It seems to me that unacceptable changes to the EULA for a service pack might void the implied warranty of usability of Windows 2000. By releasing the service pack, they are admitting that Windows 2000 has problems. If I cannot get access to fixes for those problems without agreeing to a contract substantially different from that which governed my license for Windows 2000, I think that I might have a good basis for a lawsuit to get a court order that Microsoft supply fixes to their software under the terms of the original EULA.

  7. A Technical Forum??? by fwr · · Score: 5, Insightful
    In the meantime, this is a technical forum...


    I'd say that you have a lot to learn about Slashdot. While most of the stories on here are technical in nature or have something to do with technology a large percentage of them have to do with the legal and political issues surrounding something technical.

    Think about all the stories on copy protection for CDs. Yes, it has to do with a technical issue, but the discussions are certainly not technical. I've seen no code posted, nor how to defeat the copy protection. 99% of the posts are opinions about whether it is right for the producers to restrict use of purchased CDs in the way they want to, and the other 1% are First Post!

    Why don't you just come out and say it? You are a Microsoft apologist that wants to ignore the issue with their EULA by making fun of the issue and calling it a waste of time. You say it's an invalid clause, but you don't indicate that you are a lawyer (and even if you were I doubt you'd be offering official legal advice). So you want us to just ignore the issue and "agree" to the EULA?

    What happens if the EULA is allowed to stand and then Microsoft actually builds in more of this access that you granted them? What happens when it eventually gets installed on all Windows systems and then the crackers find out how to manipulate it and steal information off your computer? Then it wouldn't be Microsoft accessing the sensitive information, as I doubt they actually would do something like that, but because of the EULA they provide additional access methods for others.

    There are plenty of valid discussion items surrounding this issue. Ignoring them is not going to make them go away, and they definitely fall right smack into the favorite topic on Slashdot -- Microsoft bashing.