Is Win2k + SP3 HIPAA Compliant?

Chris asks: "Our company deals with medical records in a peripheral sort of way (as they pertain to student loans), and due to new laws we are required to be HIPAA compliant by April. After reading the discussion on here about the new EULA for Win2k SP3, I had a disturbing thought. As far as I can tell, if you use Windows 2000 then you're going to be out of compliance whatever you do. If you install the patch, then theoretically Microsoft could access those medical records (possibly by accident) without 'due cause or need' in the process of updating your machine. If you don't patch your system then you'll fail the security requirements of the law." If Win2k with SP3 is not HIPAA compliant (and I stress the if because no one has made a statement either way, yet) what can non-compliant Medical IT departments do?

Re:What a waste of time

[Kristoffor]

Well I cannot speak for the author of the question but I can tell you that *I* was very intreaged when I saw this question. As an IT professional in a healthcare related field I am bombarded by questions re: HIPAA compliance. The HIPAA regs are in such disarry and so unclear that many people in the industry are anxiously waiting for the moment the regs are cleared up and complete so we can "sprint towards compliance".

Re:What a waste of time

[NumberSyx]

Furthermore, disable auto-updating and do it manually and the problem is solved, moot, and done.

This is not a technical issue, disabling Auto-Update is trivial. This is a legal issue, the real problem is by agreeing to the EULA they are giving a third party, who has no due cause, access to thier system. Whether or not Microsoft ever actually accesses thier system is not the point, the point is they have given consent and Microsoft could in theory demand access at anytime, say for example to check for unlicensed copies of software. I suggest you get a lawyer who can sort this out for you, it is also possible, however unlikely, a good lawyer could negotiate a different EULA with Microsoft.

Watch out for the 'disable' option

[RobertNotBob]

I work in the healthcare industry and have been following this fairly closely. One alarming thing that I have seen in various discussions is the idea that simply disabling the feature has any affect on the situation.

It does not.

The root of the problem is the agreement that M$ CAN download software on your computer without prior notification. If you agree to that, it really makes no difference if you check a box that tells you machine not to do it. At any time, either pre-programed or by an addition that you make, M$ can uncheck that box without letting you know. Think about it, if you sign a document that states I have the privilage to do something (whatever it is) and then you (outside of that document) simply tell me not to do it, am I legally bound not to do it? It is possible that not even using SUS (software update server) will mitigate this.

Also don't feel secure about non-W2K products either. Most (and soon all, I suspect) products M$ releases contain that same provision. If you have updated MediaPlayer ( I believe it is one with the new verbiage) then you have already given consent for M$ to add software to your machine whenever they choose. NOT Maybe, NOT sometime soon, NOT only if you have W2K, but right now on the box you are currently using. And although I don't have it right infront of me now, I'm pretty sure that mediaplayer even specificly mentions that current features may be removed (playing MP3's) by the unannounced 'upgrades'.

Although we are still evaluating this with our legal staff, it looks very possible that we will be purging M$ products from the vast majority of our network.

oh, DARN ! ;)

And for the record, I am not a lawyer. Don't take this as legal advise. Heck, I could be dead wrong. Localities and Nationalities will obviously differ in their approaches.

Re:Problem is EULA not SP

I agree completely. It's the legal issues (not the "probable" or "possible" intrusion).

At our company, we have NDA agreements like you've never seen before. We host legal documents for Law firms that are engaged in battle.

No one. And I mean, NO ONE (other than the law firm), is allowed to see the documents that we host.

The EULA that Microsoft has attached is in absolutely direct violation of our agreements with our clients.

Ergo, we haven't installed SP3 and doubt that we will.

Re:Read the EULA.

[Zeinfeld]

FOR THE LOVE OF GOD, TALK TO LEGAL COUNSEL. WHY THE FSCK ARE YOU ASKING LEGAL QUESTIONS ON `ASK SLASHDOT', ANYWAY?! DO WE LOOK LIKE HARVARD LAW GRADS?!

Oh come on, we know why the question was put. It was a snarky little jibe whose only purpose was to claim that HIPPA prevented the use of Windows.

It is kind of like a 'proof' that 1 = 2. We are not meant to agree with the conculsion, we are meant to admire the devious application of logic.

It is quite obvious to anyone but a moron that MSFT is not going to enforce license agreements that prevent sale of their product for use regulated by HIPPA.

It should also be obvious that the EULA term was written very broadly by a lawyer who was attempting to minimize the probability of a lawsuit if someone complained about auto-update or the like.

And it should be completely obvious that Microsoft as a US corporation is obliged to comply with HIPPA. Microsoft is one of the few US companies that actually has a privacy policy and has agreed to be regulated under the EU privacy directive.

The other fact to consider is that the Clinton era HIPPA act has since gbeen gutted by the Bush administration who have issued 'guidance' that essentially negates the whole act. Under the Bush guidelines you lose the right to opt-out. Hospitals can refuse service if you don't waive all your rights to patient confidentiality which they can do in small print. So while the act may require hospitals to install firewalls etc. etc. none of it will make any difference because the hospitals can now sell all your confidential data to the people you least want to have hold of it.