Does the HIPAA Security Rule Require Use of Certain Operating System? HHS provides sample business associate agreements. Am I required to use the sample BAAs provided by HHS?
With the pending sunset for Windows XP support on April 8, 2014, many have started asking the question of whether the HIPAA Security Rule requires use of a certain operating system to be compliant.

The Department of Health and Human Services has addressed this issue in a FAQ answer:
Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?

No. The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security.  Additionally, any known security vulnerabilities of an operating system should be considered in the covered entityís risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).

The sunset means that Microsoft will no longer be providing new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates for Windows XP. But, the sunset dates are different for Windows Embedded Products that are based on the Windows XP OS. As Microsoft explained in a recent blog post:
Windows Embedded products have their own distinct support lifecycles, based on when the product was released and made generally available. It is important for enterprises to understand the support implications for these products in order to ensure that systems remain up to date and secure. The following Windows Embedded products are based on Windows XP:

  • Windows XP Professional for Embedded Systems. This product is identical to Windows XP, and Extended Support will end on April 8, 2014.
  • Windows XP Embedded Service Pack 3 (SP3). This is the original toolkit and componentized version of Windows XP. It was originally released in 2002, and Extended Support will end on Jan. 12, 2016.
  • Windows Embedded for Point of Service SP3. This product is for use in Point of Sale devices. Itís built from Windows XP Embedded. It was originally released in 2005, and Extended Support will end on April 12, 2016.
  • Windows Embedded Standard 2009. This product is an updated release of the toolkit and componentized version of Windows XP. It was originally released in 2008; and Extended Support will end on Jan. 8, 2019.
  • Windows Embedded POSReady 2009. This product for point-of-sale devices reflects the updates available in Windows Embedded Standard 2009. It was originally released in 2009, and Extended Support will end on April 9, 2019.

This FAQ post, and the information on this website, has been prepared for general information purposes only. The information on this website is not legal advice. Legal advice is dependent upon the specific circumstances of each situation and the jurisdiction of each state. The information contained here is not guaranteed to be up to date. Please consult legal counsel in your state to discuss your specific circumstances.