Working with an outdated OS could cost you more than just an upgrade.
Isn’t technology always — or virtually always — ahead of the law? Frequently, yes. Courts and administrative agencies regularly decide cases in which a technological solution presents a unique legal issue.
For example, we’ve written in a prior column that an ACR member’s social media presence might unintentionally create a physician-patient relationship and lead to a legal claim. (Read the column at http://bit.ly/RADLAWsocial)
Recently, our office received this intriguing question: Does a radiology practice that does not upgrade from Windows XP to a modern version of Windows have liability under the Health Insurance Portability and Accountability Act (HIPAA)? Microsoft's support for XP ends April 8, 2014, after which it will issue no further security updates for the operating system.1 At press time, several radiology PACS systems continue to run XP. In this column, we examine the legal consequences of this and other technology that falls behind the curve.
Suppose a radiology practice runs unsupported software such as XP. Federal officials have not specifically mandated that practices discard XP for the most current version of Windows. Yet the U.S. Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, has addressed system support in its Security Rule Standard FAQs:
Q: Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?
A: No. The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security. Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity's risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer) [emphasis added].2
The government thus focuses on whether a radiology practice's operating system sufficiently protects e-PHI, and it expects the practice's risk analysis to account for vulnerabilities that can no longer be patched. ACR members and their practices must collaborate with IT professionals to reach viable solutions to safeguard patient data. This matters particularly when members interpret studies that they receive at another location, e.g., home or another office. If the practice still relies on XP and has not moved to a supported version of Windows, newly discovered vulnerabilities will have no vendor patch, and the practice will likely spend valuable time and money on workarounds that may not close the gap.
HIPAA authorities could receive a complaint that a particular IT platform clings to older generation technology. One of your referring physicians, a practice manager, or a patient may well raise concerns about your system’s integrity. Unless your practice demonstrates that it handles e-PHI properly, today’s internal security problem may turn into tomorrow’s federal investigation.
A national health benefit company learned that painful lesson when it had to settle HIPAA charges with HHS. In July 2013, Wellpoint, Inc. agreed to pay HHS a $1.7 million penalty; the company also paid $100,000 to the state of Indiana over the same incident.3 Why? Wellpoint disclosed to HHS that it had suffered a major security breach that exposed e-PHI for more than 612,000 of its health benefit clients. The breach apparently happened during a system application upgrade. Wellpoint's vendor overseeing the upgrade failed to incorporate the needed administrative and technical security safeguards, and the access controls were not re-evaluated after the change. A Wellpoint client inadvertently discovered other users' e-PHI through a company-provided website that should only have been used to track that user's own applications. Wellpoint did not admit liability for any HIPAA violation but acknowledged that a security breach had occurred. The lesson for an XP migration is that the upgrade itself is a change that must be followed by a technical evaluation of the resulting system. Other health entities lacking adequate network security also paid major fines to HHS in 2013.4
Additionally, ACR members who do not upgrade their IT systems correctly and in a timely fashion risk a claim for medical negligence. For instance, a radiology practice’s older operating system might have gaps that prevent imaging study reports from going to clinicians or patients on time — or at all. We can envision a case in which a radiologist is accused of not meeting the standard of care because he or she sent reports via a PACS that lacked current software or security measures.
Many IT professionals conclude that it is not "reasonable" (in HIPAA terms) to keep using an operating system that handles PHI after its manufacturer no longer supports it. Where a PACS vendor has not yet certified a newer operating system, the practice should at minimum document in its risk analysis which systems still run XP, the controls that isolate them from the rest of the network and the Internet, and the timeline for replacing them. Similarly, the law has begun to respond to health care IT deficiencies. What to do? Work with your IT team. Protect patient data, and your practice's reputation.
By Bill Shields, JD, LLM, CAE, and Tom Hoffman, JD, CAE
1. Greene T. “Windows XP Can Put SOX, HIPAA, Credit Card Security-Compliance at Risk.” Network World. March 17, 2014. http://bit.ly/RADLAW2014. Accessed March 25, 2014.
2. U.S. Department of Health and Human Services. “Frequently Asked Questions.” http://bit.ly/HHSFAQ. Accessed March 24, 2014.
3. “Wellpoint Website Vulnerability Leads to $1.7M Fine.” Health Security Solutions. July 19, 2013. http://bit.ly/WellpointFine. Accessed March 25, 2014.
4. Rosati K, Carlson K, Keeney K. “Top 10 Health Law Issues 2014: No. 4 – Data Breaches and Security.” AHLA Connections. February 2014:17.