Microsoft’s Windows XP operating system will officially reach the end of its lifecycle support on April 8th, 2014, which may have unintended HIPAA compliance consequences.

Why does this matter?
If you are one of the many who are still using Windows XP, please know that your system is not going to shut off or stop functioning. However, using software that is no longer supported can create vulnerabilities that put the sensitive electronic protected health information (ePHI) contained in those systems at risk. HIPAA penalties can reach upwards of $1,500,000 per violation per year for noncompliance, based on the level of negligence involved.

What does this mean for me?
If you are not using Windows XP, then you are not affected by the end of this support lifecycle. If you are, then you should know that Microsoft will no longer be providing support for the product after April 8th, which includes security updates and patches. The HIPAA Security Rule requires covered entities and business associates to protect their ePHI from malicious software (164.308(a)(5)(ii)(B)). Computers running unsupported software that no longer receives security updates could be in violation of the rule.

How do I know if I’m using Windows XP?
Microsoft has created a website that can help you determine whether or not you are using Windows XP. Please click here.

I am using Windows XP, now what?
To mitigate this risk, you will need to migrate from Windows XP to a supported operating system. This process should involve an evaluation of your current computer systems to see whether your existing hardware can support a simple upgrade to a new operating system or whether you will need new hardware as well. Additionally, you should evaluate how making the change will affect ancillary systems (e.g., EHR, practice management), as the change in operating systems may affect their ability to perform the functions you need. Please note that this process of switching systems can be very time consuming and expensive.

I am not sure how to go about making these changes. Who should I talk to for help?
For assistance with making changes to your systems, contact your preferred information technology vendor.

For issues with HIPAA compliance, Kentucky REC is here to help. We can perform a HIPAA Security Risk Analysis for your organization to help identify security vulnerabilities and risks in accordance with HIPAA’s Security Rule specifications (164.308(a)(1)(ii)).

For assistance, please contact Kentucky REC at 859-323-3090 or email

For more information about Windows XP you can visit Microsoft’s website here.