The short answer, it depends. The Health Insurance Portability and Accountability Act (HIPAA) is about more than just the tools you use, but how you use them. While some applications may never be HIPAA compliant, others that offer compliant features can still get you in trouble if your equipment is not physically secure, or if your employees are not trained to use the tools in a compliant way (i.e. walking away from a workstation without signing off or sharing passwords).
At a minimum, HIPAA compliance requires you use the Pro version of windows, as Home versions do not offer the functionality required for HIPAA compliance. Additionally, your operating system must be currently supported by the software vendor. Any version of Windows prior to Windows 7 is not compliant, and Windows 7 will not be compliant after the Windows 7 end-of-life date on January 14, 2020. This article focuses on Windows 10 because other versions have reached or will soon reach end-of-life.
While your business is only as compliant as your physical security, policies, procedures, and user behavior allows; you must be sure to use devices and applications that are compliant out of the box.
HIPAA and Windows 10 Pro vs. Windows 10 Home
In general, all businesses should avoid using home versions of software applications, but HIPAA makes this best practice mandatory for Covered Entities.
The following HIPAA rules require Windows 10 Pro functionality not available in Windows Home versions.
Domain Audit Control
Every employee in the practice needs their own domain log-in for audit control. This allows for the necessary reports and logs to be pulled for the regular security audits required under HIPAA.
(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Feature Availability: ✔-Windows 10 Pro X-Windows 10 Home
Group Policy Management
Group policy management is used to ensure that all workstations are following the same password policies, screen locks, and sign in protocols. Keep in mind that the functionality alone is not enough for compliance. HIPAA requires documentation and implementation of administrative policies and procedures around passwords, screen locks, and sign-in. Group policy management is simply the device functionality required to adequately implement acceptable policies and procedures. You are still not HIPAA compliant if you do not have documented policies and procedures for these functions, or if your employees are not properly trained to follow them. Group policy is the mechanism within Windows 10 Pro that allows you to document, a requirement of HIPAA, that access control policies and procedures are being appropriately followed in your practice.
(A) Authorization and/or supervision. Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
(4)(i) Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
(D) Password management. Procedures for creating, changing, and safeguarding passwords.
Feature Availability: ✔-Windows 10 Pro X-Windows 10 Home
Remote Desktop
Remote Desktop is necessary for anyone to work outside of the office. In order for employees to work remotely, remote desktop must be created for each employee and given a secure VPN to access their domain.
(B) Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process or other mechanism.
(C) Access establishment and modification (Addressable). Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
Feature Availability: ✔-Windows 10 Pro X-Windows 10 Home
Device Guard
Device guard prevents employees from downloading or accessing unauthorized applications while preventing outside attacks. It is a set of features that includes hardware and operating system technologies that allow the practice to "lock down" Windows systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps, while simultaneously hardening the operating system against attacks. If you are interested in learning more about the technology behind device guard, this excellent article does a great job explaining the technical details of the features. The important part of device guard for HIPAA compliance is that this access control protects the workstation when in use both inside and outside of the practice network.(a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).
Feature Availability: ✔-Windows 10 Pro X-Windows 10 Home
BitLocker & Device Encryption
BitLocker offers the encryption functionality required to keep Patient Health Information (PHII) secure. Essentially, it converts data into a format that prevents unauthorized users from accessing PHI.
(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.
Feature Availability: ✔-Windows 10 Pro X-Windows 10 Home
Other Pillars of Compliance
While compliant devices and applications are necessary, your overall compliance and exposure to risk also depends on physical safeguards and user behavior.
The HIPAA compliant features and functions offered through Windows 10 Pro are only as secure as user behavior.
At a minimum, your practice must conduct an annual risk analysis including a review of all policies and procedures, as well as physical and network security audits. Your analysis is a working document used to identify and mitigate potential risks through the adoption of appropriate digital and physical equipment, administrative policies and procedures, and employee training.
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
For more information on overall HIPAA compliance and potential risks, download our free fact sheet.
