Windows XP Users: HIPAA & Meaningful Use Compliance Is At Risk

June 2 2014 Mark Sanna

As a chiropractic assistant, you most likely are very involved with the technology decisions of your practice, including which practice management and patient records management software your practice uses. In most practices, CAs work with these systems more frequently than doctors. For this reason, it is important for you to note that Microsoft announced that support for Windows XP ended on April 8, 2014. This means that there will be no more security updates, patches, or technical support for the Windows XP operating system. Without these critical updates, your computer network may become vulnerable to harmful viruses, spyware, and other malicious software that can steal or damage your practice's data, including patients' electronic protected health information (e-PHI).

The discontinuation of this support by Microsoft could lead to violations of the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA). This rule requires your practice to safeguard e-PHI. In addition, HIPAA compliance is a mandatory requirement to achieve "meaningful use" (MU) with your electronic health record (EHR). Not migrating away from Windows XP after April 8 could place your practice at risk of being noncompliant with the MU criteria.

You wouldn't think that killing off an operating system that debuted in the first year of George W. Bush's administration would ruffle too many feathers. However, an amazing 29% of computers across the globe are still running Windows XP, which makes it the world's second most widely used operating system, just behind Windows 7. It is also important to note that antivirus software will not be able to fully protect your practice data once Windows XP is unsupported. Additionally, most PC hardware manufacturers will stop supporting Windows XP on existing and new hardware. This also means that the drivers required to run Windows XP on new hardware may not be available.
You Must Take Action

Migrating from one operating system to another can be an exhaustive process involving testing, deployment, and training. This means your practice should begin to develop a plan right away. If your practice will continue to use Windows XP beyond April 8, the Department of Health and Human Services (HHS) requires you to perform a risk analysis in order to remain HIPAA compliant. The HIPAA Security Rule requires your practice to protect against any reasonably anticipated threats or hazards to the security or integrity of e-PHI, and to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

Assessing risks is only the first step. You must use the results of your risk assessment to develop and implement appropriate policies and procedures. Your risk assessment must document that you know what could happen because of the vulnerabilities in your security and that you have formulated a detailed plan to minimize your risk. Your plan must also include a timeline for making the switch from Windows XP to a more modern operating system.

Many practices assume that their EHR vendor will provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with the HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted. The Office of Civil Rights (OCR), the agency responsible for enforcing the HIPAA Privacy and Security Rules, has issued "Guidance on Risk Analysis Requirements of the Security Rule." It can assist your practice in identifying and implementing the most effective and appropriate safeguards to secure e-PHI. You can download the document from the HHS website at www.hhs.gov.
Getting Help

Faced with the growing complexity required to maintain HIPAA compliance and the increasing threat to the security of your network, many practices are opting for a different approach to HIPAA security risk and change management by outsourcing this function to managed security service providers (MSSPs). An MSSP is an Internet service provider (ISP) that provides a practice with network security management, which may include virus blocking, spam blocking, intrusion detection, firewalls, and private network management. An MSSP can also handle system changes, modifications, and upgrades, which will be needed for migration from Windows XP. MSSPs offer your practice access to resources that you might not otherwise be able to afford to maintain on your own. While some practices feel competent to handle the multitude of security issues, many lack personnel with the skills necessary to implement a complete security strategy.

Risk management, including the migration away from an out-of-date operating system, is only one of the many components necessary for implementing a complete security strategy. Other critical steps include the development of security policies and processes and a comprehensive assessment of your technology and procedures, as well as the training of the members of your practice team. Your security strategy should also include procedures for privacy breach incident response and forensics.

Outsourcing Is a Viable Alternative

When combined with the increasing salary demands of security professionals and the overall lack of skilled specialists, outsourcing has become an attractive alternative for many practices. Hiring a full- or part-time security specialist to help you maintain HIPAA compliance usually is not the best financial move for a chiropractic practice because the cost (salary, hardware, and software) could run into the tens of thousands of dollars.
Outsourcing security monitoring to an MSSP allows you to implement enterprise-level security solutions for a nominal monthly fee. Over the past few years, some chiropractic practices have been reluctant to outsource security to an MSSP because it entails placing trust in an outsider and letting others see the inner workings of the practice. A reluctance to give up control in this critical area may have stalled the implementation of a process that is crucial for the protection of your practice and your livelihood. The damage to the reputation of your practice that can occur after a breach of patient privacy can be more costly than the fines themselves. The peace of mind that comes from ensuring HIPAA compliance through an outsourced MSSP definitely will be worth the investment.

Dr. Mark Sanna is a member of the Chiropractic Summit, the ACA Governor's Advisory Board and a board member of the Foundation for Chiropractic Progress. He is the president and CEO of Breakthrough Coaching (www.mybreakthrough.com, 1-800-723-8423).