Microsoft Corp. is moving swiftly to address health care organizations' concerns that the terms they must agree to upon installing two service packs might impede their ability to comply with federal privacy laws.
IT administrators who must comply with the Health Insurance Portability and Accountability Act (HIPAA) are concerned that the end-user licensing agreement [EULA] -- which they must sign upon installing Service Pack 1 for Windows XP and Service Pack 3 for Windows 2000 Professional -- would give Microsoft the legal right to access data on an individual PC.
Also, IT managers are concerned that the Microsoft SP3 has new licensing language that gives Microsoft the right to revise the customer's operating system silently. The concern is that a Microsoft patch making an adjustment in the operating system might inadvertently break multimedia software or revoke access to patient data, thus creating a risk to a provider treating a patient.
"It's not just direct access to patient data that is a concern, but a change in the OS that might have unintended consequences for a provider treating patients," said Robert Lower, a HIPAA specialist and partner at New York-based law firm Alston & Bird.
One Microsoft product manager said that his company is aware that there is some confusion about the impact of the provisions on customer compliance, but he wants to make it clear that the EULA does not give Microsoft access to customer personal data.
Jim Cullinan, lead product manager for Windows said: "There is nothing in the Microsoft EULA in either service pack that results in the customer being out of compliance with HIPAA."
Companies bound to HIPAA are worried because they must observe strict guidelines that give them complete control over the integrity of each machine, Lower said.
But IT administrators said that they rarely study the legal language when they click "I agree" in the course of installing their service packs.
"I always click right by it," said one IT administrator at a large Wisconsin health care provider. The administrator, who did not want to be identified, said that she never considers not installing the patch.
"We would be in more trouble if we were left vulnerable," she said. "You have to fix now what you have to fix."
Lower said that there are several deadlines looming for companies in the health care industry. On Oct. 15, all companies must follow guidelines on how they process health care claims electronically. Many companies are expected to apply for a one-year extension to achieve compliance, he said.
On April 14, all companies must comply with regulations on the disclosure of user health care information. There is a third set of regulations that govern physical security, controls on access and databases. The final dates for compliance have not been set yet, Lower said.
"Although the security regulations are not final, privacy regulations require you to take reasonable and appropriate measures to protect integrity," Lower said. "But if you are allowing an outside party to make changes, this could put you in violation of HIPAA."
Cullinan said that features in Windows 2000 SP3 AutoUpdate help a customer keep the software current, but no personal data is accessed, viewed, captured or stored through this process.
Cullinan explained that the AutoUpdate feature takes a snapshot of the user's PC in order to provide the correct patches and to prevent the user from downloading duplicate patches.
AutoUpdate provides silent updates, which are background events conducted by the general operating system. One typical event is the feature that updates the clock regardless of which time zone the end user happens to be in, Cullinan said.
If customers are concerned about the AutoUpdates creating a situation in which patient care is potentially compromised, the customer can simply shut off the AutoUpdate feature, or not enable it in the first place, Cullinan said. The feature is turned off by default.
He emphasized that the terms of the EULA do not give Microsoft access to personal data. Microsoft will be providing information about its waiver on its Web site and educating its sales force and partners so there will be no further confusion.
"We want to make sure that everyone applies their service packs," he said.
Microsoft already posts a white paper on its Web site that instructs customers on how to turn off silent downloads.
But he added that Microsoft recognizes that, in this era, when privacy and security are on everyone's mind, customers want to be sure they're in control of their own data.