Doctors using Windows 10 Are Likely Violating Federal Privacy Laws.


Bank Vault Accompanied by much fanfare, Microsoft's Windows 10 was released recently, attracting attention for several reasons. In addition to hopefully improving the mess that is the Windows 8 user interface, Windows 10 was breaking the Microsoft mold in two important ways: First, it is free, and second, no disks are required for installation. You can download Windows 10 from the internet and install it directly.

While this makes Windows 10 a tempting upgrade, since its debut, analysts have discovered a number of intentional privacy flaws in the operating system, permissions which give Microsoft access to all of the data on your computer.

And if you are a medical or chiropractic doctor, psychologist, nurse practitioner or acupuncturist in private practice, these permissions are likely in violation of federal laws protecting private medical information.

HIPAA: Protecting your medical information

This federal law is known as HIPAA, or the Health Information Portability and Accountability Act. Passed into law in 1996 and enacted in 2003, HIPAA strictly regulates who has access to a patient's medical data, or Protected Health Information (PHI). PHI includes any part of a patient's medical record or payment history that includes any identifying information, such as name, phone, email address, beneficiaries, account numbers, or any other piece of data, no matter how small, that could be used to identify the patient. Even a zip code associated with medical data makes it PHI which is regulated by HIPAA.

A doctor may disclose PHI without consent of the patient only to facilitate treatment, payment, or health care operations. Any other disclosures of PHI require a doctor's office to obtain authorization. If PHI is released for any other reason, a doctor must first inform the patient of the reason for the release, and obtain their written consent. All releases of PHI must also be documented so that they may be reviewed by the office's Privacy Officer, usually a staff member, and by privacy auditors if there is a complaint.

The only time a doctor may release information without the patient's permission is if the doctor is presented with a warrant from the courts.

Insurance companies are also bound by HIPAA privacy regulations, and though insurers are pretty lax about their implementation of the law (ask any woman who has started receiving coupons for Pampers in the mail two weeks after testing positive for pregnancy in their doctor's office), most doctors follow the law pretty rigorously. The punishment for leaking patient data can be swift and severe, and after the government is finished, the patient whose data was leaked can certainly take a swing at the doctor in civil court. All in all, it's easier to follow the law than not.

These days, with most medical records electronically stored on servers "in the cloud," the software used by doctors uses multiple means of protecting that data, from encryption to password protection. Any data stored on the doctor's office computers, such as emails, lab reports, and billing and other payment information, has in the past not been at risk because it is kept behind the closed walls of a password-protected computer.

Along Came Windows 10

At least until Windows 10 came along. Windows 10 violates every privacy principle on which doctors rely to protect their patients' data.

Let's look at the Windows 10's new license agreement, which contains this nugget in its privacy policy. Microsoft says:

"We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary."

This license gives Microsoft permission to Hoover up every particle of data on a doctor's hard drive. This will include any confidential patient-doctor emails that are stored there, any reports, any bills, and any short notes to staff through intra-network messaging (for example: "Spoke to Tom Mypatient today re gender dysphoria and desire to transition to female. Pls follow up with referral.")

Microsoft, unlike a health care provider, is not restricted by any privacy policies, and it can use this information as it wishes, including aggregating it with other data it has about you, and selling it to anyone.

And all of a sudden, your history of STDs, depression, drug addiction or cancer is public knowledge and being sold to anyone who wants it.

It gets worse. Another part of the new Microsoft license says "key components of Windows are cloud-based.… In order to provide this computing experience, we collect data about you, your device, and the way you use Windows."

This means that Microsoft can now track the doctor's use of any application on his computer, basically eliminating the privacy firewalls put into place by the developers of electronic medical records software. Even if the data is encrypted and stored remotely, once it is sent to the doctor's computer and unencrypted for display, it becomes fair game for Microsoft's data collection software.

Simply put: It's a privacy nightmare for everyone

If you are a doctor, you should find this breach of privacy -- and the liability which it creates -- horrifying.

And if you are a patient, you should find this nothing less than terrifying. Every single private particle of data about you, from the level of your Zoloft dosage to the color of your last urine sample, is about to become publicly available.

There are ways to turn off much of this data mining capability, but the process is not self-evident, and few doctors' have either the know-how or even desire to shut it down, despite the clear risk it prevents. Only those doctors in large corporate practices using enterprise deployment will possibly be the exception., and then only if their IT departments are themselves aware. In fact, I would bet that fewer than 10 out of 100 doctors are even aware of the risk migrating to Windows 10 creates. And even then, there are massive gaps which will Microsoft access to privately-stored data.

As a patient, your options are minimal. About the only thing you can do is to ask your doctors' if they are using Windows 10, and then send them a letter expressly forbidding them from releasing any of your PHI to Microsoft. At least then, a few more doctors will take notice.

And if you're my patient?

Not to worry. My practice has been using the most secure operating system in the world (Linux), for eight years, and I have taken significant measures to ensure your data is secure. Of course, a determined hacker can break in to the best-defended systems, and that includes mine; but my patients, at least, do not have to worry about me handing over the keys to their private lives in exchange for nothing more than the use of a simple operating system.