April 01, 2005

Microsoft, the Black Box and HIPAA

Going through an e-mail newsletter that I receive every day, I came across a story that Microsoft is going to be adding a "black box" to Windows. Like a flight data recorder, the black box will be an error-reporting tool that will capture information about an error, including what programs were running at the time of the error and even the contents of the documents that were being created. You can read more about the Microsoft black box technology at http://news.com.com/2100-1016_3-5684051.html.

If you are a health care provider or insurer, you routinely create documents that contain protected health information ("PHI"). Even if you are not a health care provider, but are an employer that sponsors a health plan, you may have individuals in your company who at any given moment are working with PHI. This black box technology could capture the PHI if the program being used crashes. The person using the program may then be asked whether to report the information to Microsoft. If the individual simply responds "yes," you will likely have an unauthorized disclosure of PHI in violation of HIPAA security and privacy rules.

Although this feature of Windows is not yet out on the market, the news story is a reminder that when doing a HIPAA security risk assessment of your computer systems, it is important to consider all of the software that you are currently running to make sure that you don't overlook features that collect and share information in the background. In most circumstances, the features can be configured to protect the privacy of the information--but you have to be proactive to make this happen. These risks also demonstrate the importance of training your work staff, so that if an employee is confronted with a question of whether to report the information to Microsoft or some other computer software vendor, he or she knows to say "no" or to at least ask some questions before saying "yes."

If you have any questions about HIPAA security or privacy issues, please call Norbert Kugele at 616.752.2186.
