Debunking the Myth: Is Windows 10 HIPAA Compliant?

We’ve collaborated with Microsoft on a new whitepaper and we want you to be one of the first to receive a copy.

Our whitepaper, HIPAA Compliance with Microsoft Windows 10 Enterprise, provides guidance on how to leverage Microsoft Windows 10 as a HIPAA-compliant, baseline operating system for functionality and security. Additionally, we address head on (and debunk) the myth that Microsoft Windows is not HIPAA compliant.

In light of the recent focus on HIPAA enforcement actions, hospitals, clinics, healthcare clearinghouses and business associates are trying to understand how to manage modern operating systems with cloud features to meet HIPAA regulatory mandates. Along with adhering to HIPAA, many healthcare organizations are under pressure to broadly embrace the benefits of cloud computing while managing the security implications.

Microsoft has invested heavily in security and privacy technologies to address and mitigate today’s threats. Windows 10 Enterprise has been designed to be the most user-friendly Windows yet and includes deep architectural advancements that have changed the game when navigating hacking and malware threats. For this reason, organizations in every industry, including the Pentagon and Department of Defense, have upgraded to Windows 10 Enterprise to improve their security posture. However, as with all software upgrades, the functionality, security and privacy implications must be understood and addressed.

The intersection between HIPAA compliance and mainstream applications can often be confusing to navigate. This industry-leading whitepaper addresses the questions and concerns that are currently top-of-mind for healthcare IT and legal professionals responsible for managing ePHI and maintaining HIPAA compliance.

Get your copy today and learn how Microsoft Windows 10 Enterprise enables its users to meet and/or exceed their HIPAA Security and Privacy requirements.


  1. There’s no such thing as a HIPAA-compliant system, OS, device, platform, fax machine, etc. The only thing that can become HIPAA compliant is an organization: a Covered Entity, a Business Associate or a declared Health Care Component of a Hybrid Entity.

    • Hi Bob, thanks for the feedback! You are correct, and we have to start with an image that doesn’t share data with the cloud. For example, appointments, voice-to-text (Cortana) or snippets of ePHI in the event of Telemetry submitting data as part of performance/error-reporting in a default install are big no-no’s. This whitepaper goes into detail on starting out with a configured base image that has zero exhaust to the cloud, so Administrative and Technical HIPAA safeguards aren’t circumvented by overlooking what impact a default installation of Windows 10 has on PHI privacy. Anyone upgrading to Windows 10 in a health care environment needs to apply ADM Templates per the whitepaper and continue ensuring data security and compliance with each app layered on top. After all, the Pentagon and DoD can’t make mistakes and use similar controls found in this whitepaper for their O/S installations.

  2. It is extremely unfortunate that you are misleadingly calling out concerns for Windows 10 endangering HIPAA compliance. By your own article, only Enterprise Windows 10 users can utilize the system in a compliant manner. This leaves out an enormous number of covered entities in the real world, and disguises that a computer purchased individually cannot legally be used in a compliant environment. They wouldn’t be able to apply your ADM Templates. I’d like to note that many (if not most) AD administrators are not keen to adopt stringent practices like you determine (despite how necessary), and are likely to take shortcuts, endangering institutional compliance. I really wish this was not the case, but I have to deal with it directly.

    Additionally, implying that DOD uses of Windows 10 are anything but managers buying into marketing is also problematic. Please don’t pretend that Windows 10 has a history of providing security.

    • Steven Marco says:

      Thanks for your feedback. In a health care environment, any patient information being disclosed must fall within treatment, payment or health care operations. That being said, there is a chance with Telemetry in its lowest setting to transmit Personally Identifiable Information during Malicious Code Removal Tool (MCRT) transmissions. Since Windows 10 Professional does not understand Telemetry being set to “0”, it cannot be turned off, potentially allowing bits of data during submissions to Microsoft.
      It is important to understand Telemetry is a very valuable feature that improves the software and allows Microsoft to quickly respond to malicious code. There are a lot of advanced features, such as Edge Browser running in its own VM so potential Malware will not speak to the kernel (e.g. exit the infected browser session and the virus is contained and cleaned).

      If you are using Office 365, Microsoft will provide a Business Associate Agreement to your entity, which would allow the use of Windows 10 Professional and any setting of Telemetry desired (including whatever your Administrators may adopt).

      Windows 10 has truly evolved to adapt better than any previous version before it to respond to today’s threats. And it is also critical to remember that HIPAA compliance encompasses 72 Physical, Administrative and Technical Safeguards. Glad to see you are doing your homework!


    Thank you for the feedback! S F brings up several valid points…I’d like to opine on a few of them:
    “only Enterprise Windows 10 users can utilize the system in a compliant manner. This leaves out an enormous number of covered entities in the real world, and disguises that a computer purchased individually cannot legally be used in a compliant environment.”

    SO true! There is no “One size fits all” when it comes to security and compliance. This is a challenge for the smaller practices and security (as S F mentions) typically gets ignored…whether intentional or not.

    “implying that DOD uses of Windows 10 are anything but managers buying into marketing”

    I would agree with the statement that just because the Government is using a product or service doesn’t make it secure.

    The days of paper charting, fax and a copy machine are dead. I don’t own a fax machine and haven’t for 15 years. The patient demands more. I prefer to receive information electronically. I like CPOE (Computerized Physician Order Entry) so the Pharmacy doesn’t have to decipher the Doctor’s handwriting. I like that a prescription can run through a database to determine if a dose is incorrect and fatal. We live in a digital world, and striking the balance between security (which can slow down processes, limit access and increase expense) and compliance (a low bar and checklist) can be a tricky one.

    The intent of the White Paper is to highlight best practices for larger health care providers as it relates to Windows 10 and HIPAA Compliance. But what about the little guy? Here is what I would suggest to the solo practitioner with a shoestring budget.
    1. Be sure your anti-virus software is up to date.
    2. Get all the proper Policies and Procedures in place.
    3. Encrypt all mobile devices (see link for blog on BYOD)
    4. Install a good firewall
    5. Invest the time in training and awareness for your employees…or let us provide an online training module to you for free.
    6. GET OFF XP! 🙂

    These are just a few ideas on how to protect yourself from a potential breach. Thanks again, S F, for the feedback.

  4. Kevin Spatz says:

    Unfortunately, the Enterprise version, even with the complete lockdown procedure implemented, still leaks potentially damaging information. But the real issue (as already mentioned) is that only organizations large enough to absorb the massive cost increase of using Enterprise licensing will even have this level of protection. The great majority of medical entities with user counts of 100 or less, which means just about every practice not now owned by a major hospital, will be using Windows 10 Pro, which simply can’t be made to be HIPAA compliant.

    I really wish this industry would step back and see the big picture. If a truthful declaration were made indicating that Windows 10 (all versions) could not truly be made HIPAA compliant and should not be used in the health care industry, I’d bet you’d see an overnight move by Microsoft to allow administrators of at least the Enterprise and Pro versions to not just turn off, but strip out Cortana, telemetry, and all the other non-essential junk. And it would be even nicer if the 18-month lifecycle and all-in-one bundled updates were dropped in favor of a return to the more stable long-term lifecycles and granular updates. At least then we could maintain most of the security updates while removing the buggy patches that seem to plague update Tuesday every time.

    Curiously, there is an LTSB version of the Enterprise product that addresses a great deal of these issues. With only a little more work it could possibly be the perfect version of Windows 10 Pro.
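Two of the replies above turn on the same configuration detail: the lowest diagnostic-data level (AllowTelemetry = 0, “Security”) is honoured only by Enterprise-class editions, so on Professional a policy of 0 is applied as Basic, and the malware removal tool can still report infection data unless its own policy is set. The script below is an added example, not code from the whitepaper or from any commenter; it assumes Windows 10 with PowerShell run elevated and uses the documented Group Policy registry locations for Data Collection and for the Malicious Software Removal Tool (MRT). It reports what the host will actually do, which is the check an administrator wants before trusting a “locked down” image.

```powershell
# Added example (not from the whitepaper or the post). Reports the telemetry posture of
# this Windows 10 host: edition, whether the edition honours AllowTelemetry = 0, the
# policy value that is set, the level that will actually take effect, and whether the
# Malicious Software Removal Tool has been told not to report infection information.
# Assumptions: Windows 10, elevated PowerShell, documented policy registry paths.

$DataCollectionKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$MrtPolicyKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT'

# EditionID values that treat level 0 as "Security". Everything else (Professional,
# Core/Home, etc.) silently raises a configured 0 to 1 ("Basic").
$LevelZeroEditions = @('Enterprise', 'EnterpriseS', 'EnterpriseG', 'Education',
                       'ServerStandard', 'ServerDatacenter')

function Get-TelemetryPosture {
    $cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $edition = [string]$cv.EditionID
    $honoursZero = $LevelZeroEditions -contains $edition

    # AllowTelemetry is only present when set by policy (GPO or direct registry write).
    $dc    = Get-ItemProperty $DataCollectionKey -ErrorAction SilentlyContinue
    $level = if ($null -ne $dc -and $null -ne $dc.AllowTelemetry) { [int]$dc.AllowTelemetry } else { $null }

    $effective = if ($null -eq $level) {
        'Not set by policy (edition default applies)'
    } elseif ($level -eq 0 -and -not $honoursZero) {
        '1 (Basic) - this edition does not honour level 0'
    } else {
        "$level"
    }

    # DontReportInfectionInformation = 1 stops the removal tool reporting infection data.
    $mrt = Get-ItemProperty $MrtPolicyKey -ErrorAction SilentlyContinue
    $mrtReportingDisabled = ($null -ne $mrt -and $mrt.DontReportInfectionInformation -eq 1)

    [pscustomobject]@{
        Edition                       = $edition
        HonoursLevelZero              = $honoursZero
        AllowTelemetryPolicy          = $level
        EffectiveLevel                = $effective
        MrtInfectionReportingDisabled = $mrtReportingDisabled
    }
}

function Set-TelemetryPolicy {
    # Writes the same values the Data Collection and MRT policy settings would write.
    # Warns, rather than failing, when level 0 is requested on an edition that ignores it.
    param(
        [ValidateRange(0, 3)][int]$Level,
        [switch]$DisableMrtReporting
    )
    $posture = Get-TelemetryPosture
    if ($Level -eq 0 -and -not $posture.HonoursLevelZero) {
        Write-Warning "EditionID '$($posture.Edition)' does not honour level 0; Basic (1) will apply."
    }
    New-Item -Path $DataCollectionKey -Force | Out-Null
    Set-ItemProperty -Path $DataCollectionKey -Name AllowTelemetry -Value $Level -Type DWord
    if ($DisableMrtReporting) {
        New-Item -Path $MrtPolicyKey -Force | Out-Null
        Set-ItemProperty -Path $MrtPolicyKey -Name DontReportInfectionInformation -Value 1 -Type DWord
    }
    Get-TelemetryPosture
}

# Usage: report only, or apply the most restrictive setting and re-report.
Get-TelemetryPosture | Format-List
# Set-TelemetryPolicy -Level 0 -DisableMrtReporting | Format-List
```

Run the report before and after applying an image so the effective level, not just the configured one, is what gets recorded in the risk assessment; on a Professional host the report makes the Basic fallback explicit instead of leaving it implied by a “0” in the policy.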
