Windows 10 and HIPAA compliance

Developer Support

This post is provided by Senior App Dev Manager Srividya Annapantula, who spotlights Windows policies and considerations for HIPAA compliance.

Windows 10 is the best Windows OS so far. Along with its new features, it has raised concerns in the healthcare industry about personally identifiable information (PII) and protected health information (PHI) saved on Windows 10 devices: some of the settings that are turned on by default in Windows 10 could affect HIPAA compliance.

Healthcare ISVs that provide software applications for healthcare providers need to comply with HIPAA regulations. When a medical practitioner enters a patient's data, that information should not be captured by the device as the practitioner's own typing, inking, or speech data used for personalization, and Cortana should not process it to provide recommendations or otherwise create privacy issues.

Here are a few things Healthcare ISVs and healthcare providers should consider to help avoid violating HIPAA regulations and to protect their patients' privacy. Enterprises can configure these policies on Windows 10 through the Policy Configuration Service Provider (Policy CSP), typically via an MDM such as Intune, or through the equivalent Group Policy settings. Health care providers range from large hospitals to small physician offices, so it is important for ISVs to understand which Windows 10 edition providers run. The Policy CSP documentation lists which policies are available for which editions – Home, Pro, Business, Enterprise, Education, Mobile and Mobile Enterprise.

  • Privacy/AllowInputPersonalization: Controls whether Windows collects the user's typing, inking, and speech input to personalize the device. Turned on (1) by default; consider setting it to 0 so that patient data entered by a practitioner is not collected as personalization data.
  • Experience/AllowCortana: Setting this to 0 turns Cortana off completely. When Cortana is off, users can still use search to find items on the device.
  • System/AllowTelemetry: Telemetry data is categorized into four levels, selected by the policy value:
    • Security (0): Information that's required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
    • Basic (1): Basic device info, including quality-related data, app compatibility, app usage data, and data from the Security level.
    • Enhanced (2): Additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels.
    • Full (3): All data necessary to identify and help fix problems, plus data from the Security, Basic, and Enhanced levels.

See Configure Windows telemetry in your organization for the telemetry levels in detail and how to configure them. Note that the Security level is only honored on Enterprise, Education, IoT Core and Windows Server editions; on Home and Pro a value of 0 results in the Basic level. You can configure telemetry at the Security level and turn off all other connections to Microsoft network endpoints to help prevent Windows from sending data to Microsoft. For details, see Manage connections from Windows operating system components to Microsoft services.
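As an added example (not code from the original post), here is a PowerShell script that applies the three policies above through their Group Policy registry locations on a standalone or domain-joined machine and then audits the result, including the edition caveat for the Security telemetry level. The registry paths and value names are assumptions for this example: they are the ADMX-backed locations expected to correspond to Privacy/AllowInputPersonalization, Experience/AllowCortana and System/AllowTelemetry; verify them against the Policy CSP and Group Policy reference for your Windows 10 build, and prefer the Policy CSP through your MDM where one is in place.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Registry paths below are assumed to
# be the Group Policy equivalents of the Policy CSP settings discussed above;
# verify against the Policy CSP / ADMX reference for your build before deploying.

$Policies = @(
    @{ Name   = 'Privacy/AllowInputPersonalization'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization'
       Values = @{ AllowInputPersonalization      = 0
                   RestrictImplicitInkCollection  = 1   # "Turn off automatic learning"
                   RestrictImplicitTextCollection = 1 } },
    @{ Name   = 'Experience/AllowCortana'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
       Values = @{ AllowCortana = 0 } },
    @{ Name   = 'System/AllowTelemetry'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
       Values = @{ AllowTelemetry = 0 } }   # 0 = Security, 1 = Basic, 2 = Enhanced, 3 = Full
)

function Set-HipaaPrivacyPolicy {
    # Create each policy key if missing and write every value as a REG_DWORD.
    foreach ($p in $Policies) {
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        foreach ($kv in $p.Values.GetEnumerator()) {
            New-ItemProperty -Path $p.Path -Name $kv.Key -PropertyType DWord `
                             -Value $kv.Value -Force | Out-Null
        }
    }
}

function Test-HipaaPrivacyPolicy {
    # Emit one object per registry value with expected vs. actual setting, and flag
    # the case where the edition will not honor the Security telemetry level.
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    foreach ($p in $Policies) {
        foreach ($kv in $p.Values.GetEnumerator()) {
            $actual = (Get-ItemProperty -Path $p.Path -Name $kv.Key -ErrorAction SilentlyContinue).($kv.Key)
            $note = ''
            # Level 0 (Security) is honored only on Enterprise, Education, Server and
            # IoT editions; Home and Pro silently fall back to Basic (1).
            if ($kv.Key -eq 'AllowTelemetry' -and $kv.Value -eq 0 -and
                $edition -notmatch 'Enterprise|Education|Server|IoT') {
                $note = "Edition '$edition' does not honor level 0; effective level will be Basic (1)"
            }
            [pscustomobject]@{
                Policy    = $p.Name
                Value     = $kv.Key
                Expected  = $kv.Value
                Actual    = $actual
                Compliant = ($actual -eq $kv.Value)
                Note      = $note
            }
        }
    }
}

Set-HipaaPrivacyPolicy
Test-HipaaPrivacyPolicy | Format-Table -AutoSize
```

Run the audit function on its own (without the Set call) to check a device that is managed by Group Policy or MDM; a non-empty Note column on the AllowTelemetry row means the edition in use cannot reach the Security level regardless of what the registry says, which is the case to catch before relying on telemetry level 0 in a HIPAA risk assessment.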

Healthcare ISVs and providers need to understand their application requirements and configure their enterprises accordingly. The information above is not a comprehensive list of policies and simply represents a sample of considerations. For additional information, see HIPAA and HITECH Act at the Microsoft Trust Center.

Premier Support for Developers provides strategic technology guidance, critical support coverage, and a range of essential services to help teams optimize development lifecycles and improve software quality.  Contact your Application Development Manager (ADM) or email us to learn more about what we can do for you.
