Earlier this year (Feb 2017), we released guidance for configuring Windows 10 systems to comply with HIPAA requirements. After further review both internally at Microsoft and via customer feedback, we determined that additional clarification was needed.
It was quickly determined that if all of the settings in the original documentation were configured, the system would be somewhat limited in functionality. We also wanted to ensure our customers fully understood the implications of disabling or adjusting the settings outlined in the document, as well as what information may be transmitted via telemetry.
Chauncey Larsen, one of the many Windows experts here at Microsoft, spearheaded this effort: he worked a ridiculous number of hours with the HIPAA One team, Microsoft legal, and a whole slew of other brilliant-minded individuals to drive these revisions. Chauncey shared the following with me:
I’m happy to inform you that HIPAA One was recently cleared to add an Addendum to their document detailing HIPAA compliance with Windows 10. The addendum states the following:
Appendix B: Response to Microsoft Creators Update 1703 for Windows 10
In April 2017, Microsoft released Creators Update 1703 for Windows 10. This update provided granular details on amended basic level Windows diagnostic events and fields and most importantly, furthered Microsoft’s commitment to decreasing the exposure of ePHI.
Microsoft continues to be forthcoming on the user data that they collect and may have taken all steps necessary to minimize the possibility for exposure of that data. It is here that Microsoft showcases their pledge to exclude ePHI which may possibly exist on any computer operated by any covered entity.
Following the release, Microsoft issued this statement:
Customers subject to HIPAA can use Windows 10 with confidence in the collection of telemetry data at the Basic level. As customers can confirm for themselves, the data collected at Basic includes data about the user’s device only and does not include the content of documents, emails, or any other sensitive personal information about them or their clients.
-Marisa Rogers, Microsoft WDG Privacy Officer
There may still be items that require additional clarification and we will continue to address these as they are brought to our attention. While still a work in progress, this is certainly a step in the right direction. Please let me know if you have additional feedback as our team will continue to work with HIPAA One to provide the best guidance for our customers. In the meantime, the update was posted at the link below and the document is available today.