Back in August 2016, the personal physician for U.S. President-elect Donald Trump came under fire for a photo revealing his office computer. It wasn't the computer itself that was the problem; rather, it was the operating system running on it. As explained in this article by Gizmodo, Dr. Harold Bornstein was using Windows XP on his computer, an outdated operating system that Microsoft no longer supports – a possible violation of the Health Insurance Portability and Accountability Act (HIPAA).
The HIPAA Security Rule requires covered entities, including doctors and physicians, to implement a combination of technical, physical and administrative safeguards to prevent the unauthorized use of, or access to, Electronic Protected Health Information (ePHI). One could argue that using Windows XP is a violation of this rule, since it no longer receives updates and consequently contains unpatched security vulnerabilities. However, the Department of Health and Human Services (HHS) recently addressed the question of the minimum requirements for operating systems used by covered entities.
So, what operating systems are covered entities allowed to use with regard to HIPAA? According to the HHS, the Security Rule was written without any specific requirements for computer operating systems. This was done to give covered entities the flexibility to implement security measures that best fit their respective organizations' needs.
While the Security Rule doesn't require the use of a specific operating system, it does require covered entities to implement the aforementioned safeguards when ePHI is stored on a computer or device. As such, the security features of an operating system may be used to comply with the technical safeguards of the Security Rule.
This doesn't necessarily mean that you can use an outdated operating system and still comply with HIPAA. If the operating system is old and no longer maintained, it may well contain unpatched security vulnerabilities, which could be viewed as a violation because the appropriate technical safeguards are not in place. Of course, this only applies to computers on which ePHI is stored. If the computer doesn't contain patient information, there's no need to worry about implementing these safeguards to protect that data from disclosure.
To recap, neither the HIPAA Security Rule nor the Privacy Rule requires the use of any specific operating system. However, you must still implement a combination of technical, administrative and physical safeguards, which may be difficult to satisfy on some outdated operating systems.