Is Windows 10 HIPAA compliant?

Is Windows 10 HIPAA compliant? That’s the $64,000 question. I realize I’m showing my age by using that line, but the fact remains that this is a topic of much discussion on the internet. As of this writing, Microsoft is not exactly helping its case. I’ve searched the Internet for some conclusive statements from Microsoft concerning HIPAA compliance and none are to be found.

Andrew Clarke

One thing is certain, though: choosing Express settings during setup leaves Microsoft's data-collection defaults (input personalization, Cortana, and the rest) switched on, which by itself guarantees a degree of non-compliance. Choose Customize settings instead, so that you can evaluate each option and decide whether you want it turned on or not.

For example, the input personalization section of Microsoft’s Privacy Statement, located at, says the following:

“Microsoft collects and uses data about your speech, inking (handwriting), and typing on Windows devices to help improve and personalize our ability to correctly recognize your input.

For example, to provide personalized speech recognition, we collect your voice input, as well as your name and nickname, your recent calendar events and the names of the people in your appointments, and information about your contacts including names and nicknames. This additional data enables us to better recognize people and events when you dictate messages or documents.

Additionally, your typed and handwritten words are collected to provide you a personalized user dictionary, help you type and write on your device with better character recognition, and provide you with text suggestions as you type or write. Typing data includes a sample of characters and words you type, which we scrub to remove IDs, IP addresses, and other potential identifiers. It also includes associated performance data, such as changes you manually make to text as well as words you’ve added to the dictionary.

You can turn off Input Personalization at any time. This will stop the data collection for this feature and will delete associated data stored on your device, such as your local user dictionary and your input history. As Cortana uses this data to help understand your input, turning off Input Personalization will also disable Cortana on your device. At, you can also clear data sent to Microsoft, such as your contacts and calendar data, user dictionary, as well as search and browsing history if your device also had Cortana enabled.”

We don’t know if the scrubbing is performed before or after data is sent to Microsoft (on the device or at the server level). We don’t know if the data is encrypted during transmission. We don’t know if the stored data is encrypted, either on the server or on the device.

There are a lot of unanswered questions concerning how data is handled in Windows 10. Unless Microsoft is willing to clarify the HIPAA compliance of Windows 10, my recommendation is to carefully evaluate each step of the installation process and to absolutely turn off any features involving personalization or Cortana (Microsoft’s version of Siri).
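The recommendation above is easy to state and easy to lose track of: a setting chosen during setup can be flipped back by a user, a feature update, or a new profile. The following PowerShell script is an added example, not code from the original post, that audits the Input Personalization and Cortana switches on a Windows 10 machine and, with -Enforce, sets them to the off state. The registry paths and value names are the ones written by the corresponding Group Policy settings ("Allow input personalization", "Allow Cortana") and by the Settings > Privacy > Speech, inking & typing toggles; they are this example's assumptions drawn from those policies, not something the post documents. Run it in an elevated PowerShell session; the HKLM policy values need administrator rights, and on a domain-joined machine the same policies should be delivered through Group Policy rather than written directly.

```powershell
# Added example (not part of the original post): audit and, optionally, enforce
# the Windows 10 Input Personalization and Cortana settings the post recommends
# turning off. Registry paths/value names below are assumed from the matching
# Group Policy and Settings toggles; verify them against your own build.
# Usage:  .\Disable-InputPersonalization.ps1           # audit only, exit 1 if non-compliant
#         .\Disable-InputPersonalization.ps1 -Enforce  # apply settings, then re-audit

[CmdletBinding()]
param([switch]$Enforce)

# Each entry: registry path, value name, and the DWORD value that means "off".
$Settings = @(
    # Policy "Allow input personalization" = Disabled (machine-wide).
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization';          Name = 'AllowInputPersonalization';        Value = 0 },
    # Policy "Allow Cortana" = Disabled.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search';        Name = 'AllowCortana';                     Value = 0 },
    # Per-user toggles behind Settings > Privacy > Speech, inking & typing.
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\InputPersonalization';                   Name = 'RestrictImplicitInkCollection';    Value = 1 },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\InputPersonalization';                   Name = 'RestrictImplicitTextCollection';   Value = 1 },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore';  Name = 'HarvestContacts';                  Value = 0 },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Personalization\Settings';               Name = 'AcceptedPrivacyPolicy';            Value = 0 }
)

function Get-SettingState {
    param([hashtable]$S)
    # Returns the current value, or $null when the key or value is absent.
    # Absent means the Windows default applies, which is the collecting state.
    $item = Get-ItemProperty -Path $S.Path -Name $S.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.($S.Name)
}

function Set-SettingState {
    param([hashtable]$S)
    # Create the key if needed and write the DWORD, overwriting any existing value.
    if (-not (Test-Path $S.Path)) { New-Item -Path $S.Path -Force | Out-Null }
    New-ItemProperty -Path $S.Path -Name $S.Name -PropertyType DWord -Value $S.Value -Force | Out-Null
}

function Test-Settings {
    # Audit every entry. Emits one object per setting with a Compliant flag so the
    # report can be filtered or exported (Export-Csv) as evidence for a reviewer.
    foreach ($s in $Settings) {
        $current = Get-SettingState $s
        [pscustomobject]@{
            Path      = $s.Path
            Name      = $s.Name
            Expected  = $s.Value
            Current   = if ($null -eq $current) { '(not set: default applies)' } else { $current }
            Compliant = ($current -eq $s.Value)   # $null -eq 0 is $false, so "not set" fails the check
        }
    }
}

if ($Enforce) {
    foreach ($s in $Settings) { Set-SettingState $s }
}

$report = Test-Settings
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'One or more personalization/Cortana settings are still in the collecting state.'
    exit 1
}
exit 0
```

The audit treats a missing value as non-compliant on purpose: a key that was never written means the Windows default applies, and the default is the collecting state the post warns about. The HKCU entries only cover the profile the script runs under, so for a shared workstation run the audit per user or push the HKLM policies, which apply regardless of who is logged on. Disabling Cortana this way takes effect after sign-out or a restart.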



This entry was posted in HIPAA, IT.
