The California Dental Association’s website in an article dated January 27, 2014:
If dentists need to continue using Windows XP past April 8, the minimum requirement for HIPAA compliance is that they address the risks in their risk analysis. Addressing the risks means the dentist knows what can happen and that they have a plan to minimize the risk (they must describe the plan in the risk analysis). That plan also can include a timeline for making the switch away from Windows XP because dentists cannot continue to use that operating system indefinitely.
So when does using Windows XP past April 8 become a HIPAA violation? When a dentist’s written risk analysis does not address the risks associated with using an unsupported operating system. As the risks increase over time, dentists are obligated to keep the risk analysis updated.
From the US Deaprtment of Health and Human Services:
Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?
Answer: No. The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security. Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).