I get lots of questions about HIPAA security these days; especially as EHR firms, hospitals, payers, and startups alike are being asked about their HIPAA policies.
My general recommendation is that you should forget about HIPAA at first (it’s a toothless, generally unenforceable, regulation that will never improve security because it is a bureaucratic compliance tool). Instead, you should concentrate on good security practices, good security policies, follow recommended NIST guidance, and then come back and tie in the HIPAA regulations to make sure you don’t miss anything from the privacy side. ...