comment by kleinbl00
kleinbl00  ·  2964 days ago  ·  post: [48 HOURS] What is Microsoft becoming?

Wave it all you want, you're wrong.

All the technological stuff you're talking about gets totally swept under the rug. Having sat next to five sales presentations, whenever you mention HIPAA compliance they all say "we got this and can protect you" and the conversation moves on.

I'm not saying these vendors are HIPAA compliant - I'm saying they're diffusing the question their customers are asking effectively, be that through misunderstanding, half-truth or outright deception. Either way, individual practitioners get to check off the HIPAA box without having to know or care what a load balancer is. They mash an icon on their iPad and they're in, and their clients click a button on their website and they're in.

So get worked up. Take a stand. Pontificate about encoding. Between the pointy-haired bosses and the sales weasels, you're not only irrelevant, you're a deaf-mute because you won't even be asked. I'll take it further - you could walk into any independent practitioner's office with a white paper and server logs demonstrating that a doctor's EMR isn't HIPAA-compliant and they'll shrug, say "I got my waiver" and tell you to leave.





user-inactivated  ·  2964 days ago

The sales weasels don't care whether the product does the right thing, they care that the customer thinks the product does the right thing. The pointy-haired boss doesn't care that the product does the right thing, he cares that his ass is covered and he has something to brag about to his pointy-haired boss to prove he has Leadership. Your users care in the abstract, but aren't really interested; if they're told all is well, they'll take it on faith because they just want problems ancillary to what they're trying to do to go away. If you care about your craft or your users, you pick fights with your pointy-haired boss and the sales weasels so you can do whatever it is you're trying to do right. Dominant species or no, PHBs are easier to replace than you are; you can get away with saying "fuck that, here's what we're going to do" as long as you're right. Or you let it grind you down and just do whatever you need to do to keep the PHB smiling, but that'll make you miserable.

kleinbl00  ·  2964 days ago

Or, if you don't care to write your own HIPAA-compliant EHR for your staff-of-five and client-base-of-hundreds, you accept that the whole thing is a big stupid pigfuck but that it's everyone's big stupid pigfuck and move on. It's like speeding on the freeway - if everyone's doing it, the likelihood of being pulled over is proportional to the redness of your car and personal ethnicity, not proportional to speed.

HIPAA, in many ways, is the exact same boondoggle as the Americans with Disabilities Act. 10-20 percent of my audio budget used to be for Assistive Listening Devices because the ADA says you have to assume that 5% of the audience for any given public event is deaf, and you need to provide them headsets, minimum 5. Which means if you have a classroom that seats 20 people, you have to have headsets for 25 percent of the seats. Which means if you have a stadium with 20,000 seats, you've got 200 headsets in a closet somewhere.

Which nobody adhered to. Even the building inspectors knew it was a joke. They wanted to see the regulation "six headsets and an emitter" on every spec sheet because they knew it would never get used.

Commtek, Genter, Listen Technologies... these are companies that exist to make devices no one will ever use because of legislation.

When HIPAA went through I got to start putting in masking systems for every lobby in every medical office.

HISSSSSSSSSSSSSSSSSSSSSSSS

goobster  ·  2964 days ago

Eh.

Issues like this are always complaint-enforced. So everything is fine until a patient files a lawsuit. Then your piece of paper won't be worth the paper it was written on.

"And your infrastructure isn't HIPAA compliant, either. So add another quarter million onto the award for lack of proper network infrastructure."

I rail because the technologically correct answer is inadvertently the wrong legal answer. And that shit pisses me off, because it's gonna be the little practitioners who mashed a button on their iPad who get screwed.

kleinbl00  ·  2964 days ago

Doesn't matter. The lawyers always go after the deep pockets and the deep pockets are never the individual practitioner. Besides which, a malpractice suit isn't going to be about medical records; a records leak suit is going to be about medical records and then the practitioner points at the waiver and says "talk to my EMR."

Rail all you want. Actual HIPAA compliance matters fuckall compared to perceived HIPAA compliance, and perceived compliance is "there's an app for that."