From Processor comes this editorial, "Taming the Compliance Beast":
Sarbox and HIPAA are so big (and so feared) that some firms go overboard to comply with them. “The biggest problem is over-scoping,” says Gartner’s Caldwell. Some companies put controls “here, there, and everywhere,” he says, ignoring the narrow intent of the law. For instance, Sarbox was designed to address financial controls and audits and never mentions IT per se. But some auditors have been reluctant to limit their clients’ efforts, a problem that was common in the early days of Sarbox when little was known about it. In contrast, some companies don’t go far enough, approaching Sarbox and HIPAA “as a project, not a process,” says Forrester’s Rasmussen. They don’t see compliance as part of their day-to-day operations, he says, and too often assign a project manager to an ad hoc job that won’t suffice in the long run.
This is so true. About half the front-line workers I deal with are suffering from HIPAA fatigue. They have been beaten on for so long, and been so handcuffed by policies, that they despise the very mention of HIPAA.
The other half are working at places that are so casual with PHI that they themselves are concerned, and are attending one of my workshops to cover their own assets.
Find a sane middle ground. Make your policies transparent enough that your front-line workers can follow them, but integrated into your processes so that they have some effectiveness.