Measured subjectively, Runyon estimates that 60% of health care providers are compliant with HIPAA's security standards. A survey last summer of 220 health care providers and insurance companies by the Healthcare Information and Management Systems Society and Phoenix Health Systems showed that only 56% are complying with the security requirements.
Runyon said ambiguity was built into the HIPAA security regulations on purpose to make them less onerous and encourage adoption. But now that organizations have had a couple years to implement best practices and security technologies, he expects enforcement to increase in the next two to five years, which will "put some teeth into this rule."
Enforcement is coming--- I know you have heard this before, but time really is running out. Don't wait for it to start to rain before you build your ark.