Sanctity:

I know what you mean. I manage the security for 5 domains, 4 of which I have no administrative control over. You need the buy in of the Administrators... Even if that buy in is only them signing your spiffy new corporate policy that states at the start:-

This is a business network for business use only

and work down the list of things you are banning, blocking and firing for..... In the policy you don't need an explanation of why you are doing anything. Do an expanded version for the Administrators for "sales" purposes. Put it all in terms of time therefore co$t should this policy item be broken. Since you mention HIPPA attach a copy to the back and in front of that place the synopsis of the security regulations - don't forget to point out the potential penalties for a breach of HIPPA and mention the fact that a breach of confidentiality will ruin the organization's reputation which will, in turn, ruin the organization itself.

Once administration signs off on it then implement. Every phone call after that ends with you saying "But it's the company policy... There's nothing I can do"... like a good little "jobsworth". The only thing you need to worry about after that is having the appropriate reason for why X is forbidden followed immediately with "... but tell me, what, exactly, is the business reason for this kind of activity?", when an administrator is forced to challenge you by their whining (L)users. Once you drop that question _be quiet_, silent... say nothing. In this situation the first person to speak loses.... You would be silly to speak. If there is a genuine business reason then you allow it _only_ to specified destinations or _only_ from specified sources or better yet both. You just made them happy, proved you are "flexible" with the policy, proved that you act in the best interest of the company and you are an all around bon oeuf...

The grief slows down really quickly... trust me...