I note that this thread is old, however, for compliance with HIPAA I would use the administrative HIPAA guidelines that were updated in 2013. These guidelines give specific security standards which the federal government expects a healthcare company to meet and be measured against. Standards are broken down by "required" and "addressable". Required standards must be implemented on a priority basis, addressable standards can be implemented after the fact.