Motard (1553251) writes "For much of my career, I've worked in organizations subject to the Health Insurance Portability and Accountability Act. Among other things, HIPAA prescribes government-mandated regulations regarding the security surrounding Protected Health Information, or PHI.
In smaller companies, where I've been able to talk directly to the equivalent of a General Counsel, it has been interpreted as a requirement to employ reasonable measures to protect the information. In larger corporations — especially those that had found themselves entertaining representatives of The Office of The Inspector General — there are generally dedicated Risk Management or Security officers dedicated to eliminating risk — often without regard to practicality (since that isn't their charge).
So I ask this question: When it is demonstrated that a government contractor can flee to Hong Kong with classified secrets from the NSA (of all things), what chance does 'The Main Street Clinic' have of meeting the requisite data security requirements? At what point do we have to throw up our hands exclaiming "If the freaking NSA can't do it, how can we?""