Computer World has an interesting article up about companies which have, through their own incompetence, run afoul of the HIPAA data security rules. Highly recommended reading, and quite entertaining in a Darwin Award sort of way. My personal favorite was the one where a manager asked an employee to take backup tapes containing unencrypted personal data for patients home with him in order to accomplish the off site data storage requirements of HIPAA. When the tapes were stolen (of course) the employee reported their theft to the authorities and was fired for his trouble. The story doesn't end there though - because the employee was following his company policy and instructions from a supervisor, the employee is potentially protected from retaltiation from his employer. Thus, the employer might have bought itself both a HIPAA nightmare and a suit under the applicable whistleblower protection laws.
However, the bottom line of the article is serious. Too many organizations have been behaving as if HIPAA simply doesn't exist, or as if its requirements had no meaning. While the keystone cops level of competence of some organizations is amusing, it's no joke for the organizations and people involved. So, for HIPAA, know it, read it, do it...otherwise you could find yourself included in the next compilation of HIPAA disasters.