When it comes to data integrity, data security and systems access, the best security is adherence to an enterprise network security policy built on industry best practices. Adherence to HIPAA and/or CFR compliance regarding data security and integrity is often a victim of the dynamics and expense of EHR/EMR systems, because of deliverable "deadlines" and promised bonuses partnered with a wall of we-promise-to-fix-this-at-a-later-date waivers.
These systems are often delivered with enterprise network security policies as a complete afterthought. Now that many of these health care IT systems are maturing and reaching the next fad of providing health care IT services to "affiliates", PHI security is quickly becoming a pay-later scenario. In computer speak, the introduction of affiliates requires the addition of enterprise network intranets and/or extranets - more extranet than intranet.
These terms require a short study of Wikipedia to get even a lukewarm understanding of what you're going to have to get involved with. Confidence is high that any of your infrastructure folks with a conscience will roll their eyes at executive sponsorship wanting to be the first on their block to tout affiliate (extranet) connectivity. First you're going to have to fix all those security waivers, and if your UNIX boxes (mostly UNIX servers drive these health care IT systems) are not compliant with UNIX server security best practices and you're still trying to spell "security policy", then you are in for a high-cost migration.
The metamorphosis of IT and health care is a book that needs to be written now that we have a few years (10) behind us. The technology used in health care since 2000 rivals that of banking and financial information systems in complexity and in its need for extreme levels of data security. And although we can take from the lessons learned by the financial community with regard to data security, we are actually developing an information technology that adheres more closely to classified environments.
There are methodologies out there which can be adapted, but this requires more robust engineering effort and investment than the health care industry is willing to admit. Until HIPAA gets bigger teeth than it already has and some big player has to settle a high-dollar lawsuit for lack of compliance, executive sponsorship will not spend more than the business risk requires to implement the level of security that would guarantee a system delivering bulletproof PHI.
The sad lesson in all of this is that properly designed secure systems are much more economical, robust, scalable and better performing, and the closest to that fleeting notion called the point of equilibrium.