Comment by sonofhans

Yes, exactly, the rules are intentionally broad and vague. You can wave paper at most of them and technically succeed. And then when you release accidentally PHI for the first time and your bullshit comes to light, your chickens will come home to roost. Doing a good job on compliance is less about security and more about staying out of jail.