Re: Bah!
HIPAA covers how Protected Health Information that is identifiable can be accessed be people. Because of changes to technology in the last 20 years, the enforcement of HIPAA has been extended to include information security.
Having working in healthcare previously, I can attest to the rectal probing that an audit should bring when done with actual compliance in mind. Generally, even automated or transactional accesses to PHI was logged and justified. Since it extended to automated processes, just having a generic "SysUser" account for any and all applications that might access the data was not cool, so a unique identifier was required.
We were often asked to "Give me all you've got," by incoming systems and we had to get them to outline the exact data they needed, what it was needed for, and what, if any, was going to persist in their system. Even if they persisted none of it, however, there was a conversation way above my pay grade that often resulted in a much reduced field count and/or without any kind of the forbidden identifiers.
I'd heard that others around us were similar, though that might have been because healthcare is a rather important field in my geographical location, so there is a lot of poaching... err, cross-pollination of ideas, so it wouldn't surprise me to learn that through sheer luck, the healthcare companies in my neck of the woods are a bit stronger... but I'll probably see a local company hacked in tomorrow's paper just to make an idiot of me.
As far as the "seal of approval" from the OPM, I think they only are really concerned about the security of federal employee data... and it wouldn't surprise me if such data was kept sequestered from the other information to please government auditors. Where I was, the PHI of Medicare, Medicaid, Military, and Federal Employees were kept separate from other clients and had tighter control as the government had standards in excess of what was required by law, while the other clients were more concerned about NDAs, IP, and trade secrets (which they often considered things like benefits to be). So at Premera, don't be surprised if few, if any, people associated to a federal contract were compromised.