Lax US Security Rules????
Given that much of the US government has IT security rules and their systems are insecure by most standards (the Hillary Clinton email issue brought this out), their rules don't mean much.
A HIPAA audit in IT only looks at the paper trail. IT is supposed to be audited by a third party, and even then, no down-and-dirty penetration testing is done and no one ever checks the servers for patches, etc. They only check the paperwork showing that things have been done.
HIPAA is more about the physical security... are papers properly shredded, does customer service ask customers for their IDs, etc., and not assume the caller is "Joe Blow" without asking some questions. Some of it is the illusion of PHI security, such as the line on the floor in lobby areas, etc., so supposedly no one else can hear names, account numbers, etc., which is a joke when some mostly deaf pensioner is screaming at the receptionist and she/he at them.
HIPAA is much like some of the other things in government like "Homeland Security"... mostly to make everyone feel safe and secure. If they ever implement penetration testing, things might change. But with the lobby money pointed at Congress, I doubt that will ever happen.