Coming in late - but to answer some specific issues, first HIPAA compliance.
The first thing to do to improve your compliance is to ensure that all users have non-admin accounts for regular use, and do not have access (in general) to admin passwords. This protects the practice and the machines, as both internal and external attacks are limited if the user does not have admin permissions.
Second is to understand that you have to protect info at rest, in use, and in transit.
At rest - strong passwords are your friend; in the event of theft, disk/full-disk encryption gives you the peace of mind that the bad actor has an expensive paperweight/boat anchor.
In use - if each user has their own credentials, and they don't share, then in the event of a staff change you just deactivate one account. Don't leave a computer logged in as a practitioner without locking the screen.
In transit - encryption is the name of the game. Disk encryption for drives/tapes in transit, and for info going over the wire, encrypt the message or the container. There are email encryption tools, but both practitioners and patients don't like wrestling with tech, so I suggest something that is reassuring to the patient, but transparent - there are several portals out there now - I believe that Updox offers one that has some AC integration.
FYI - NV enacted law governing the encryption of electronic transfer of private info with hefty fines, more states will follow; so choose a tool that works for your practice.
Bottom line is that compliance is a combination of preventative measures (mostly common sense), processes that protect the data (a la shredding, locking screens), and awareness of what has to be protected.
On the other hand, FEAR comes from the unknown, and the folks who make their living selling into that FEAR, or doing compliance audits.
YMMV.