I suspect HIPAA is somewhat nebulous in the exact requirement for reinserting encrypted data, wouldn't the reasonable precautions argument say well yes this is Dr K's encrypted data and yes it is being loaded onto a machine that has been verified to be in Dr K's practice enough to past that test? I will of course claim some ignorance of the matter but think being HIPAA overzealous/paranoid opens up bigger potential roadblocks in patient care(which is the life I've chosen).
So am I to understand these latest security measures are 'we think this is a good idea' but not specifically mandated?
One thing I've learned from dealing with governmental regulatory agencies is don't say you are ever going to do more than mandated.