tough as nails -vs- creme-puff
there is nothing in between
enforcement is one of the requirements of HIPAA... in addition, no matter what industry, you should get the authorization of the CEO -- yeah, the C*E*O -- to punish every violator... even CXOs... even the CEO himself (herself)...
if there are rules, then there has to be enforcement of sanctions for violation... and without consistency, enforcement is without teeth...
people will pay attention only if and...
...when the CFO's admin aide gets busted for installing unapproved software
... when the son (daughter) of the CHRO (Chief Human Resources Officer) comes with his parent on Saturday and uses a company computer "just for homework", whereupon the CHRO will be asked to resign
it will take six months for people to get over themselves, then everyone will toe the line... or else