Wow. There are so many good lessons to be learned from the Hungry, Hungry HIPAA post over at the DailyWTF, an often hilarious site that posts, um, implementation flaws. Some lessons immediately come to mind:

• control and physical location of the data matters (physical entities must be part of the model).
• too much aggregation of user data makes for big mistakes
• access controls need to protect against incompetence of administrators as well as malicious intent