HIPAA Compliance In 30 Days or Less

Computerworld - HIPAA. We are all sick of the acronym by now, and the April 20 compliance deadline for the Health Insurance Portability and Accountability Act is looming.
At the state agency where I work, the information security officer (ISO), who is responsible for HIPAA security rule compliance, has spent the past seven months or so writing policies and procedures. He divided them into two groups: "required" (stuff we have to do) and "addressable" (stuff we'd better be thinking about doing).
When I came aboard, only one of the policies had been approved by the agency chiefs. Everything is done by consensus here -- if one chief doesn't like a single sentence, the policy is rejected, edited and then resubmitted. I was starting to panic about the approaching deadline. If we can't get the policies approved, we certainly can't implement them.
I did what any respectable security professional would do under the circumstances. First, I asked each chief to support the policy-approval process. Next, wanting to find a template that would be widely accepted but not wanting to reinvent the wheel, I went to the Web site of the National Institute of Standards and Technology (NIST) and downloaded every available document related to security and compliance with the HIPAA security rule.
Special Publication 800-66, titled "An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule," was just what our ISO needed: a step-by-step guide to compliance. A table on page 13 of this handy document defines each standard of the rule, identifies its section number and outlines implementation specifications, noting which ones are required and which are addressable. Even better, pages 16 through 54 describe various "key activities" and provide sample questions. This was the perfect project outline to give to a HIPAA newbie.
I went one step further and took the NIST outline and plunked it into Microsoft Project, defined major milestones, allocated resources and hung the Gantt chart on my wall. I also printed all of the related NIST documents and put them in a big binder.
I wanted to show my ISO how to formulate a project plan. I wanted him to understand what he was going to be held accountable for and how short the time frame for implementation was.
When I showed the plan to my boss, I felt the need to apologize for my micromanagement. "I don't usually go to this length with a direct report, but I need to get through to this guy that this is the quality of