Some of the threats to HIPAA compliance are the prevalence of people using laptops and other mobile devices to store medical records. An attacker could steal these devices and then access everything stored inside with ease. Another threat to HIPAA compliance is that a member of that organization could share their security information with an unauthorized person, who could turn out to be an attacker. Another thing that this person could do is leave their device in their car, which would allow an attacker to break in and steal the device.
To help deal with these issues, I propose that the only devices used are the ones supplied by the organization, and that the members of the organization are not allowed to plug any storage devices into computers that are located on-site.
Another thing that I would propose is that a DMZ is placed on the network, to which all outside traffic gets sent. From that DMZ point, the outside traffic would have to enter a security code or pass some other kind of authentication.