I think this is the wrong approach. Establishing a law will just give them something to point you that they followed what was required instead of have doing what was necessary for their systems.
Instead of HIPPA violations they should start enforcing it at the maximum levels it allows by putting executives in jail over it (which HIPPA currently allows for). This will cause useful security policies to be implemented instead of the box checking nonsense we get now.
Instead of HIPPA violations they should start enforcing it at the maximum levels it allows by putting executives in jail over it (which HIPPA currently allows for). This will cause useful security policies to be implemented instead of the box checking nonsense we get now.