Just because your EMR/EHR system is HIPAA-compliant doesn't necessarily mean your entire organization is. You may also need to consider a GRC compliance management system: