From Concurring Opinions, this commentary on a recent New York Times article on Hypercompliance on the HIPAA front. Health care folks have been intimidated into denying access to PHI to people who have legitimate inquiries and a legal right to it.
This type of behavior is born out of fear and poor understanding of rules filtered through complicated reports written by obfuscating contractors. It seems reactionary, and unreasonable, but a means to the safety only an ass well-covered provides. As Mr. McGeveran points out, "it is always easier to say 'no' than to figure out how to say 'yes.'" I believe mistaken "safe" attitudes like this is often how security policies end up being implemented, and are difficult to purge once they become corporate folklore.
The "easy no" is not uncommon in security management, and enables ten thousand wannabe Kip Hawleys to exercise passive aggressive nonsense in its name.