There really is no such thing as "HIPAA-compliant" software. See my column on this very subject.
HIPAA compliance is a process which is made of various policies, procedures and technologies. The fact that 30-day password changes cannot be forced doesn't mean that a product is non-compliant or even vulnerable. I'm of the belief that the more often passwords are changed, the greater the likelihood they will become compromised due to people writing them down in insecure places. The fact that the admin who sets new passwords can see everyone else's password could be a vulnerability, but it's not a deal breaker. There are a lot of organizations that do this. I'm not fond of it, but sometimes it's the only solution. Just keep in mind that there will be risks related to HIPAA compliance. The rules only ask that you document the risks, create a policy stating how that system is handled (and how risks are minimized), implement countermeasures when possible and train your users on safe computing practices. If there is no other way around it (which there probably is somewhere somehow -- it's just inconvenient), that's really all you can do.
For more info on this topic, visit these SearchSecurity.com resources:
This was first published in August 2003