As a caveat, I don't do IT. But...
The assignment tasks you to construct an enterprise-wide policy that is compliant within the realm of not only HIPAA, but the Sarbanes-Oxley Act as well.
Neither one of these terms is mentioned in your acceptable use policy. I'd recommend doing some brief research on HIPAA, and possibly the Sarbanes-Oxley Act, to get at least a baseline idea of what they're designed to do. I'm not saying that you don't know what they're supposed to do, but it could help you implement some sort of guidelines for acceptable use that tie into these two components.
HIPAA compliance is a very serious item in the healthcare industry, and I think it would be prudent to advise new users to XYZ what HIPAA is, or at least something set forth that states any and all sensitive customer information has to be safeguarded, etc etc.
I'm also not sure how many acceptable use policies expressly allow for newsgroup posting and for blogging of any kind. If you still have a little bit of time before the due date, it might be prudent to check around and see what other major companies have in regard to this.
Ok, I think I'm done. Probably wasn't much help, but hell, it's past 1am.