Worth noting that the TrueCrypt security audit is going to proceed regardless. So it should be known before too long if there really is some major issue that is not feasible to fix, or if it would be practical for someone else to fork or take over the project.
My guess is the feds would consider TrueCrypt to be 'inadequate' now in the event of an audit, whatever version, but damn, the process of decrypting & re-encrypting is a pain.
Do the HIPAA rules actually specify acceptable ciphers and key lengths, key management requirements, etc.? In the financial world the big one is GLBA, which only stipulates that measures must be planned, documented, and implemented to protect NPI but does not specify what those measures need to be.
Though even if there isn't a strict requirement, if there is a known vulnerability (there isn't at this point) that you are disregarding, that could be a civil liability should a breach occur. I'd expect that any vulnerability that does exist would be in the realm of key strength or security, since they are using standard ciphers.