Hacker News

Seconded. I’m a physician that got so pissed off at how a practice was repeatedly and willfully violating HIPAA that I risked my standing in the local physician community and reported them.

I was basically told by the case manager, or whatever they call themselves, to fuck off.



Preach it. Reported my own psychiatrist for having a bunch of highly sensitive "followup" forms asking about medication, emotional state, etc. (and including patient name, address, other PII) on the practice website that transferred data over plaintext to a shared hosting server running PHP5 in debug mode that had been hacked by an automated script and was redirecting people on first visit from a fresh IP to a "Congrats! You're our 1000000th visitor" spam site. Haven't heard from OCR in over a year.

¯\_(ツ)_/¯


When I worked at an MSP, we supported a small dermatologist's office. Everyone had personal computer accounts but everyone had a password of '1234' so...yeah.



