Seems like if you just disclose and make assurances that "you take security seriously" then it's fine.

HIPAA doesn't have a private cause of action so if a violation happens, it's a wealth transfer to the government, it doesn't mean anything to you or any individual.

And most companies can simply price it in as cost of doing business at this point.

unfortunately, even if the fine seems harsh, if it is less than the profits generated the fine is an operating expense and not a deterrent.