The type of organization that would store HIPPA encumbered data unencrypted, which based on my brief reading is not legal anymore, is not one that would operate in a reasonable (or legal) manner. Sadly, that seems to be most organizations that fall under HIPPA, compliance is a box to be checked while expending as little resources and effort as possible.
How they reacted to your kind action is sad, and depressingly common. I hope you told them to pound sand, and contacted whoever the data protection authorities were in your state. There needs to be much more aggressive enforcement of HIPPA and similar data protection laws, CYA bull like you encountered should not be happening.
This is an interesting case. I always pronounced HIPAA as "hee-pah". That has the advantage of approximating the spelling, but the disadvantage that it's not really a natural way for an English word to be pronounced.
People in the medical field, who deal with HIPAA all the time, pronounce it as if it was spelled HIPPA. It's a short step from there to actually spelling it HIPPA.
How they reacted to your kind action is sad, and depressingly common. I hope you told them to pound sand, and contacted whoever the data protection authorities were in your state. There needs to be much more aggressive enforcement of HIPPA and similar data protection laws, CYA bull like you encountered should not be happening.
Article I ran across: https://info.townsendsecurity.com/bid/74330/Does-HIPAA-Requi...