In my experience working at several US health IT companies, company principles for following HIPAA rules (especially patient privacy) were taken seriously at all levels and considered more than just compliance check boxes. Regardless of the ethical issues, if you get a reputation for being sloppy and the trade press writes negative articles then that can kill your sales pipeline.