Are these lawyers you have talked to and gotten meaningful and nuanced advice from, or are they lawyers your bosses have talked to and derived maximally avoidant policies from? I'm not saying that you shouldn't have policies that fit your risk profile, but I ask because I have been in those former conversations (and I have done a nontrivial amount of auditing+compliance work in this space) and have never come away with such an impression, while at the same time the level of perceived risk that your bosses derive from those conversations can be entirely untethered from the level of risk that actually exists. (This space is full of people saying "oh, HIPAA means we can't do that" as shorthand for "I don't want to do that," after all.)

They are wrong generally speaking. Willful conduct is the standard for criminal liability. A developer in good faith introducing a bug or inheriting one from a third party is not in that situations

My guess as to why the draconian position is more about the internal process. You have to identify and disclose breaches in a timely way; if you don’t the company is at risk.

From HHS summary of the rules:

(See: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-reg... ) (it’s also laid out in the regulation which I don’t have time to find.)

“Criminal Penalties. A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one-year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm.”