How is that in any way related to HIPAA? The patient has to contact the company and give them their information. The company then bills their insurance. No one is exposing their private health information.
I'm pretty sure HIPAA made the rule that patients must accept everything billed to insurance (or something to that effect), so I think it makes sense that they would be responsible for making sure it's enforced.
HIPAA isn't taken seriously until shit hits the fan, much like FINRA or any other piece of alphabet soup.
I've seen companies closed over HIPAA violations, and I've seen folks go to jail. It's totally ok to ignore HIPAA until it isn't and by then it's too late.
Some people play chicken with the federal government and some don't. As always, it is up to your particular risk profile.
Point being, HIPAA isn't taken very seriously.