>Because there are very few regulations that can effectively capture the intent of the rules instead of "tick boxes" that might or might not mean very much.
So HIPAA fines a company up to $50,000 per patient when a data leak occurs. They don't have to regulate how to secure the data, they just have to establish a fine with teeth requiring that companies secure their data with punishment when they don't.
Of course, if Congress would apply HIPAA rules to everyone's data and actually enforce it, data leaks for the most part would stop.
Fines don't happen until they get caught. How long can a company go and how much can they make before they get caught? What happens to the executives? They just move on pointing to their old success numbers.
I run internal audits for a large org as part of a strike team when my company is acquiring smaller orgs. External auditors are a joke and it's incredibly easy to slip things by them. The only reason we catch stuff is because we assume full ownership as part of our takeover process and actually build and deploy product to find issues.
But your company wouldn't even have a line item to look for those problems if regulations didn't require it. It's not a fool-proof solution, but it's at least a foot in the door for improvement.
There's also a criminal liability aspect to it. I've worked for healthcare companies too and they do care, at least enough to have it in the conversation and to include the HIPAA officer in those conversations. Nowhere I have worked have they been flippant about it.
I agree with you that the cap is too low. It should cap based on gross or revenue. I suspect it's so that the smaller companies won't get destroyed by fines leaving the larger ones largely unaffected, but I'm speculating.
https://www.hipaajournal.com/what-are-the-penalties-for-hipa...