As someone who has practiced employment law for nearly 30 years, I've noticed that far too many other attorneys are unwilling to take strong stances even when they are in the right. In this case, it would have taken one very blunt letter to her telling her that she voluntarily disclosed her health care information, that there is nothing approaching a violation of HIPAA, and that she is perfectly free to waste a lot of her own money to hire her own lawyer to tell her the same.
When you're indisputably in the right, there is no reason to mince words. Clunk them on the head with the 2X4, and tell them to get lost.
I know that it wasn't your position to do that, but your compliance people sound like gigantic p*ssies. But that's how compliance departments justify their staffing.
The problem was she named both me and the company I worked for at the time for a HIPAA violation by name in her email that went out to many people, very publicly and threatened not only a lawsuit against me personally but also the company I worked for that was subject to HIPAA as a third party health insurance administrator. Both my internal HIPAA compliance folks and our outside compliance company knew she had no claim and that she was basically bat sh!t crazy, but they had to do what they had to do, basic due diligence in order to protect both me and my company from any potential litigation and I couldn’t blame them for doing that.