Preach it. Reported my own psychiatrist for having a bunch of highly sensitive "followup" forms asking about medication, emotional state, etc. (and including patient name, address, other PII) on the practice website that transfered data over plaintext to a shared hosting server running PHP5 in debug mode that had been hacked by an automated script and was redirecting people on first visit from a fresh IP to a "Congrats! You're our 1000000th visitor" spam site. Haven't heard from OCR in over a year.

¯\_(ツ)_/¯