Before using the HIPAA argument, you should have whoever handles the HIPAA compliance to clarify about patient information over the radio and the need for encryption.
HIPAA does not require encryption when first responders are handling emergency patient care over the radio.
That may be different inside the walls of the hospital, but the compliance officer could confirm that. Be careful using a hobby radio forum as the basis for your argument.
Businesses -can- use GMRS if they are properly licensed. If they had a valid GMRS license before the rules changed back in the late 90's, then they would still be legal. Would be surprised if they had a valid license, but I do know of more than a few businesses that -do- have valid GMRS licenses and can absolutely, legally, use GMRS for their business. Those radios, however, are not legal for use on GMRS, even without the encryption.
Using GMRS for this application is a poor choice, legal issues aside. Obvious someone went on Amazon, searched "Walkie Talkie" and hit "buy it now" on the first thing that looked cool and was cheap. Not the first or last time that'll happen.
Yeah we have an internal phone system on WiFi here at the hospital which nurses doctors and ward clerks/ technicians are supposed to be using but in honest typical fashion our I.T director from 3 years ago wanted to “save” money (haha) and ordered these for the emergency room,
There are some very good WiFi push to talk radios that will do exactly what they need, would be HIPAA compliant, and would utilize the existing infrastructure you already have.
I have a police scanner that I use and pick up their frequency regularly on Gmrs, sadly things do get said on the frequency that violates HIPPA, been trying to go on the best way to report it to the FCC or maybe another agency that would be appropriate to handle this.
FCC probably isn't going to give you the response you desire. They aren't going to show up at the hospital and hand them a fine. Best you'd get would be a call from the local FCC office asking a few questions and reminding them of the rules. If you kept complaining, they may eventually get a bit more serious. But the process is usually a verbal warning, a written warning, a few more warnings, lots of time, eventually a Notice of Apparent Liability. The NAL could be handled by a good attorney from the hospital claiming ignorance and then fixing the issue.
In other words, that's not going to get you far. At least not quickly.
Your best option is to use what you have. If you are in IT, then talk to your managers and let them know what you found. Explain the HIPAA concerns and show them that you can listen on your scanner.
Explain the FCC Part 95 rules about encryption not being permitted.
Explain that the FCC requires a valid GMRS license to use those frequencies and that the hospital will not qualify for that license if they do not already have one.
Explain that the radios purchased do not have proper FCC Type Approval for use on those frequencies.
Be prepared to back all that up with sections of the FCC Part 95 rules.
Then offer them a few solutions:
Icom,America,Land Mobile,Marine,Aviation,Amateur,Network,Systems
www.icomamerica.com
Or any of the similar products out there on the market, including some cheaper Chinese products.
And then be ready to let this all go. Amazon/YouTube has led thousands of random people to assume they are now two way radio experts. This happens all over the country every day. The GMRS frequencies are full of this sort of stuff. It's good that you want to fix this, but it sounds like the deck is kind of stacked against you. Don't risk making those above you unhappy.