How do you figure a CBP agent is violating HIPAA for searching items which contain PHI?

CBP is not a covered entity under HIPAA. Hence there is no enforcement action that can be taken against them by the Department of Health Services Office of Civil Rights (the "HIPAA Police").

If anything, HIPAA may enter into the equation for the owner of the laptop through inadvertent disclosure of any unencrypted PHI. Now whether or not the laptop owner can legally refuse a request by CBP to see the content of a file (electronic or paper) that contains PHI by citing HIPAA privacy/security regulations is something I'd need to research. I seem to remember some kind of exception buried in the regs regarding national security (figures!) but it has been awhile since I've waded through the HIPAA swamp.