With regard to HIPAA, it can be violated only by health care providers and their business associates, plus sub-contractors.
"3. Who must comply with HIPAA?
HIPAA does not protect all health information. Nor does it apply to every person who may see or use health information. HIPAA only applies to covered entities and their business associates.
a. Covered entities
There are three types of covered entities under HIPAA.
Health care providers get paid to provide health care. Doctors, dentists, hospitals, nursing homes, pharmacies, urgent care clinics, and other entities that provide health care in exchange for payment are examples of providers.
Health care providers must comply with HIPAA only if they transmit health information electronically in connection with covered transactions. Most providers transmit information electronically to carry out functions such as processing claims and receiving payment. Therefore, most providers are covered under HIPAA.
Health plans pay the cost of medical care.
The following are examples of health plans covered under HIPAA: health insurance companies, health maintenance organizations (HMOs), group health plans sponsored by an employer, government-funded health plans such as Medicare and Medicaid, and most other companies or arrangements that pay for health care.
Health care clearinghouses process information so that it can be transmitted in a standard format between covered entities. Clearinghouses often act as a go-between for health care providers and health plans, which means that they rarely deal directly with patients. For example, a clearinghouse may take information from a doctor and put it into a standard coded format that can be used for insurance purposes.
For more information on whether an entity is covered under HIPAA, HHS provides a helpful chart.
b. Business associates
What is a business associate? Health care providers, health plans, and health care clearinghouses are just a few of the players in the health care business. Covered entities hire or contract with people and companies to perform numerous services.
A "business associate" creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity or another business associate acting as a subcontractor."
https://privacyrights.org/consumer-guides/health-privacy-hipaa-basics