The following is from
https://protonmail.com/blog/hipaa-compliance/
Entities that must be HIPAA compliant
As a rule, any person or entity that has access to patients’ medical data must be HIPAA compliant. These entities are defined by HIPAA as:
- Covered entities — any person or organization that has access to PHI. This includes healthcare providers, doctors, healthcare staff, pharmacies, healthcare clearinghouses, insurance companies, dentists, clinics, and nursing homes.
- Business associates — any person or organization that performs a service or other activity for a covered entity that gives it access to PHI. This includes email providers, cloud storage providers, physical storage providers, billing and finance companies, lawyers, accountants, third-party consultants, and Electronic Health Record (EHR) platforms.
In short, any business or any individual acting in a professional capacity that has any contact with the healthcare industry must be HIPAA compliant.
______________________________________________________________________________________________________________________________________
Reading this it sounds like employers and such are not covered as they are not in the provider domain. But I would think most try to be compliant to protect themselves from lawsuits and for peace of mind of employees. In fact most probably don’t have access to protected data as that is all handled by the providers and associated contractors.
Sounds like Penn State could release info but would naturally be reluctant to do so. And sports teams would be even more reluctant... don’t give out info the opponents can use. Also, don’t upset players or parents/guardians by releasing personal info.