not quite again, if i induce a third party to commit the violation for me then I have serious liability issues.
(just refering to real world experience)
HIPAA is much more limited than most people think, in my experience. HIPAA even has a reverse preemption provision in recognition of the fact that most states already had medical records privacy laws that are more stringent than HIPAA.
Although HIPAA's best known as a health information privacy statute and regulation, that wasn't its purpose. HIPAA began as a requirement that certain treatment and payment information, if transmitted electronically, be transmitted using certain standards. Insurers and others would no longer be allowed to have their own system and requirements for electronic transmission of treatment and payment information. There would be one federally-mandated standard.
Once patient advocacy groups realized that HIPAA would likely result in increased electronic transmission of health information, there was a push for privacy standards. HIPAA is essentially a safety net of privacy standards and most states already had laws that were more protective in many ways.
Because the privacy regulations grew out of a statute and congressional mandate dealing with the electronic transmission of health information, the initial statute and regulations applies only to defined 'covered entities' and 'business associates.' HHS simply doesn't have congressionally-given authority to apply HIPAA's privacy standard to any part other than those subject to the electronic standards part of the regulations.
That's all an oversimplification, but it's close enough.
I guess I'm just being anal as an attorney who works in this area. There may be state and federal privacy laws that are applicable in this case, but HIPAA isn't one of them. HIPAA doesn't even allow private suits; only the DoJ can bring an action against someone for violation of HIPAA.
Not trying to be a know-it-all; just stating that I respectfully disagree with you.