According to the Office for Civil Rights (OCR), HIPAA is often violated in relation to HIPAA business associate agreements or, more accurately, the lack thereof.
A HIPAA business associate agreement (BAA) is a contract between a HIPAA-covered entity, such as a hospital, and the organization or person providing services to the covered entity, known as a HIPAA business associate. For example, an accounting or consulting firm that works with a hospital would be considered a HIPAA business associate. The BAA protects personal health information (PHI).
In some cases, however, it can be difficult to identify who qualifies as a HIPAA business associate. One example of this is app developers. The U.S. Department of Health and Human Services released guidance for healthcare app developers in February 2016 detailing specific examples and scenarios to help developers understand whether their app deals with PHI and, therefore, needs to be HIPAA compliant.