In the context of these various discussions, I've learned that many people, including a lot of health care professionals, seem to believe that HIPAA is:
a) a set of confidentiality guidelines that apply to all aspects of information about health care
b) something new that's only been around for a decade or so
c) something that can be maintained or violated by any person including health care providers, patients, city departments, bystanders, etc.
The only part of this that is accurate is b, in that HIPAA was enacted in 1996. The idea of protecting information is hardly new, though: all health care providers have had a duty to protect confidentiality for at least the last half a century. Other entities such as schools and employers might not have an explicit code of ethics around health care confidentiality, but will generally lose lawsuits if they make secondhand disclosures of people's medical information for no good reason. This is also not anything new and has nothing to do with HIPAA.
HIPAA only applies to "covered entities," which refers to individuals or agencies that transmit medical information electronically for billing and similar purposes. This means that a good number of private providers who do not take insurance, or salaried providers who work outside of the insurance system (school nurses, etc.), are not affected by HIPAA. They are still bound by the confidentiality standards set by their professional organization, licensing board, state laws, etc., but this is not the same thing as HIPAA.
Basically, someone is only maintaining or violating HIPAA if they are someone who bills insurance electronically. And if they are such a person, a HIPAA violation would also be a violation of confidentiality. In everyday speech and writing, it makes a lot more sense to refer to protecting or violating confidentiality, not HIPAA, since you likely don't know whether a provider is a covered entity (and, apparently, a lot more providers think they are covered entities than actually are).