In a controversial ruling
applies to insurers, doctors, hospitals and other providers -- but not
their employees or outsiders who steal personal health data. Considered by some
as gutting the law, the decision does not hold employees culpable for
breaches of security or privacy because they are not "covered entities."

If a hospital sells a list of patients' names to a firm for marketing
purposes, the hospital can be held criminally liable, Mr. Gellman said.
But if a hospital clerk does the same thing, in defiance of hospital
policy, the clerk cannot be prosecuted under the 1996 law, because the
clerk is not a "covered entity."

