"Who must comply with HIPAA": https://www.hhs.gov/hipaa/for-professionals/faq/190/who-must...
"Is a software vendor a business associate of a covered entity": https://www.hhs.gov/hipaa/for-professionals/faq/256/is-softw...
For example, the GoodRX [0] and BetterHelp [1] settlements were both due to alleged violations of the FTC Act and Health Breach Notification Rule, rather than a violation of HIPAA.
[0] https://www.hipaajournal.com/court-approves-ftc-settlement-g...
[1] https://www.hipaajournal.com/betterhelp-settlement-ftc-healt...
