HIPAA avoidance is much narrower than that. Entities which perform administrative or managerial duties on behalf of a mandated organization that have to transmit PII to provide that service are also covered, even if the entity itself isn't a provider.
If 'Uber for nurses' is acting on behalf of nurses, it probably doesn't apply? If it's acting on behalf of the hospitals (who are indisputably covered entities), then the situation is much less clear.
I encountered a similar situation with my startup many years ago and decided "better safe than sorry" after consulting the lawyer.
I used to work in the field. HIPAA protects patient data, not provider data. If my understanding is correct that only nurse PII was leaked, this has nothing to do with HIPAA.
In general, I've found that people tend to think HIPAA applies much, much more than it actually does. Like people thinking if you're in a meeting at work with clients and say "Sorry, Bob couldn't be here today, he's got the flu" that that's a HIPAA violation. No, it's not.
This is just an employee data leak, just like a bajillion other employee data leaks. The fact that the employees happen to be nurses still doesn't mean it has anything to do with HIPAA.
ESHYFT isn't a covered entity, so HIPAA doesn't apply to them. Even if they have health data of their employees in their system, they're still not a covered entity.
Really, "Uber for Nurses" is a title to drum up interest. "Large Staffing Service" would be factually accurate.