We are a covered entity and are developing an online education program for a medical condition. Only registered/approved users are able to join and view pages. So it may be assumed that a user has the medical condition, but the site does not require that users identify themselves to others.


Users will have the option to enter PHI in a secured profile (HIPAA compliant...), but can elect not to enter any info. The users will also be able to generate their own content that can be viewed by other registered users. The rules ask users to use discretion on what they present about themselves to others. So users may themselves reveal PHI to other users in these situations. Since we own / run / maintain the site as a covered entity, is this disclosure a violation of HIPAA, and are we responsible for it if it is a violation?

