Comment by hypeatei
I'm 99% sure HIPAA just applies to medical personnel (i.e. nurses, doctors) so they can't outright share private information. Third parties (i.e. your mom or insurance companies) can share it all day without violating HIPAA.
It does not protect your medical data whatsoever.
Insurance companies are absolutely covered by HIPAA. If it’s true that the insurance company (and not some third party service or app) shared the information directly with HR, this is definitely a violation.
https://www.hhs.gov/hipaa/for-professionals/covered-entities...