Comment by yunwal
Insurance companies are absolutely covered by HIPAA. If it’s true that the insurance company (and not some third-party service or app) shared the information directly with HR, this is definitely a violation.
https://www.hhs.gov/hipaa/for-professionals/covered-entities...