My response was essentially, "I can do it, but we will need to explain why we are going against CDC guidelines or else I see a mass problem on our hands. Can you get that reasoning for me so I can share it?"
A few hours later, the request for the memo was rescinded. Big win in my book.
This gets the "Liar, Liar Pants on Fire" snopes flair. The law was originally written for insurance companies and healthcare providers, but extended to anyone that handles private medical data, primarily concerned with paper records. The follow-on HITECH Act covers any entity that stores private medical data in an electronic system. Source: I'm a certified auditor.
Seriously, we should start raking corporations over the coals on this one and demanding HIPAA and HITECH audits of their HR systems if they're trying to do this.