My response was essentially, "I can do it, but we will need to explain why we are going against CDC guidelines or else I see a mass problem on our hands. Can you get that reasoning for me so I can share it?"
A few hours later, the request for the memo was rescinded. Big win in my book.
You are correct. HIPPA is not in view here. But, there may be other privacy issues in play that have legal merit. The ADA can be expanded to fit the circumstance as well as GINA. Each state has there own regulations with regard to how private medical information of employees are handled. This is an area right now that is grey and will only be settled through litigation to fine tune it. It would come under an employers responsibilities to use general care to protect an employee's medical status.
If a person voluntarily gives their status to another person that is one thing. But, an employer cannot generally force an employee to divulge their medical status nor can the employer divulge private medical information once obtained without written authorization to do so. Medical records in certain circumstances, like in health care settings, can be requested by an employer - such as vaxine status. Those records must be maintained securely and are not kept as part of employee's work records. This is mostly defined through state regulation and not part of Federal mandate. For most states these private records held by a company cannot be released without the employee's consent except in certain legal circumstances such as by subpoena or other legal mechanism or in the case of medical emergency. The biggest threat to employers is getting sued by an employee for the release of this information.