Something they are hoping you don't consider is the fact that HIPAA does in fact extend to individual persons attempting to access your medical privacy. A violation does not have to just pin the company. You can and should file suit against anyone prying into your personal, private information. And more than likely, the company will try to distance themselves from the employee you are suing. This will flip the script on them when companies start struggling to employ fall guys.
EDIT: I really need to wake up more. The thought came to me so I shared it. You cannot discuss people's medical history or status unless they volunteer it, but even then you can still get in trouble if it turns out said someone didn't want that information volunteered. It does not only apply to medical professionals.
"Even if HIPAA is implicated by the employer's disclosure of the OSHA Log, the statute and implementing regulation expressly permits the disclosure of protected health information to the extent required by law. See 45 CFR 164.512(a)."