HIPAA question

I have an employee who went out to have surgery. She told her department head that this was not private. Usually, in that case, if someone asks about how the employee is doing, we feel free to provide that information. However, it is on a limited basis only, to those who inquire.

This week the supervisor sent a company-wide email explaining that the employee had had surgery, that they were doing well, where they were placed for rehab and encouraged other employees to call and/or visit. This went out to 106 employees in 9 facilities.

When I tried to explain that issuing a health bulletin was not in our best interest or the best interest of the employee, I met with total resistance.

Now the supervisor wants federal regulations stating what information can be given out. I am having a hard time finding exactly what I want to show, because most of what I am finding pertains directly to healthcare providers.

Can anyone help me with this?