While employers are generally not covered by HIPAA in relation to employee files, there are times when disclosure of confidential employee information is allowed. The best practice would be to follow HIPAA as a model. Also, if none of the HIPAA issues are in play, disclosing without a warrant or court order is generally not suggested unless you are guided by your attorney.
Here are a few potential situations where the EEOC says disclosure might be legally permissible: https://www.eeoc.gov/laws/guidance/ada-primer-small-business#confidentiality
Legal Requirements: Employers may be required to disclose PHI to comply with a court order, subpoena, or other lawful process.
Work-Related Injuries or Illness: In some jurisdictions, employers are allowed to disclose certain health information related to workers’ compensation or other similar programs.
Disclosure to managers and supervisors when the medical information is necessary to provide reasonable accommodations for the employee (mostly applies to the ADA)
Disclosure to safety personnel and first aid providers if the employee would need emergency medical treatment
Disclosure to authorized personnel in the course of a federal or state workplace investigation
The HIPAA statutes are on pages 88-90 here: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
Here is an article by an attorney that discusses this issue under “Legitimate Need to Know Circumstances”. https://www.jacksonwhitelaw.com/az-labor-employment-law/can-employer-disclose-medical-information-employees/