Offline
HIPAA is a source of regular error and misperception in the public and even healthcare professionals.
The key to your quote here is "about an identifiable patient". Where the information shared with public-health agencies or the public is not of the kind that would allow the patient to be identified (e.g. with personal information revealed or in a context where the patient's identity would be obvious from the report), there is no HIPAA privacy issue.
Correct. And with that, releasing said info on an employee would make it "public" to the immediate co-workers of that employee, thus "identifying" them and making it public.
Thats the insane fine line that no one wants to cross.