I was recently out on medical leave for surgery on my foot. I had only disclosed it to HR as they needed to process paperwork for insurance/short term disability. The doctor's paperwork did not go into specific detail either. However within my dept. my manager knew I was going out on leave for as it was a 6-week leave and I had casually mentioned it to another colleague let's call her "Tanya", also in my dept.

After I returned to work I had a phone conversation with somoneone from one of our regional offices whom I speak to only on an occasional basis or when something needs to be resolved.

During the call, she asked me how my "XYZ" was doing. I said fine but asked her how in the world she knew I had XYZ done? She jokingly told me she had been reading all about my XYZ in our quarterly newsletter (of course she was just joking). Yes, it was funny and I did burst out laughing but really it was not OK as it made me realize someone from HR let the cat out of the bag. After I stopped laughing I asked who told her and that's when she sensed the alarm of concern in my voice. Even though she tried to soothe me by saying "Listen I honestly can't remember how I found out but really, all of us should have our XYZ done especially when we get to this age.", by then it was really too late as I now knew this piece of sensitive info had managed to get all the way out to her 3,000 miles away! Needless to say even after the laughter died down, I was quite mortified to know all about this .

On top of all this: I HAPPEN TO WORK IN THE HR DEPARTMENT!!!. and believe it or not - I am supposed to be a "watchdog" for things like this... my manager and "Tanya" are all part of the HR dept...

Was a HIPAA violation committed from within HR - my own dept? Did someone in HR possibly volunteer that info in order to explain why I was out for that period? Do I have any recourse of action? My company is a financial institution.

No HIPAA violation. But a possible breach of ethics. HIPAA protects against unauthorized release of medical info by your medical practitioner. Since they did not release the info, HIPAA isn't involved.

However, YOU volunteered the info to at least three people in your workplace. The HR person you talked to about the leave, your manager and Tanya. I don't know what you told them about keeping this confidential. They may have mentioned this to this other colleague who may have expressed concern for you. Sounds like you went through a common procedure.

Whether a breach of confidentiality and ethics occurred, I can't say because I don't know what you said to the people you told. If they did breach, then you need to decide what you want to do.

Don't think so, I believe the HIPAA regulations pertain to someone in the medical field (your Dr. nurse, etc.) sharing your medical information. I think what you have here is a case of good old office gossip. (Not that is matters, but you said you had surgery on your foot, then you mentioned that your co-worker said "all of us should have our XYZ done especially when we get to this age" why do people need to have foot surgery at a certain age? Confused... )
Health Information Privacy (http://www.hhs.gov/ocr/privacy/)

Thanks, Scott. I only voluntarily told 2 people - both in HR - (again, my own department) about the exact XYZ procedure I had done. You'd think it would stay only with my own manager and colleague - all of us being in the HR dept - as a place of perceived safety. I wonder how people would like it if I randomly started to openly share their annual perf review information across the company?

You are probably correct about a breach in our code of ethics. I will have to read through it to find out if there's anything specific that addresses things like personal information.

Does anyone know what options I have or what recourse I could take?

Your recourse is to take it to the head of HR and point out that you only told 2 people yet the information seems to have spread beyond the dept. The HR head will need to decide what further action to take.

Keep in mind that when someone misses 6 weeks of work, it's common for people to express concern about the seriousness of his condition. And it's common to be quizzed about it, and it's common (in cases like yours) to assure people that it's not serious, and one thing leads to another, ending in 'don't worry, it was just his foot!' just to dispel fears of cancer and heart attacks.

Scott and Joy: many thanks. I see now how my leave could have stirred concern (as well as nosiness) in others about me but I still feel regardless, that medical and personal details should be kept airtight - especially within HR. Whenever there is a "need" to answer to other people's concerns about a fellow employee who's on leave, there are many other ways to purposely use non-disclosing wording and avoid spilling out specifics.

Scott and Joy: many thanks. I see now how my leave could have stirred concern (as well as nosiness) in others about me but I still feel regardless, that medical and personal details should be kept airtight - especially within HR. Whenever there is a "need" to answer to other people's concerns about a fellow employee who's on leave, there are many other ways to purposely use non-disclosing wording and avoid spilling out specifics.

And I totally agree with you. But as Joy pointed out giving out the info may not have been malicious or even inconsiderate. Any action you take could affect someone's job adversely, so you need to consider how the info was given out before you bring management into it.