The Health Insurance Portability and Accountability Act (HIPAA) does not contain any express language conferring a right to sue upon a person or employee if the privacy regulations are violated. The Fifth Circuit in Acara v. Banks, 470 F.3d 569 (5th Cir. 2006) held that HIPAA does not provide a private cause of action to an individual for privacy violations and that Congress instead left enforcement of the law to the Secretary of Health and Human Services. Therefore, an individual or employee who believes their privacy rights under HIPAA have been violated would need to file a complaint with that agency. Here is where you may find information on filing a complaint.
An individual may still have a common law suit for invasion of privacy for the unauthorized revelation of medical information; however, such a suit would be separate and would not involve any HIPAA protections or violations.