Thank you for your question.
Required Disclosures. A covered entity must disclose protected health information in only two situations: (a) to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information; and (b) to HHS when it is undertaking a compliance investigation or review or enforcement action. See additional guidance on Government Access.
Permitted Uses and Disclosures
Permitted Uses and Disclosures. A covered entity is permitted, but not required, to use and disclose protected health information, without an individual's authorization, for the following purposes or situations: (1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations. Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.
It would clearly be a violation of the HIPAA privacy rule for the health care provider to make any disclosure to your employer of private health care information. As to the insurer, the law is less clear but the disclosure that you supposedly failed a drug test is not relevant to billing the insurer, so my answer is that any disclosure of that information to the employer or the insurer would be illegal.
Unfortunately, there is no private remedy for a HIPAA violation, but the same conduct can be treated as an invasion of privacy under State law.
I hope this information is helpful.