Yes, I agree, I think your personal medical information being passed on to your boss's spouse constitutes a violation.
You may have recourse, but you need to follow a chain of command and DOCUMENT it as carefully as possible.
I'd suggest doing two things: speak with your employer first. Get your employer's take on the situation - this may not have transpired as you think -- your MIL could have brought it up first... or who knows.... but speak with your employer first - just a simple question as to how it came up - don't be angry or defensive no matter what he/she says -- just go on a fact-finding mission.
THEN: call your company's Human Resource department and speak with the highest person in that department. Ask what the rules are about your boss speaking to other people outside the company about your personal medical information.
THEN take all of that information to an attorney. With all of that, see if you have a case.
Let me know how this all works out for you... okay?
I was afraid of that... okay - so ask the employer and then speak with an attorney if you want to pursue this legally.
If not - know you hold some pretty powerful cards - and see what she is willing to do about her mistake...
The bottom line is you have to decide what your goal is and go at it from that angle.
Thanks again, so what rights of mine did my employer violate?
Your medical privacy is covered under Federal Law. Here's some information:
Per section 1177 of HIPAA, a person who knowingly
is in violation of HIPAA regulations. Such persons are subject to the following penalties:
HIPAA also provides for civil fines to be imposed by the Secretary of DHHS "on any person" who violates a provision of it. The maximum is $100 for each violation, with the total amount not to exceed $25,000 for all violations of an identical requirement or prohibition during a calendar year.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA is the federal law that establishes standards for the privacy and security of health information, as well as standards for electronic data interchange (EDI) of health information.
HIPAA has two main goals, as its name implies:
HIPAA aims to improve accountability in part through what it calls administrative simplification -- a term that translates, roughly, as "promoting efficiency."
The principal means of promoting efficiency is better use of information technology. Health care is -- or, at least at the time of the legislation, was -- still very "uncomputerized" compared to other parts of the economy, particularly in its use of paper for personal health records.
Broader use of computer systems increased concerns about misuse of patients' health information, hence the inclusion of privacy and security provisions as part of HIPAA along with EDI standards.
HIPAA as implemented has four health information standards, and four associated sets of regulations or "rules":
HIPAA is also known as the Kassebaum-Kennedy Act, or the Kennedy-Kassebaum Act.