It goes further than that. If you work for a company and have a need for some level of access to private information (e.g., processing a short-term disability request), you cannot disclose the information. There is no need to share such information with anyone unless there is a truly compelling need.
Agreed that HIPAA is broad. Many protections for personal health info stored/possessed by third parties are actually covered by the HITECH Act (which complements HIPAA) and by many state data privacy protection laws, regs, and rules too.