If the company has an office in the USA (or any physical presence), or if the physical exam was conducted in the USA and the employee is an American, then HIPAA & Privacy Act applies. Doesn’t matter the flag of the ship. USA law applies if the company maintains a presence in the USA and employee is American. If employee is another nationality, then it may not be applicable.