Employee health records are often stored in third party systems that are subject to HIPAA.

Point is that Automattic would have full access to this as well.

Those providers may be subject to it.

Attempts to go fishing in such records would be pretty unlikely to succeed; it'd be an uneforcable request contrary to public policy, with no relevance to such an audit. It would be correctly and easily fought.