Sounds like his remarks are grounds for a HIPAA violation lawsuit. I would certainty be traumatized if company leadership referenced my health conditions as grounds for a new HR policy.
AOL is likely not a covered entity under HIPAA. Do they furnish health care in the ordinary course of business? No? Then stop there, they're not covered.
Supposing they were covered, "an employee of AOL" is likely not specific enough to make any statement you make about them personally identifying.
You can certainly claim that your boss talking about you in public was a traumatic experience, but that's kind of thin gruel in a court of law. (IANAL but I have to know just enough about HIPAA to be dangerous, due to (probably) actually being covered by it, by means of BAAs with some clients of mine which explicitly transfer their HIPAA obligations to me with regards to data under my care.)
Supposing they were covered, "an employee of AOL" is likely not specific enough to make any statement you make about them personally identifying.
You can certainly claim that your boss talking about you in public was a traumatic experience, but that's kind of thin gruel in a court of law. (IANAL but I have to know just enough about HIPAA to be dangerous, due to (probably) actually being covered by it, by means of BAAs with some clients of mine which explicitly transfer their HIPAA obligations to me with regards to data under my care.)