Whether the police have DNA or not (did they publicize that??), and whether or not he is guilty, or even a suspect, is up the system we have in place that includes a jury trial. I suspect that by reporting your suspicions, warranted or not, to the management (and security), that you complied with reporting requirements, and also protected the paycheck that pays for your mortgage.
The news is full of people that attempted to stop robberies or assaults in the workplace, and were terminated for violating company
There's another scenario here that defense lawyers may love- he may have been arrested on your suspicions, then found not guilty, then you might have faced all kinds of sticky legal issues. Not only that- we also always hear about truly vicious, guilty, nasty people getting 'off' on even minor technicalities. (Might have heard about the drunk Texas teen that killed 4 people, and was sentenced to a Country Club, because he was so rich, he didn't know any better?).
As far as HIPAA, it's not a simple plan, and there are plenty of loopholes to allow for reporting of many things- infectious diseases, fraud, and criminal activity, are some of them. I would assume your employer, and its legal team, formulated its reporting policy on their interpretation of HIPAA.