With HIPAA you have to track and store the information of every person who touches or reads the medical chart. The issue was more to do with random people reading medical charts.
It isn't difficult to bring the process into compliance. I offered to make an app, which would have been easy because there was a predefined workflow that can be diagrammed on a sequence chart in about 10 steps. There were a couple of interactions between the lawyer and the doctor. Then a step where the insurance company is notified. Then a lawsuit filed if not paid. At one point, I was researching how to store data in HIPAA compliance in the cloud. It was about 2 years later when AWS provided HIPAA compliant EC2 instances. I offered to build the app for $10,000. Having random people pore over private medical charts, and undocumented and haphazard communication between the lawyers, insurance company, and doctors through email and text messages, was a mess.
> The lawyer looking over the records was probably fine. Him paying his neighbor to help him look through them is more questionable.
I don't think so. The "paying" part is important - the neighbour becomes an employee for the duration of the work, which is fine, as then there's a contract between the employer and employee which includes, even if only implicitly, that the employer's data is not to be exfiltrated.
If he were simply sharing it with his neighbour for shits and giggles that would be a different story.
If there is anything true in this article "What Are The Requirements For Storing Physical HIPAA Documents"[0], laws were broken. But, I'm not a lawyer, what do I know?
HIPAA carves out this exception for using your health records:
“To pay doctors and hospitals for your health care and to help run their businesses”