You need to be part of a patient’s care team, using that data to further their care. Any other access is a violation.
Med students get a little grey area on this because their job is to absorb as much info as possible without necessarily providing care, but even they shouldn’t venture outside the census of their supervising physician.
That's absolutely false. Many other people need to be able to access the data just to keep systems working. I've worked in a HIPAA environment (as well as FDA class 1 / ISO 13485) for nearly 15 years now.
Med students get a little grey area on this because their job is to absorb as much info as possible without necessarily providing care, but even they shouldn’t venture outside the census of their supervising physician.