Iowa Doctor Jailed for Unauthorized Medical Record Access
An Iowa doctor who accessed the medical records of current and former romantic partners without authorization, and shared an unauthorized photograph of a patient with his mother via Snapchat has been jailed for the HIPAA violations.
Dr. Gabriel Alejandro Hernandez-Roman, age 31, from Isla Verde, Puerto Rico was discovered to have accessed individuals’ medical records without authorization in June 2023 after an anonymous complaint was filed with a hospital where he worked alleging he was entering into romantic relationships with patients, impermissibly accessing their medical records, and threatening them. The complaint was investigated and the privacy violations were confirmed.
When one of the women discovered Dr. Hernandez-Roman had viewed her medical records, he asked her to advise the hospital that she had given him permission to access her records. Dr. Hernandez-Roman accessed the medical records of another woman without authorization, including her medical records when she was a minor and her adult psychological records. He also took a photograph of a patient’s prolapsed rectum and sent the image to his mother via Snapchat, which he claims was a warning about the importance of fiber intake.
Dr. Hernandez-Roman was investigated by the Iowa Board of Medicine and blamed his behavior on poor mental health and cultural and language barriers; however, those claims were rejected by the Board of Medicine which fined him $7,500 and suspended his medical license. Dr. Hernandez-Roman was charged with criminal HIPAA violations and entered a guilty plea on June 28, 2024, to one count of wrongfully obtaining individually identifiable health information relating to an individual under false pretenses. He could potentially have faced a jail term of up to 5 years and a fine of up to $250,000. Cedar Rapids United States District Court Chief Judge C.J. Williams sentenced Dr. Hernandez-Roman to 1 month in jail and 3 years of supervised release and ordered him to pay a $1,000 fine.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
July 1, 2024: Iowa Doctor Pleads Guilty to HIPAA Violations
An Iowa emergency room doctor has pleaded guilty to violating HIPAA by knowingly accessing the medical records of two patients without authorization when there was no treatment relationship with the patients. Dr. Gabriel Alejandro Hernandez Roman, 30, was a resident at two University of Iowa hospitals between 2020 and 2023, one in Cedar Rapids and another in Iowa City. During that time, Hernandez Roman knowingly and without authorization obtained the medical records of two individuals without their knowledge or consent. The two individuals did not have a treatment relationship with Hernandez Roman and were former romantic partners.
University of Iowa Hospitals and Clinics (UIHC) launched an investigation in early 2023 into the alleged privacy violations, confirmed that the patient records had been accessed, and questioned Hernandez Roman about why he had accessed the medical records. Hernandez Roman confirmed he was in a relationship with the first woman and said he accessed her records because he was concerned that she was having a psychotic breakdown. He also admitted to accessing the records of another former partner to check lab results for any sexually transmitted infections.
In another incident in January 2022, Hernandez Roman took a photograph of a patient’s prolapsed rectum when there was no legitimate medical reason for taking the photo and sent it via Snapchat to a woman he was dating at the time along with an unprofessional commentary. Hernandez Roman lied to the investigator about the reason for sharing the photo, which he claimed was sent to his mother to remind her of the importance of fiber intake. Following the investigation, Hernandez Roman’s Emergency Medicine Residency was terminated.
Hernandez Roman was also investigated by the Iowa Board of Medicine over his performance and privacy violations. The Board of Medicine investigation revealed Hernandez Roman’s performance fell below what was expected, his recordkeeping was poor, and concerns had been raised about the amount of time he spent on his phone. Numerous patients had requested they be treated by a different physician, and complaints had been made by nurses about his lack of professionalism with staff, patients, and patients’ families. The board also learned that he had been moonlighting at a hospital in Ottumwa when he had not received authorization from UIHC and had not completed the required coursework.
Hernandez Roman blamed his unprofessional behavior on poor mental health and cultural and language barriers; however, those arguments were rejected by the Board of Medicine which found the justification he provided for accessing the private health information of women he had a sexual/romantic relationship with was blatantly untruthful and he had a history of dishonesty. In February 2024, the Board of Medicine issued an emergency order suspending his license indefinitely due to unprofessional conduct and alleged incompetence and imposed a $7,500 financial penalty. Before the suspension can be lifted, the Board of Medicine requires Dr. Hernandez Roman to complete a comprehensive psychological evaluation, complete any recommended treatment, and provide proof of completion of a board-approved course on ethics, professional boundaries, recordkeeping, and patient privacy.
Hernandez Roman was also charged with criminal HIPAA violations. Under the plea agreement, he pled guilty to one count of wrongfully obtaining individually identifiable health information relating to an individual under false pretenses and faces a jail term of up to 5 years, three years of supervised release, and a fine of up to $250,000.
