An Iowa doctor pled guilty to illegally accessing patient records and sharing sensitive photos.
What happened
Dr. Gabriel Alejandro Hernandez Roman, a 30-year-old emergency room doctor from Puerto Rico, confessed to serious privacy and medical ethics violations. While participating in an emergency medicine residency program in Iowa, he exploited his access to hospital electronic medical record systems. Dr. Hernandez Roman accessed the personal health records of individuals who were neither his patients nor present in the emergency department during his shifts.
In one particular instance, he photographed a patient’s medical condition, an exposed rectum, and sent the image to another person via Snapchat. This breach of confidentiality, along with others, including unauthorized access to the records of patients "K.F." and "M.C." at different times, was admitted by Dr. Hernandez Roman in a letter to the Iowa Board of Medicine.
In the know
Dr. Hernandez Roman’s actions primarily violated HIPAA's Privacy Rule, specifically 45 CFR § 164.502, which prohibits the use or disclosure of protected health information (PHI) without a valid consent or authorization unless it is necessary for treatment, payment, or healthcare operations.
Dr. Hernandez Roman breached this fundamental rule by accessing the medical records of individuals who were not his patients and for whom he had no legitimate medical or operational reason to view their information. His act of taking and distributing a photograph of a patient in a vulnerable condition to a non-medical contact via social media compromised the patient’s privacy. It contravened the same section of the Privacy Rule that demands the protection of PHI against improper use and disclosure.
What was said
The Northern District of Iowa Attorney's office press release stated, “Specifically, Dr. Hernandez Roman used his access, as a resident doctor, to Hospital 1’s electronic medical records system to access K.F.’s medical records and learn private medical information about K.F. without K.F.’s knowledge or consent. At no time did K.F. consent to Dr. Hernandez Roman accessing K.F.’s medical records.”
Why it matters
Cases like this one and that of Drs. Gabrielian and Henry, show vulnerabilities within healthcare systems to both internal and external threats. Drs. Gabrielian and Henry were accused of violating the same section of the Privacy Rule, 45 CFR § 164.502, by allegedly conspiring to disclose PHI to an undercover FBI agent posing as a Russian embassy official. While they diverge in their contexts and motivations, these cases exemplify the need for healthcare providers and institutions to make use of controls over PHI access and usage within their organization.
See also: HIPAA Compliant Email: The Definitive Guide
FAQs
What is a HIPAA violation?
A HIPAA violation occurs when there is unauthorized use or disclosure of PHI that compromises the privacy or security of such information.
What is PHI?
PHI refers to any information in a medical record that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service, such as diagnosis or treatment.
What is the purpose of the Privacy Rule?
The purpose of the HIPAA Privacy Rule is to protect the privacy of individuals' medical records and other personal health information while allowing the flow of health information needed to provide high quality health care.
Kirsten Peremore
