An emergency room physician in Iowa has confessed to violating HIPAA laws by purposefully accessing the health data of two patients with no authorization nor treatment relationship with them. From 2020 to 2023, 30-year-old Dr. Gabriel Alejandro Hernandez Roman spent his residency at two University of Iowa hospitals – in Cedar Rapids and Iowa City. In that period, Hernandez Roman intentionally acquired the health data of two persons without their knowledge or permission. The two patients who were former romantic partners were not treated by Hernandez Roman.
University of Iowa Hospitals and Clinics (UIHC) started investigating at the begining of 2023 into the supposed privacy violations. It was confirmed that the doctor accessed patient records and so UIHC inquired Hernandez Roman with regards to his reason for accessing health records. Hernandez Roman said the first woman was his romantic partner and he viewed her records to find out if she was experiencing a psychotic breakdown. He also accessed another ex-partner’s records to see if her laboratory test data showed positive for sexually transmitted infections.
Another incident in January 2022, Hernandez Roman took a picture of the prolapsed rectum of a patient without valid medical reason and sent the picture plus an unprofessional comment via Snapchat to a lady he was dating. When investigated, Hernandez Roman lied by saying that the reason for sharing the picture to his mother was to tell her the necessity of fiber consumption. After the investigation, UIHC terminated the Emergency Medicine Residency of Hernandez Roman.
The Iowa Board of Medicine also investigated Hernandez Roman for his performance and HIPAA privacy violations during his residency. The Board of Medicine investigation showed that Hernandez Roman’s performance was not satisfactory. He has poor recordkeeping and spends a long time using his phone. Many patients had asked for a different doctor for their treatment. Nurses complained about his unprofessionalism in dealing with personnel, patients, and patients’ relatives. The board additionally discovered that he was moonlighting at an Ottumwa hospital without authorization from UIHC and he failed to complete his expected coursework.
Hernandez Roman attributed his unprofessional conduct to poor mental health and language and cultural barriers. The Board of Medicine rejected those excuses which he provided to justify his access to the private health data of women he claimed to have a relationship with because he had a record of dishonesty. The Board of Medicine suspended Hernandez Roman’s license indefinitely in February 2024 due to unprofessional behavior and incompetence. A $7,500 financial penalty was issued as well. To lift the suspension, Dr. Hernandez Roman must undergo a complete psychological assessment, finish the recommended treatment, and give a certification after taking a board-accredited course on professional boundaries, ethics, patient privacy, and recordkeeping.
Hernandez Roman also faced charges of criminal HIPAA violations. He admitted his guilt to one count of wrongfully obtaining individually identifiable health information of a person under false pretenses. He will serve up to 5 years in jail, pay a $250,000 penalty and be on supervised release for three years.
