You’re signed in to the hospital’s electronic medical record system. What’s the harm in just typing in the name of a friend to see what pops up? The harm might be up to 5 years in federal prison followed by three years of supervised release, plus a $250,000 fine. Oh, and maybe your medical license.
Just ask Dr. Gabriel Alejandro Hernandez Roman.
On June 28, 2024, Dr. Hernandez Roman pleaded guilty in federal court in Cedar Rapids, Iowa, resulting in his conviction on one count of Wrongfully Obtaining Individually Identifiable Health Information Relating to an Individual Under False Pretenses.
Per a press release from the U.S. Attorney’s Office for the Northern District of Iowa, Dr. Hernandez Roman admitted in his plea agreement that, among other illegal medical record snooping, in January 2022, while working as an emergency medicine resident, he knowingly and without authorization obtained the individually identifiable health information of “K.F.” under false pretenses at “Hospital-1”. K.F. was never Dr. Hernandez Roman’s patient and was not a patient in Hospital-1’s emergency department at the time Hernandez Roman accessed K.F.’s medical records. He admitted that he accessed K.F.’s records to learn private medical information about K.F. without K.F.’s knowledge or consent.
Dr. Hernandez Roman also admitted to accessing K.F.’s medical records at “Hospital-2” in March 2021, as well as the medical records of “M.C.” at Hospital-2 in October 2020.
According to a 2024 article in the Iowa City Press-Citizen, at the time of those events, Dr. Hernandez Roman was a University of Iowa resident, and both of those patients were women with whom Dr. Hernandez Roman had, or was having, a romantic relationship. The article also reported that he had been fired from his residency program and that the Iowa Board of Medicine had issued an emergency order suspending his license.
Some Things For You To Think About
Humans are, by nature, extremely curious and, although many hate to admit it, overly interested in others’ personal information and the circumstances befalling them. If they weren’t, fender benders on the side of the road wouldn’t attract thousands of gawkers and television news programs would last slightly longer than the weather report.
But we’re not going to change human nature, although thousands of pages of legislation and hundreds of thousands of pages of regulation try to do it all the time.
On a case-by-case basis, though, such as the story of Dr. Hernandez Roman, we can see that violations of the privacy laws that criminalize the improper access of medical information, whether HIPAA or its state law counterparts, come with heavy fines and other penalties, including jail time. And, of course, because humans are, by nature, extremely curious and overly interested in others’ failings, the story of Dr. Hernandez Roman teaches each reader a bit about the downside of unchecked, and illegal, curiosity.
For medical groups, it also teaches the need not simply to provide dry education on HIPAA compliance, but to regularly drive the lesson home. Depending on what a medical group might know, and have ignored, about the past behavior of one of its physicians or other employees, and failed to correct, liability can attach to the medical group itself.
The University of Iowa will survive Dr. Hernandez Roman. Would your group and, say, its contract with a community hospital, survive a similar instance?
Perhaps only time will tell.