HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Michigan doctor sentenced to prison for HIPAA violations

Written by Tshedimoso Makhene | Jan 24, 2025 2:31:56 PM

A Cedar Rapids doctor was sentenced to one month in prison for unlawfully accessing women's medical records and sharing an inappropriate photo of a patient via Snapchat.
What happened

A doctor has been sentenced to a month in prison after admitting to unlawfully accessing the protected health information of multiple women and sharing an inappropriate photo of a patient via Snapchat. In addition to his prison sentence, Dr. Hernandez-Roman was ordered to pay a $1,000 fine and will serve a three-year term of supervised release following his incarceration.

See also: HIPAA Compliant Email: The Definitive Guide
The backstory

The misconduct occurred between 2020 and 2022, while Dr. Hernandez-Roman was working as a resident doctor in the emergency rooms of hospitals in Cedar Rapids and Iowa City. According to court records, he accessed the medical records of multiple women without their knowledge or consent. Importantly, none of these women were his patients.

The violations came to light when an Iowa City hospital received an anonymous complaint. The report accused Dr. Hernandez-Roman of engaging in romantic relationships with patients, unlawfully accessing their medical records, and threatening them.
Going deeper

Dr. Gabriel Alejandro Hernandez-Roman, 31, of Isla Verde, Puerto Rico, pleaded guilty on June 28, 2024, to one count of wrongfully obtaining individually identifiable health information under false pretenses. An investigation was launched and revealed an alarming incident in which Dr. Hernandez-Roman took a photograph of a patient at a Cedar Rapids hospital that exposed the patient’s rectum. He then shared the image with another individual via Snapchat.
Why it matters

The case highlights the importance of patient privacy and the severe consequences of violating HIPAA. While Dr. Hernandez-Roman's prison term is brief, the legal outcome reinforces the message that such violations will not be tolerated.

See also: Preventing HIPAA violations
FAQs

What constitutes a HIPAA violation?

A HIPAA violation occurs when there is unauthorized access, use, disclosure, or handling of PHI. Common examples include:

  • Accessing patient records without a valid reason.
  • Sharing patient information without consent.
  • Failing to secure electronic health records (e.g., due to a data breach or inadequate safeguards).
  • Sending PHI through unsecured communication channels.

Learn more: Understanding HIPAA violations and breaches
What are the penalties for HIPAA violations?

HIPAA violations can result in:

  • Civil penalties: Fines ranging from $141 to $71,162 per violation, depending on the severity and whether the violation was intentional.
  • Criminal penalties: Fines up to $250,000 and prison time (up to 10 years) for deliberate violations, such as stealing or selling PHI.
  • Corrective actions: Additional training, audits, and policy revisions may be required.
What are the HIPAA requirements for reporting a HIPAA violation?

HIPAA requires covered entities to report violations involving breaches of protected health information (PHI) to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). For breaches affecting 500 or more individuals, the organization must notify affected individuals, the OCR, and in some cases, the media within 60 days of discovering the breach. For breaches affecting fewer than 500 individuals, the OCR must be notified no later than 60 days after the end of the calendar year in which the breach occurred. Notifications must include details of the breach, the type of PHI involved, and steps being taken to mitigate harm.

Go deeper: What are the HIPAA breach notification requirements