Doctor Sentenced for HIPAA Violations and Inappropriate Sharing of Patient Information

An Iowa emergency room doctor and medical resident, who violated the Health Insurance Portability and Accountability Act (HIPAA) by viewing the medical records of multiple women who were not his patients, was sentenced to one month in jail on January 16. He pleaded guilty to one count of wrongfully obtaining individually identifiable health information under false pretenses.

Between 2020 and 2022, the doctor knowingly and without authorization accessed the protected health information (PHI) of multiple women at hospitals in Cedar Rapids and Iowa City. At the time, he was working as a resident doctor at Hospital-1 in Cedar Rapids and Hospital-2 in Iowa City.

In January 2022, the doctor viewed the medical records of Patient-1 at Hospital-1 without her knowledge or consent. Patient-1 was neither his patient nor a patient at Hospital-1’s emergency department. When Patient-1 learned of the unauthorized access, the doctor asked her to falsely tell the hospital that she had granted him permission to view her records.

The doctor also accessed Patient-1’s records at Hospital-2 in March 2021 and Patient-2’s records at Hospital-2 in October 2020. The records included those of Patient-2, who was a minor at the time, as well as her adult psychological records. An anonymous complaint about the doctor’s alleged romantic involvement with patients, unauthorized record access, and threats led to the discovery of the violations.

Additionally, in January 2022, the doctor took a photograph of a Hospital-1 patient and sent it via Snapchat. The photograph showed the patient in a hospital gown with a prolapsed rectum. The doctor had no legitimate medical purpose for taking or sharing the photo.

In June 2023, the doctor sent a letter to the Iowa Board of Medicine, admitting to accessing Patient-1’s and Patient-2’s confidential medical records and sharing the photograph. In the letter, he falsely claimed he had sent the photograph to his mother as a reminder of the importance of fiber intake.

The doctor was sentenced to one month in prison, fined $1,000, and will serve a three-year term of supervised release after his sentence. There is no parole in the federal system.

Compliance Perspective

Issue

The HIPAA Security Rule requires healthcare facilities to maintain reasonable safeguards—administrative, technical, and physical—to protect electronic protected health information (ePHI) and ensure its confidentiality. Unauthorized access or disclosure of ePHI is a violation of resident privacy, and facilities must have appropriate authorization and supervision of staff handling such information. Similarly, residents have the right to privacy and confidentiality under regulations such as F583 and F600, which prohibit unauthorized photographs or recordings of residents, their private spaces, or activities without the resident’s or designated representative’s written consent. This includes taking photographs of residents in any state of dress or undress using devices such as smartphones, and sharing or distributing them via social media or multimedia messages. Violations of privacy, whether through improper handling of ePHI or through inappropriate photographs or recordings, can also constitute mental abuse, especially when facilitated by technology, such as smartphones, which enables the sharing of demeaning or humiliating images.

Discussion Points

    • Review policies and procedures related to HIPAA, PHI, and privacy, as well as the rights of residents to privacy and confidentiality. Ensure that the policies address preventing unauthorized access to ePHI and unauthorized photographs or recordings of residents and their private spaces. These protections are essential for safeguarding both electronic information and personal dignity.
    • Train all staff on HIPAA, PHI, privacy, and the specific rights of residents to privacy under regulations such as F583 and F600. This training should emphasize the importance of obtaining written consent before capturing or distributing any images or recordings of residents, as well as the consequences of violating these rights.
    • Periodically audit to ensure that the facility’s policies and procedures for HIPAA, PHI, and privacy are being followed by all staff. This includes auditing to ensure that no unauthorized access to ePHI occurs, and that no inappropriate or unauthorized photographs or recordings of residents are being taken, stored, or shared.

*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*
