The Illinois Biometric Information Privacy Act (BIPA) of 2008 was the first state law in the country to regulate biometric data use. For physicians, the intersection of laws such as BIPA and the federal HIPAA law cannot be overlooked.
Let’s begin with the term “biometric.”
Since various components of personally identifiable information (PII) are inherent in the definition of Protected Health Information (PHI), the HIPAA Privacy Rule applies to the de-identification of PHI. The HIPAA Privacy Rule sets forth two acceptable de-identification methods:
- expert determination (an expert is utilized to ascertain that an individual could not be identified); and
- safe harbor (no actual knowledge that PII, including biometrics, can identify an individual).
Satisfying either method demonstrates that the regulation has been met and that the likelihood of exposure is slim. HIPAA includes certain exceptions, such as for law enforcement purposes and the protections afforded to whistleblowers and workforce member crime victims.
It is important to realize that because a biometric falls under the category of PHI, entities must adhere to the Security Rule to ensure that adequate technical, administrative, and physical safeguards are in place to protect the confidentiality, integrity, and availability of the data.
BIPA also requires adequate technical, administrative and physical safeguards. And it applies to a variety of industries, ranging from healthcare to retail to hospitality to any employer who uses fingerprint technology for time keeping purposes.
As with PHI in relation to HIPAA, BIPA, in most instances, requires providing notice that the biometric information is being collected and stored; giving written notice of the specific purpose and length of time for which that biometric information will be used and stored; and obtaining written consent.
Healthcare is a bit different than simply using a biometric to log in to record hours worked, because the 6-7-year period of record retention serves another purpose—ensuring the continuity of patient care and treatment.
One key distinction between BIPA and HIPAA is that BIPA allows a private cause of action to be brought by individuals, without showing that actual harm occurred in order to recover damages.
There is no private cause of action expressly stated in HIPAA; rather, individuals typically sue under a common law negligence theory and use HIPAA as the standard to satisfy the elements of duty and breach. Causation and damages are items that still need to be proven in order to recover under a negligence case.
Compliance with HIPAA and any state privacy laws has never been more important. I’m still amazed at the number of practices that have not done a risk analysis in years or ever. This one item, a proper annual risk analysis, can prevent significant financial, legal, and reputational damage.