Is biometric data a HIPAA risk?

February 19, 2020

Leona Rajaee

Biometrics are gathered to digitally identify individuals, based on unique physical characteristics. Biometrics include fingerprints, facial features, voice cadence, and other identifiers. The US Department of Homeland Security uses biometrics primarily for immigration purposes, vetting and credentialing, detecting illegal entry attempts, and verifying visa applications. In healthcare, biometrics are used to identify patients and to ensure that employees have access only to the information they need to know.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required HHS to adopt national standards for electronic healthcare transactions and code sets, unique health identifiers, and security. In 2009, as part of the American Recovery and Reinvestment Act (ARRA), the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law. The HITECH Act addresses the privacy and security concerns associated with the electronic transmission of protected health information.

As the use of biometrics becomes more prevalent in healthcare, providers must exercise care in regard to adhering to the regulations of HIPAA and the HITECH Act. Biometrics are in the category of protected health information (PHI) and as such, healthcare providers must ensure that appropriate safeguards are put in place to protect the confidentiality and integrity of the information.

Illinois was the first state to recognize the importance of protecting data gathered through biometrics. In 2008, the state passed the Biometric Information Privacy Act (BIPA), which applies to healthcare, hospitality, retail, and any employer who uses fingerprint technology. Many businesses use employees’ fingerprints, for example, for timekeeping purposes.

BIPA requires healthcare providers to, in most instances:

Put into place adequate technical, administrative, and physical safeguards
Have a written policy, schedule, and guidelines for the data’s collection, retention, and destruction
Provide advance disclosure and a written release from the patient
Adhere to restrictions regarding disseminating biometric information.

Following the example set in Illinois, five other states – Texas, Washington, California, New York, and Arkansas – have passed similar biometric statutes. The California Consumer Privacy Act (CCPA), which will go into effect in 2020, defines biometric data as “physiological, biological or behavioral characteristics, including … DNA[,] that can be used … to establish individual identity,” which includes “sleep, health, or exercise data that contain identifying information.”

Given the definitions of HIPAA, the HITECH Act, and biometrics as they are used in healthcare, there is a risk involved in collecting and maintaining this data. As with all PHI, steps must be taken to ensure the security and integrity of biometrics when used in a healthcare setting to comply with federal regulations and to provide patients with appropriate data safeguards.