The intersection of Artificial Intelligence (“AI”) and biometrics represents an emerging area of the law that cannot be overlooked by the healthcare sector. A recent Illinois case involving Section 15(b) of the Illinois Biometric Information Privacy Act (“BIPA”) further illustrates the importance of obtaining patient consent and updating HIPAA policies and procedures to address the evolving area of biometrics.
Although it is not a healthcare industry case, there are several takeaways from the Court’s recent Memorandum Opinion and Order in ACLU, et al. v. Clearview AI, Inc., Case No. 20 CH 4353. Central to this case is the tension between privacy rights and First Amendment protections. Here, the defendant utilized “facial recognition technology to capture more than three billion faceprints from publicly-available photos on the internet” and incorporated the faceprints into a database. Clearview AI, Inc. (“Clearview”) then sells access to its database, technology, and investigative tools—all without the knowledge or consent of the individuals whose data appears in Clearview’s database.
Let’s take a moment to consider how this may have potentially criminal HIPAA implications. 45 CFR § 164.508 prohibits the sale of protected health information (“PHI”) without first obtaining a patient’s prior authorization, and biometrics are a type of sensitive personally identifiable information that may be contained in a patient record. How many pictures do providers take (e.g., before and after photos) that become part of the medical record? It is not enough to obtain consent to merely take the pictures; selling PHI is a completely different ballgame.
Back to the Clearview case. The Complaint alleges that Clearview violated BIPA Section 15(b) by failing to obtain permission to create and store faceprints of the persons depicted in the photographs that it scrapes and uploads into its database. Section 15(b) precludes a private entity from collecting, capturing, purchasing, receiving, etc., a person’s or a customer’s biometric identifier(s) without first receiving a written release from the subject or his/her legal representative that provides consent. BIPA also requires that the specific purpose and length of the term be disclosed. In some ways, this is similar to HIPAA, which requires the specifics of the PHI sale to be disclosed in the written authorization and also provides the patient or his/her legal representative the option of opting out.
Overall, the Court in Clearview found that the Illinois legislature had the power to enact the statute, that BIPA furthers an important governmental interest, and that, because BIPA does not prohibit Clearview from collecting data but fundamentally requires it to “provide notice and receive consent” from the Illinois individual involved, it is not a limitation on one’s First Amendment rights. As more states enact biometric laws (although none are as robust as Illinois), healthcare AI companies, covered entities, and business associates should take note and take steps to update compliance programs in order to reduce the risk of a lawsuit and a potentially criminal HIPAA violation.