The intersection of HIPAA and the Illinois Biometric Information Privacy Act

January 23, 2020

Compliance with HIPAA and state laws has never been more important.

The Illinois Biometric Information Privacy Act (“BIPA”) passed in 2008 and was the first state law in the country to regulate biometric data usage. For persons in the healthcare sector, the intersection of BIPA and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) cannot be overlooked.

Let’s begin with the term biometric. 2 CFR § 200.82 defines Protected Personally Identifiable Information (“PII”) as the following:

Protected PII means an individual's first name or first initial and last name in combination with any one or more of types of information, including, but not limited to, social security number, passport number, credit card numbers, clearances, bank numbers, biometrics, date and place of birth, mother's maiden name, criminal, medical and financial records, educational transcripts.

Since various components of PII are inherent in the definition of Protected Health Information (“PHI”), Privacy Rule sections CFR §§ 164.514(b), (c) apply in relation to the de-identification of PHI. The HIPAA Privacy Rule sets forth two acceptable de-identification methods: expert determination (an expert is utilized to ascertain that an individual could not be identified) and safe harbor (no actual knowledge that the remaining information, including biometrics, can identify an individual). Satisfying either method demonstrates that §164.514(a) has been met and that the likelihood of exposure is slim. Persons should also be familiar with certain exceptions, such as HIPAA’s law enforcement exception (45 CFR §164.512) and the protections afforded to whistleblowers and workforce member crime victims (45 CFR §164.502(j)).


It is also important to realize that because a biometric is considered to fall under the category of PHI, entities must adhere to the Security Rule in order to ensure that adequate technical, administrative, and physical safeguards are in place to protect the confidentiality, integrity, and availability of the data.

BIPA also requires adequate technical, administrative, and physical safeguards, and it applies to a variety of industries, ranging from healthcare to retail to hospitality to any employer who uses fingerprint technology for timekeeping purposes. Like HIPAA in relation to PHI, BIPA in most instances requires providing notice that the biometric information is being collected and stored; providing written notice of the specific purpose and length of time for which that biometric information will be used and stored; and obtaining written consent. Healthcare is a bit different than simply using a biometric to log in to record hours worked, because the 6-7-year period of record retention serves another purpose: the continuity of patient care and treatment.

One key distinction between BIPA and HIPAA is that BIPA allows individuals to bring a private cause of action and recover damages without showing that actual harm occurred. There is no private cause of action expressly stated in HIPAA; rather, individuals typically sue under a common law negligence theory and use HIPAA as the standard to satisfy the elements of duty and breach. Causation and damages still need to be proven in order to recover in a negligence case.


In sum, compliance with HIPAA, as well as state privacy laws such as BIPA, which is further reaching, has never been more important. I’m still amazed at the number of entities that I encounter when I present, or that I am asked to represent after a breach, that have not done a risk analysis or have not done one in years. This one item, an annual risk analysis that meets the standards under HIPAA and NIST, can prevent significant financial, legal, and reputational damage.

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.