The Biometric Information Privacy Act (BIPA) is a groundbreaking law enacted in Illinois in 2008 to regulate the collection, use, and storage of biometric data by private entities. The Act itself, “...requires a private entity that obtains an individual's biometric identifier or biometric information to take specified actions to maintain and ensure the privacy and security of such biometric data.” This aims to protect individuals' unique biometric identifiers, such as fingerprints, retina scans, and facial geometry, from unauthorized use and data breaches.
How does BIPA intersect with HIPAA?
In a market valued at 34.5 billion, BIPA offers protection within the state of Illinois in a sector set for rapid growth. Section 10 of BIPA specifically excludes information captured from patients in a healthcare setting that is otherwise protected under HIPAA.
Recently, the Illinois Supreme Court delivered a notable ruling regarding the intersection of BIPA and HIPAA, particularly in the healthcare sector. The case involved two nurses who sued Ingalls Memorial Hospital, asserting that the hospital's use of fingerprint-enabled medication storage systems violated BIPA's requirement for notification when collecting biometric data. However, the hospital defended its practices by arguing that this biometric data collection was integral to healthcare operations and thus protected under HIPAA.
Initially, an appellate court sided with the nurses, but the Illinois Supreme Court overturned this decision. The Supreme Court ruled that the hospital's actions were compliant with HIPAA, and therefore, the collection of employee biometric data without explicit notification was permissible. This ruling signifies a notable exception in BIPA's application, specifically in healthcare settings where biometric data is used in alignment with HIPAA's guidelines for patient care, treatment, or operations.
What types of data does BIPA protect?
Under BIPA, the types of biometric data that are protected include:
- Fingerprints: This is one of the most commonly used biometric identifiers, often employed in various security systems for identity verification.
- Retina and iris scans: These involve the use of unique patterns in a person's retina or iris and are used in some high-security authentication systems.
- Voiceprints: Voice characteristics can be analyzed to create a unique representation of a person's voice, used for identity verification in voice recognition systems.
- Hand or face geometry: This includes measurements and shapes of a person's hand or facial features. Face recognition technology, for example, uses these unique geometric patterns to identify or verify a person's identity.
Who does BIPA apply to?
- Private businesses: Any private company operating in Illinois that collects, stores, or uses biometric data, such as fingerprints, facial recognition, or iris scans.
- Employers: Companies in Illinois that use biometric data for employee identification or timekeeping purposes.
- Technology providers: Companies that develop or supply biometric technology or systems used within Illinois, even if the company itself is not based in the state.
- Educational institutions: Schools, colleges, and universities in Illinois that collect or use biometric data of students or staff.
- Healthcare providers: While they are subject to HIPAA for patient data, healthcare providers in Illinois must comply with BIPA for biometric data collected from employees, unless the data collection is specifically protected under HIPAA.
- Retailers and service providers: Businesses that use biometric data for customer identification or personalized services.
- Financial institutions: Banks and other financial services that employ biometric data for customer authentication.
The key requirements of BIPA for private entities
Entities that fall under BIPA's jurisdiction must:
- Obtain written consent from individuals before collecting, capturing, or storing their biometric identifiers, such as fingerprints or facial geometry.
- Inform individuals in writing about the specific purpose and duration for which their biometric data will be used and stored.
- Publicly disclose a written policy with a retention schedule and guidelines for permanently destroying biometric data, requiring destruction once the purpose of collection has been satisfied or within three years of the individual's last interaction with the entity, whichever comes first.
- Not sell, lease, trade, or profit from individuals' biometric information.
- Protect and store biometric data with at least the same level of care and security as they would other confidential and sensitive information, ensuring its safety from unauthorized access or use.
FAQs
What is HIPAA?
HIPAA, the Health Insurance Portability and Accountability Act, is designed to protect patients' medical records and other patient data by establishing data privacy and security provisions.
How does BIPA define a biometric identifier?
BIPA defines a biometric identifier as any personal feature used to identify an individual, including fingerprints, retina scans, and facial geometry.
How does HIPAA define PHI?
HIPAA defines protected health information (PHI) as any information about health status, healthcare provision, or healthcare payment that can be linked to an individual.