Legal consequences abound at every corner in healthcare. Each month this blog discusses examples of what those consequences can be.
The March 2016 issue of the Journal of AHIMA includes an article titled “Smile, You’re on Facial Recognition.” While acknowledging privacy concerns, the article concludes that facial recognition technology can prevent medical identity theft, facilitate early medical intervention, and improve the collection and management of patient information. Those are laudable goals. However, healthcare providers that decide to implement facial recognition technology—a form of biometric data—should be aware of potential legal pitfalls. This blog post will address one such pitfall, the Illinois Biometric Privacy Act (BIPA). BIPA is one of three statutory schemes in the United States (the others being in the states of Texas and Washington) which regulate the collection and use of biometric information. Other states are considering similar legislation.
BIPA defines biometric information to be:
“any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.”
BIPA requires both a retention schedule and destruction guidelines:
“A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines.”
BIPA also provides, among other things, that:
“[n]o private entity may collect… a person’s or a customer’s… biometric information, unless it first:
- informs the subject… in writing that… biometric information is being collected or stored;
- informs the subject… in writing of the specific purpose and length of the term for which… biometric identification is being collected, stored, and used; and
- receives a written release executed by the subject of the… biometric information…”
BIPA also authorizes a private cause of action and entitles a prevailing party to statutory damages.
This last provision has spawned litigation in Illinois and other states brought by and on behalf of individuals who have alleged that their biometric information has been collected, stored, or used in violation of BIPA. These cases appear to be in preliminary stages and the courts are divided on whether a “mere” violation of BIPA is sufficient to confer a cognizable injury.
BIPA and the litigation arising out of it are cautionary tales for healthcare providers looking into collection, storage, and use of any biometric information, including facial characteristics. Biometric information may be extremely useful. However, reliance on biometric information must take into account the controlling law of the states.
Editor’s Note: The views expressed in this column are those of the author alone and should not be interpreted otherwise or as legal advice.