The Illinois Biometric Information Privacy Act (BIPA) of 2008 was the first state law in the country to regulate biometric data use. For physicians, the intersection of laws such as BIPA and the federal HIPAA law cannot be overlooked.

Let’s begin with the term “biometric.”

Since various components of personally identifiable information (PII) are inherent in the definition of Protected Health Information (PHI), the HIPAA Privacy Rule applies to the de-identification of PHI. The HIPAA Privacy Rule sets forth two acceptable de-identification methods:

  • expert determination (an expert is utilized to ascertain that an individual could not be identified); and
  • safe harbor (no actual knowledge that PII, including biometrics, can identify an individual).

Satisfying either method demonstrates that the regulation has been met and that the likelihood of exposure is slim. HIPAA includes certain exceptions, such as for law enforcement purposes and the protections afforded to whistleblowers and workforce member crime victims.

It is important to realize that because a biometric falls under the category of PHI, entities must adhere to the Security Rule to ensure that adequate technical, administrative, and physical safeguards are in place to protect the confidentiality, integrity, and availability of the data.

BIPA also requires adequate technical, administrative, and physical safeguards. And it applies to a variety of industries, ranging from healthcare to retail to hospitality to any employer who uses fingerprint technology for timekeeping purposes.

[…]

This is an excerpt.