A recent battle over privacy was decided in favor of the little guy. What does this mean for HIPAA, the Health Information Portability and Accountability Act? We believe privacy still matters, and we have written about this before. When privacy wins, we pay attention, and we want our readers to know.
Privacy has been eroded in recent years as the internet has come to carry most of what we do every day: communication with family and friends, social media, shopping, news, and healthcare. But people still care about privacy. We use the internet, but we don’t want to give up our privacy.
Facebook Used Biometric Data Without Consent
The latest battle was a class action lawsuit, where millions of regular people, Facebook users in Illinois, got a settlement and will be paid for Facebook’s breach of their privacy under Illinois law.
Facebook just agreed to pay $650 million to settle a class action lawsuit based on a 2008 privacy law in Illinois, the Biometric Information Privacy Act (BIPA). NOTE: as of today, the judge in the case has not yet approved the settlement – this blog will be updated when the court decides. It’s a huge amount of money, even for a class action, and in this case, the size of the class (the people included in the lawsuit against Facebook) is limited; only people who used Facebook in Illinois between June 7, 2011 and September 3, 2019 are included. It’s estimated that users in Illinois will be paid between $200 and $400 each.
Biometrics is the measurement and analysis of unique physical or behavioral characteristics to digitally verify an individual’s identity. Common examples include fingerprints, voice, facial photographs, retinal scans, and DNA.
In the lawsuit, Facebook was accused of “secretly amass[ing] the world’s largest privately held database of consumer biometrics data,” specifically facial data used to identify people’s faces in user-uploaded photographs. The lawsuit alleged that Facebook’s computers analyzed biometric data in users’ faces in order to identify them in any photos later uploaded to Facebook.
The Illinois law requires companies to get written consent before collecting biometric data and to notify customers about how long their information will be kept. The lawsuit alleged that this “is precisely what Facebook did not do when it rolled out its facial recognition program.”
Illinois Law Does Not Protect People Living in Other States – Facebook’s Terms of Service Protect Facebook
The Biometric Information Privacy Act in Illinois is unusually strong: in order to store and use an individual’s biometric information, a company must notify the individual and obtain their express consent. So Facebook’s “Terms of Service”, the contract all Facebook users agree to when they sign up, did NOT protect Facebook. In most states, Facebook’s Terms of Service, the legal contract with users, allow it to collect and use information like this.
Facebook’s Terms of Service are written to protect Facebook, and a theme is that the user is responsible for all content posted on a Facebook product created by the user. However, users grant Facebook a “non-exclusive, transferable, sub-licensable, royalty-free, and worldwide license” to the content. It is unlikely that many Facebook users actually read or keep up to date with the contract they have with Facebook, but to protect privacy, users should read them.
Biometric Information is Private and Protected by HIPAA
Biometric information is the most intimate and private kind of information individuals possess. It’s not changeable, the way a social security number, address, or even a name might be. It is part of a person, physically and biologically.
Under HIPAA, a piece of biometric information, if connected to the past, present or future provision of healthcare, or to payment for healthcare, would be considered Protected Health Information (PHI) and must be protected just like a name, address, patient ID number, etc. So covered entities and business associates should be aware that any biometrics they collect must be protected the same way all other patient information is.
Medical Identity Theft
The Illinois legislature’s purpose in passing BIPA was to reduce the risk of identity theft:
“Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.” (740 ILCS 14/5, Sec. 5, Legislative findings; intent)
Medical identity theft is the fastest-growing form of identity theft in the United States. The U.S. Department of Health and Human Services Office of Inspector General says only two things are necessary to steal a patient’s medical identity: the identity of the patient and the identity of the provider.
Protection of Biometric Privacy is Growing
Although Illinois’ law, BIPA, is one of the first in the United States to expressly protect biometric privacy, other laws recognize biometrics. The EU’s General Data Protection Regulation (GDPR) protects biometric information, as does the California Consumer Privacy Act (CCPA). Texas and Washington have laws protecting biometric privacy, and other states have amended their existing privacy laws to add biometrics to the definition of “personal information”.
The $650 million settlement against Facebook will likely encourage other class action lawsuits to protect individuals’ privacy. The Texas Attorney General is reportedly looking at similar issues that the Illinois case raised, in relation to Texas law.
In Healthcare, Follow HIPAA
Not only do you need to follow HIPAA to pass audits and investigations by the Office for Civil Rights (OCR), the agency that enforces HIPAA, but lawsuits are also a growing threat when patients’ privacy rights are violated. Lawyers are getting creative to fill the gap where OCR may not reach.
The HIPAA E-Tool® is the most comprehensive and up to date HIPAA compliance tool available – we stay on top of privacy and security law so you don’t have to.