Taking a Closer Look: Assessing Biometric Authentication

Taking a Closer Look: Assessing Biometric Authentication

2.12.2024

By Michael O. Fraser

In health care settings, biometric authentication is often used to streamline the patient registration process by minimizing paperwork and improving patient intake to ensure secure, precise health care service delivery.^[1] Notably, Elmhurst Hospital, the Mount Sinai Health System, New York University Langone Health and other hospitals in New York have integrated biometric authentication technologies into their operational protocols. These technologies include fingerprint recognition for patient identification during check-in, facial recognition for mobile apps utilizing face or touch ID, and retina scans for body temperature through scanning sensors.^{[2], [3]}

Scholars have written on the general need for enhanced health care privacy safeguards, the protection of consumer privacy rights and measures against government and corporate surveillance.^[4] This article will assess privacy and technology issues, particularly in the context of biometric authentication within New York hospitals, arguing that a more transparent notice and informed consent procedure could eliminate the need for federal or state legislation.

Challenges in Patient Data Privacy

While biometric technology has many advantages, challenges remain in earning patient trust. Structural inequalities, such as racial and ethnic bias, gender bias and issues of informed consent, raise concerns.[5] Legal scholars and policymakers have also raised questions regarding the use, storage and ethical permissibility of biometric technology use within healthcare settings.[6]

Structural Inequalities

While offering convenience and security, biometric technology has the potential to create racial and ethnic bias through algorithmic prioritization and promoting datasets skewed towards a particular racial group or skin tone. Gender bias may emerge due to design limitations and insensitivities for non-binary individuals who do not conform to traditional gender norms. Furthermore, issues of informed consent can exacerbate these concerns, particularly when individuals from marginalized communities are disproportionately identified. To address biometric challenges, it is essential to prioritize diverse datasets and eliminate algorithmic biases.

Policy Concerns

Tiffany Li, a biometric health law researcher and associate professor of law at the University of San Francisco School of Law, suggests that “rather than blindly giving up our privacy for unknown benefits to public health, we should seek the privacy-preserving methods of achieving our public health goals.”[7] Brenda Leong, an artificial intelligence lawyer in Washington, D.C., bolsters Li’s argument by suggesting that facial recognition and biometric authentication should never be the default. Leong argues these measures should not be part of the standard terms of service or privacy policies because of the error rates in recognition and the public’s lack of trust in the systems or the people running them.[8]

Congressional Initiatives for Biometric Privacy Regulation

Before the pandemic, Congress introduced the Commercial Facial Recognition Privacy Act of 2019, or CFRPA, requiring consent before using biometric tracking on individuals. At the time of this writing, this bill has yet to be enacted. Another bill introduced by Congress, the Facial Recognition and Biometric Technology Moratorium Act of 2021, imposes limits on the use of biometric surveillance by federal, state, and local governments.[9] At the time of this writing, this bill did not receive a vote and thus died in Congress. In addition, Congress introduced the Ethical Use of Facial Recognition Act to establish a congressional commission that recommends rules governing the use and limitations of biometrics on both government and commercial use of such technology.[10]

While these bills have been introduced, they have not been approved. Instead, the Department of Health and Human Services, Office of the Inspector General and the National Institute of Standards and Technology have provided comprehensive guidelines on various aspects of biometric technology, cybersecurity and privacy that hospitals can look to for guidance.

A Comparative Analysis of Biometric Use in the EU, US and New York

Biometric Use in the European Union

It is worth considering valuable insights embraced by the European Union’s General Data Protection Regulation.[11] This regulation not only unifies data privacy rules across all 27 EU member countries, it also extends its jurisdiction to non-EU entities conducting business within the EU, thereby ensuring the strict applicability of the regulation.^[12] Embracing a similar approach in the US could serve as a robust model for a universally applicable biometric data protection framework. Such a framework would prioritize individuals’ rights and privacy, regardless of their location or the entities involved in data processing, thus fostering trust and enhancing data security.

A National Use Case

The Health Insurance Portability and Accountability Act is a comprehensive framework for safeguarding the privacy and security of health information within the United States. However, its applicability to biometric data is subject to debate. While crucial for healthcare data privacy, HIPAA’s scope is primarily directed at protected health information held by covered entities, which may not fully encompass the unique challenges associated with biometric data.^[13] Biometric information, introduces distinctive complexities, including difficulties in effective de-identification, heightened risks of data breaches and a lack of specific consent requirements. Unlike traditional health data, biometric information may not always be directly linked to an individual’s health condition, posing potential privacy gaps.^[14] Consequently, there is a need for a more tailored regulatory framework to address the distinct characteristics and risks posed by this type of sensitive information.^[15] Illinois, Texas, Washington and other states have enacted their own privacy laws where private entities must notify individuals that their biometric information is being collected and destroy the data within a specific timeframe. ^{[16], [17]}

The best way to see how such regulation might work in practice on a federal level is to look at Illinois’s Biometric Information Privacy Act.^[18] Often referenced as a potential federal data privacy law model, Illinois’s law is the only state law requiring both notice and signed consent from the person whose biometrics will be collected. Moreover, the act outlines the specific purpose and length of term for collecting, storing and using the data.^[19] Under this law, if a private entity fails to comply with one of the statutory requirements, it is considered an infringement on the rights of the individuals whose biometric information is involved.^[20] Those aggrieved by such violations have a right of action in a state court or as a supplemental claim in federal district court against the entity responsible.

New York’s Approach to Biometric Authentication

In 2021, the New York City Council enacted provisions in the city’s Administrative Code to address inquiries about the use of biometric technology in local businesses.^[21] For businesses operating in the city, New York City’s biometric law requires that commercial establishments post a “clear and conspicuous” sign near the customer entrances prior to collecting biometric information; prohibits the sale of this data without the customer’s consent; and is enforced through a private right of action, with statutory damages of $500 for each negligent violation and $5,000 for each intentional violation.^[22]

On one end, the local law protects citizens by making it unlawful to profit from biometric data. It creates a private right of action for aggrieved individuals to sue for violations. On the other end, the New York City biometric law applies explicitly to “commercial establishments” encompassing retail stores, places of entertainment and restaurants.

A New Approach to Biometric Authentication in New York

Under the New York Privacy Act, enacted in 2023, companies are now required to disclose their methods of de-identifying personal information, place special safeguards around data sharing and allow consumers to obtain the names of all entities with whom their information is shared.^[23] The New York Privacy Act allows New Yorkers to have more control over their data and digital privacy.

Moreover, it explicitly addresses what is permissible for covered entities like hospitals. One legal issue that New York lawmakers may not have redressed is the notice and signed consent needed from the person whose biometrics will be collected. Suppose patients are provided with information regarding the collection and storage of their data and the ability to opt out. In that case, these procedures can potentially equip patients with the tools to make well-informed decisions concerning their health and the handling of their biometric data.

Conclusion

When shaping future biometric legislation, we must shift to a framework centered around notice and the ability to opt out. This framework should prioritize informing consumers and patients about the retention, storage and sharing of biometric data. For HIPAA-regulated entities in New York contemplating the adoption of facial recognition technology, compliance with Privacy, Security, and Breach Notification Rules requirements should be a top compliance priority and included in all risk assessments. These entities are urged to assess the anticipated benefits against biometrics’ privacy risks.

Michael O. Fraser is an assistant law clerk at the New York State Supreme Court, Appellate Division, First Department. Before pursuing a legal education, he worked as a digital health project manager at the District of Columbia’s Medicaid agency.

This article appears in the Health Law Journal (2024, vol. 29, no. 1), the publication of NYSBA’s Health Law Section. For more information, visit NYSBA.ORG/HEALTH.

[1] Valerie McCleary, Smile, You’re on Facial Recognition Developing Technology Could Solve Patient Identification Issues, American Health Information Management Association: HIM Body of Knowledge, March 6, 2022.

[2] Cheryl L. Brown, Health-Care Data Protection and Biometric Authentication Policies: Comparative Culture and Technology Acceptance in China and in the United States, 29 Review of Policy Research 141, 159 (2012).

[3] Stanley Goodner, What Are Biometrics?: How This Measurement Technology Is Part of Your Life, Lifewire, Oct. 10, 2021, https://www.lifewire.com/biometrics-4154702.

[4] Tiffany C. Li, Privacy in Pandemic: Law, Technology, and Public Health in the Covid-19 Crisis, 52 Loy. U. Chi. L.J. 767 (2021).

[5] “Structural inequality is defined as a condition where one category of people are [sic] attributed an unequal status in relation to other categories of people.” Structural Inequalities, United Nations Economic and Social Commission for Western Asia, https://archive.unescwa.org/structural-inequalities.

[6] Li, supra note 4, at 767.

[7] Tiffany C. Li, Privacy in Pandemic: Law, Technology, and Public Health in the Covid-19 Crisis, 52 Loy. U. Chi. L.J. 767 (2021)Id.

[8] Thorin Klosowski, Facial Recognition Is Everywhere. Here’s What We Can Do About It, N.Y. Times, May 13, 2022, https://www.nytimes.com/wirecutter/blog/how-facial-recognition-works.

[9] H.R.3907, 117th Cong. (2021).

[10] S.3284, 116th Cong. (2020).

[11] See 2018 Reform of EU Data Protection Rules, European Commission, 2018, https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules.

12. See Data Protection Act, 2018, c. 12 (U.K.).
13. Ashley Huddleston, and Ronald Hedges Liability for Health Care Providers Under HIPAA and State Privacy Laws, Seton Hall Law R., 51:5, Article 7 (2021), https://scholarship.shu.edu/shlr/vol51/iss5/7.

[14]. Tracking U.S. State Biometric Privacy Legislation, Husch Blackwell, June 20, 2023, https://www.huschblackwell.com/2023-state-biometric-privacy-law-tracker.

15. New York City Bar, Committee Report Power, Pervasiveness and Potential: The Brave New World of Facial Recognition Through a Criminal Law Lens (and Beyond) (2020).
16. Jason B. Binimow, State Statutes Regulating Collection or Disclosure of Consumer Biometric or Genetic Information, 41 Am. Law Reports 7th 4 § 2 (2019).
17. Aaron Charfoos et al., Another New Biometric Privacy Law as New York City Law Becomes Effective, Paul Hastings, July 6, 2021, https://www.paulhastings.com/insights/ph-privacy/another-new-biometric-privacy-law-as-new-york-city-law-becomes-effective.
18. Ill. Comp. Stat. Ann. § 740 14/10.
19. Id.
20. Rosenbach v. Six Flags Ent. Corp., 129 N.E.3d 1197 (Ill. Sup. Ct. 2019).
21. N.Y.C. Admin Code §§ 22-1201–1205.
22. Id.
23. S365– The New York Privacy Act.