Protecting Biometrics Identifiers

By Ronald L. Scott

Texas law now protects the confidentiality of an individual's biometric information by restricting the collection, sale, lease, or disclosure of it. In passing House Bill 678, the Legislature recognized that many transactions that now require a password or some other form of identification would utilize biometric technology in the future.

Security systems use biometrics to identify an individual user by her or his fingerprint, iris, voice, retina, face, or hand geometry. Law enforcement uses biometrics systems for identification. Identification is labor intensive since these systems must compare an individual sample with all possible candidates. Verification systems are simpler. The software looks up the template related to a user name and compares the new sample against the template to determine whether a match exists. Such systems are already being used in biometrics automated teller machines (ATMs) and would be appropriate for most health care applications.

A Florida hospital already uses a system allowing doctors to access the hospital's electronic health care data via a finger-scanning biometrics security system. Such a system is more secure than one using passwords that can be guessed or stolen. A scanner can capture a fingerprint, or a camera can capture the image of an iris. Some ATMs already use iris or fingerprint scans to prevent fraud in monetary transactions. The technology holds even more potential for healthcare. Physicians are notorious for giving out their passwords to secretaries, nurses, and other support staff. It would be impossible for a physician to loan her finger or iris, so a biometrics system ensures the accuracy of medical records by limiting and identifying those who access and alter them. The systems are becoming less expensive. A fingerprint scanning system costs less than $300 per workstation, down from $2,000 only a few years ago.

Biometrics technology may be used for patient registration and identification to ensure that medical records are properly associated with each patient. A children's health care project in Florida has adopted another approach using iris scan technology. Authorized health care providers have access to children's Internet-based medical records. Using the iris scan technology, providers can identify a child and link to the appropriate medical record, even if the child cannot communicate.

The new Texas law (Section 35.50 of the Business & Commerce Code) provides that a person may not capture a biometric identifier of an individual for a commercial purpose unless the person first informs the individual and then receives the individual's consent to capture the biometric identifier. Also, any person who possesses a biometric identifier of an individual may not sell, lease, or otherwise disclose it to another person unless the individual first consents to the disclosure (or the disclosure completes a financial transaction authorized by the individual). There are also exceptions allowing disclosure for law enforcement purposes and when required by a federal statute. The law requires a person possessing a biometric identifier to protect the identifier in the same manner as the person protects other confidential information. Violation of the law can result in a civil penalty of up to $25,000 per violation.

Except for the penalty provisions, governmental bodies that possess biometric identifiers are subject to similar restrictions on use and disclosure. See Title V, Texas Government Code, Chapter 559. Texas shows foresight in protecting biometrics information before the technology becomes widespread.