Security Basics mailing list archives

Re: Biometrics question
From: "Frederick Garbrecht" <fgarbrecht () ecogchair org>
Date: Sun, 10 Nov 2002 09:30:23 -0500

I strongly doubt that biometric information in the form of fingerprints,
retina or iris scans, etc. obtained and stored for the purpose of
authentication would or could be interpreted to constitute patient clinical
information that would require HIPAA compliance.  Although every form of
biometric identification data could contain diagnostic clues to medical
conditions (e.g. fingerprint swirl patterns -> Down's Syndrome; retinal
scans -> diabetic retinopathy and a whole host of other problems), the same
applies to photographs taken for identification purposes.  Many medical
conditions could be inferred from photographs, but headshots are the sine qua
non of human identity verification (leaving aside discussion of DNA
sequencing), and photographs for this purpose are not likely to be
considered HIPAA fodder anytime soon.  This of course would exclude the use
of photographs or other biometric data obtained by a medical practitioner
for purposes of documentation of a medical condition.

If you are in the business of providing healthcare, then you have legitimate
concern about the use of biometric information under HIPAA, but since you
would presumably be storing this data within the context of your network
authentication system for your employees and contractors, and NOT on
patients, HIPAA is not going to be a factor here either.  If this were not
the case, then there would be a serious catch-22 in the way that the HIPAA
rules have been (and are being) written, a la the privacy rule could regulate
storage and use of this information but the security rule (which is not
finalized yet but will probably mandate strong authentication methods) might
lead to irreconcilable conflicts in the implementations of the respective

The HIPAA rules are pretty clear about who and what is regulated.  It may be
painful to read the regs, but it is plainly spelled out, and an
interpretation that biometric authentication methods would violate the regs
is just plain mistaken.

----- Original Message -----
From: "DeGennaro, Gregory" <Gregory_DeGennaro () csaa com>
To: "'Konrad Rzeszutek'" <darnok () 68k org>; <ktyler () nautilus-ins com>
Cc: "Felix Cuello" <felix () qodiga com>; <security-basics () security-focus com>
Sent: Friday, November 08, 2002 12:54 PM
Subject: RE: Biometrics question

Yep ... HIPAA ...

However, if you sign a waiver ... sorry ...


-----Original Message-----
From: Konrad Rzeszutek [mailto:darnok () 68k org]
Sent: Thursday, November 07, 2002 1:25 PM
To: ktyler () nautilus-ins com
Cc: Felix Cuello; security-basics () security-focus com
Subject: Re: Biometric question

And less invasive. Keep in mind that with retina scanner you can scan the
veins in the back of the eye - which touches medical concerns. Based on
your heart-beat you could infer some medical condition and in US touching
without consent anything that has to do with medical history is a big No
