HIPAA and Biometrics: What Counts as PHI and How to Stay Compliant



Kevin Henry

HIPAA

March 06, 2026


Definition of Protected Health Information

Under the HIPAA Privacy Rule, Protected Health Information (PHI) is individually identifiable health information created or received by a covered entity or its business associate that relates to a person’s health status, care, or payment. If the data identifies the individual—or could reasonably identify them—it is PHI, regardless of whether it is electronic, paper, or oral.

De-identified data that meets HIPAA’s De-Identification Standards falls outside the Privacy Rule. However, “limited data sets” remain PHI and require data use agreements even though some direct identifiers are removed.

What makes information PHI

  • It is handled by a covered entity or business associate in connection with care, operations, or payment.
  • It identifies an individual directly or indirectly through a reasonable linkability risk.
  • It contains health context, such as diagnosis, treatment, benefits eligibility, or billing details.

Where biometrics appear in healthcare

  • Patient matching at registration or check-in kiosks.
  • Voiceprint authentication for portals or call centers.
  • Palm, fingerprint, or facial scans to access areas where ePHI is used.
  • Telehealth apps that capture facial images or voice for identity assurance.

Biometric Data as a HIPAA Identifier

HIPAA treats certain Biometric Identifiers as direct identifiers for de-identification purposes. Explicit examples include “finger and voice prints,” and HIPAA also lists “full-face photographic images and comparable images” as identifiers. When such data is created, received, maintained, or transmitted by a regulated entity in a health context, it becomes PHI.

Biometric templates and embeddings can also function as identifiers if they enable or assist in uniquely recognizing a person. The context matters: the same template may be PHI in a hospital’s patient index but not PHI in a stand-alone consumer app that has no link to care or payment.

Examples that are PHI

  • A voiceprint used to authenticate a patient before releasing lab results.
  • A palm-vein template tied to a medical record number for patient matching.
  • Facial images captured during telehealth intake linked to encounter data.

Borderline examples

  • Workforce building-access biometrics not connected to patient records are generally not PHI, though they are still sensitive.
  • Consumer wearables collecting biometrics outside any HIPAA relationship are typically outside HIPAA, but other privacy laws can apply.

De-Identification Methods for Biometric Data

HIPAA provides two De-Identification Standards: Safe Harbor and Expert Determination. Safe Harbor requires removing all 18 listed identifiers, including biometric identifiers and full-face images, and the covered entity must have no actual knowledge that the remaining information could identify the person. Expert Determination requires a qualified expert to document that the risk of re-identification is very small given the applied controls.

Because biometric features are highly distinguishing, Safe Harbor in practice means excluding them entirely from released data. If you must retain biometric-derived signals, Expert Determination is the practical path, combined with rigorous safeguards.

Applying Safe Harbor to biometrics

  • Do not include fingerprint or voiceprint data, full-face photos, or comparable images in de-identified releases.
  • Strip device IDs, account IDs, precise timestamps, and geolocation that could re-link individuals.
  • Remove internal codes that could be used to re-identify without a key.

Using Expert Determination

  • Transform raw biometrics into non-reversible, “cancellable” templates; separate any transformation keys.
  • Quantize or otherwise reduce template fidelity to lower uniqueness while preserving utility.
  • Assess linkage risk across datasets; enforce contractual and technical controls to prevent re-matching.
  • Document the expert’s methodology, risk thresholds, assumptions, and release conditions.
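As an added illustration of the transform-and-quantize steps above and of keeping the transformation key in separate storage (example code, not from the article), a BioHashing-style cancellable template: a per-subject key seeds a random projection of the feature vector, and only the sign of each projection is kept. The feature vectors, keys and match threshold are constructed for the example; a real deployment takes the features from a biometric extractor and the key from a key store.

```python
import hashlib
import hmac
import random

N_BITS = 64            # template length after 1-bit quantization
MATCH_THRESHOLD = 0.2  # max fraction of differing bits still accepted as a match

def keyed_projection(key: bytes, dim: int, n_bits: int = N_BITS):
    """Derive a pseudo-random projection matrix from a per-subject key.
    The key is the transformation key that lives in separate storage; without
    it a leaked template cannot be regenerated from a fresh capture."""
    digest = hmac.new(key, b"cancellable-template-v1", hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(digest, "big"))
    return [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(n_bits)]

def cancellable_template(features, key: bytes, n_bits: int = N_BITS) -> int:
    """Project the feature vector with the keyed matrix and keep only the sign
    of each projection. Magnitudes are discarded, so the bit string alone does
    not reconstruct the original features."""
    template = 0
    for row in keyed_projection(key, len(features), n_bits):
        dot = sum(w * x for w, x in zip(row, features))
        template = (template << 1) | (1 if dot >= 0 else 0)
    return template

def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")

def matches(t1: int, t2: int, n_bits: int = N_BITS) -> bool:
    return hamming(t1, t2) / n_bits <= MATCH_THRESHOLD

# Constructed 16-dimensional feature vectors standing in for a real extractor's
# output (for example a palm-vein encoder); the numbers are illustrative only.
ENROLLED = [0.9, -1.2, 0.4, 1.1, -0.7, 0.3, -1.5, 0.8, 1.3, -0.2, 0.6, -1.0, 0.5, 1.4, -0.9, 0.2]
RECAPTURE = [x + (0.03 if i % 2 == 0 else -0.02) for i, x in enumerate(ENROLLED)]  # same person, sensor noise
IMPOSTOR = [-0.6, 0.8, 1.3, -0.4, 0.9, -1.1, 0.2, -1.3, 0.5, 1.0, -0.8, 0.7, -1.4, -0.3, 1.2, -0.5]
KEY_V1 = b"constructed-subject-key-v1"  # in practice a random key from the separate key store
KEY_V2 = b"constructed-subject-key-v2"  # key re-issued after the v1 template is compromised

def demo() -> dict:
    enrolled = cancellable_template(ENROLLED, KEY_V1)
    return {
        "genuine_match": matches(enrolled, cancellable_template(RECAPTURE, KEY_V1)),
        "impostor_match": matches(enrolled, cancellable_template(IMPOSTOR, KEY_V1)),
        # Re-keying gives an unrelated template, so the leaked v1 template is revoked.
        "old_vs_reissued_match": matches(enrolled, cancellable_template(ENROLLED, KEY_V2)),
    }
```

Cancellability is the property the last entry shows: if the template store leaks, re-enrolling under a new key invalidates the old templates without the subject losing the biometric itself.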

Limited Data Set vs. de-identified data

  • A Limited Data Set removes direct identifiers but may keep elements like dates or regions; it remains PHI and requires a Data Use Agreement.
  • De-identified data meeting HIPAA standards is no longer PHI; ongoing risk monitoring is still prudent for biometric-derived elements.

Operational safeguards

  • Minimize retention of raw images and audio; prefer on-device extraction and immediate template disposal.
  • Use separate storage for templates and any identity keys; tightly control re-linkage capability.
  • Perform periodic re-identification risk testing on biometric fields.

Compliance with HIPAA Security Rule

The HIPAA Security Rule requires administrative, physical, and technical safeguards for ePHI. Biometric PHI introduces additional risks, such as spoofing, replay, and irrevocability if compromised, so security design must be defense-in-depth.

Start with an enterprise risk analysis, identify where biometric PHI is created and flows, then implement role-based access and continuous monitoring aligned to risk.


Administrative safeguards

  • Policies for enrollment, verification, retention, and deletion of biometric PHI.
  • Workforce training on spoofing risks and acceptable use.
  • Vendor due diligence and Business Associate Agreements for any service handling PHI.
  • Contingency planning for outages and fallback authentication methods.

Physical safeguards

  • Secure capture devices; prevent tampering and tailgating in controlled areas.
  • Locked rooms and cabinets for biometric servers and backups.
  • Media re-use and disposal procedures for sensors and storage.

Technical safeguards

  • Unique user IDs, MFA, and “break-glass” controls with enhanced auditing.
  • Encryption in transit and at rest, with strong key management and rotation.
  • Audit controls that capture enrollment, match attempts, failures, and administrative actions.
  • Integrity and anti-spoofing controls (liveness detection, challenge-response, replay protections).
  • Network segmentation and least-privilege service design for biometric processing services.

Incident response and monitoring

  • Detect anomalous match rates, mass template access, or unusual export behavior.
  • Test incident response and breach notification procedures for biometric PHI scenarios.

State-Specific Biometric Data Legislation

State Biometric Privacy Laws can add stricter duties beyond HIPAA and may apply even when HIPAA does not. HIPAA generally preempts conflicting state laws, but more protective state provisions typically govern.

If you operate across states, build a baseline program and layer state-specific requirements for notice, consent, retention schedules, and private rights of action.

Illinois (BIPA)

  • Written notice of purpose and retention; written consent before collection.
  • Public retention and deletion schedule; prohibit sale and restrict disclosure.
  • Private right of action with significant statutory damages drives strong compliance incentives.

Texas (CUBI)

  • Notice and consent before capture; prohibit sale and limit disclosure.
  • Reasonable security and deletion within a defined period after purpose ends.
  • Enforced by the state attorney general.

Washington

  • Notice and purpose limitation for commercial enrollment of biometric identifiers.
  • Reasonable security, restricted disclosure, and retention controls.
  • Attorney general enforcement; no general private right of action.

California (CPRA)

  • Biometric information is “sensitive personal information” with disclosure, purpose-limitation, and consumer rights obligations.
  • Contracts with service providers to control use; opt-out of certain sharing and profiling.

Other states

  • Several comprehensive privacy laws (for example, in Colorado, Connecticut, Virginia, Oregon, Utah, and others) treat biometrics as sensitive data, often requiring consent and purpose limits.
  • Align HIPAA programs with these frameworks to streamline multi-jurisdiction compliance.

Multi-state action tips

  • Map biometric data flows and maintain a single retention/deletion standard meeting the strictest state rule.
  • Use layered notices and explicit consent where required; record consent provenance.
  • Harden vendor contracts with data minimization, subprocessor controls, and audit rights.

Handling Biometric Data in Tracking Technologies

Tracking pixels, SDKs, cookies, and session replay tools can collect identifiers like IP addresses, device IDs, and page context. When a regulated entity’s tracking reveals that an identifiable person sought or received care, those signals can constitute PHI.

Treat analytics on authenticated portals, appointment scheduling, refill flows, and symptom or condition pages as high risk. Avoid transmitting PHI to third parties that will not sign Business Associate Agreements.

What to avoid

  • Third-party advertising pixels on patient portals or forms collecting medical details.
  • Sending granular URLs, search terms, or form fields that reference conditions or treatments.
  • Cross-site tracking or retargeting based on visits to care-related pages.

Safer patterns

  • Server-side tagging with strict allowlists and PHI redaction.
  • On-premise or BAA-backed analytics with IP truncation and data minimization.
  • Contextual triggers to disable tracking on PHI pages or flows.
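The three safer patterns above as one server-side redaction step, added here as an example (not code from the article or any vendor): events from PHI flows are dropped outright, only allowlisted fields are forwarded, the URL is reduced to its path, and the client IP is truncated. The path prefixes, field allowlist and sample events are constructed assumptions.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Flows the page calls high risk: events from these paths are dropped before
# they can reach any analytics vendor (the "contextual trigger").
PHI_PATH_PREFIXES = ("/portal/", "/appointments/", "/refill/", "/conditions/")
# Strict allowlist: only these fields are forwarded; form fields, search terms
# and custom dimensions never leave the server.
ALLOWED_FIELDS = {"event", "user_agent"}

def truncate_ip(ip: str) -> str:
    """Zero the host part (IPv4 /24, IPv6 /48) so the address no longer pins down one device."""
    addr = ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ip_network(f"{addr}/{prefix}", strict=False).network_address)

def sanitize_event(event: dict):
    """Return the redacted event to forward server-side, or None to drop it entirely."""
    parts = urlsplit(event.get("url", ""))
    if parts.path.startswith(PHI_PATH_PREFIXES):
        return None
    out = {k: v for k, v in event.items() if k in ALLOWED_FIELDS}
    out["path"] = parts.path  # query string and fragment may carry search terms or form state
    if "ip" in event:
        out["ip"] = truncate_ip(event["ip"])
    return out

# Constructed sample events as a client-side tag might post them; not real traffic.
SAMPLE_EVENTS = [
    {"event": "page_view", "url": "https://example-health.test/locations?q=diabetes+clinic#map",
     "ip": "203.0.113.77", "user_agent": "Mozilla/5.0", "search": "diabetes clinic"},
    {"event": "page_view", "url": "https://example-health.test/portal/results/lab/8841",
     "ip": "2001:db8:abcd:1234::1", "user_agent": "Mozilla/5.0"},
    {"event": "form_submit", "url": "https://example-health.test/appointments/new",
     "ip": "198.51.100.9", "form": {"reason": "chest pain"}},
]

def process(events):
    """Apply the redaction to a batch; returns only the events safe to forward."""
    return [e for e in (sanitize_event(ev) for ev in events) if e is not None]
```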

Vendor management

  • Execute Business Associate Agreements where PHI may flow; otherwise block PHI at the source.
  • Review SDK/pixel behavior regularly; verify no unauthorized data egress.

Minimum Necessary Standard for Biometric PHI

The minimum necessary standard under the HIPAA Privacy Rule requires you to limit uses, disclosures, and requests for PHI to what is needed to accomplish the task. For biometric PHI, design systems so the template—not the person’s identity—is what most processes see.

Collect only what you need for a clear purpose, and keep that purpose narrow. The less you store, link, and share, the lower your compliance and security risk.

Design for minimum necessary

  • Role-based access so only specific services can read or match templates.
  • Tokenize identifiers and separate identity keys from biometric data.
  • Prefer on-device or edge matching; avoid central storage when possible.

Retention and deletion

  • Adopt a written retention schedule; delete templates when the purpose ends.
  • Use verifiable deletion methods and track disposition events.

Access and monitoring

  • Log every enrollment, match, export, and admin action; review routinely.
  • Set alerts for anomalous access or excessive match failures.
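The detection rules from the "Incident response and monitoring" and "Access and monitoring" lists, as an added Python example that is not part of the article: excessive match failures by one actor, mass template access or export, and an anomalous fleet-wide failure rate, evaluated over constructed JSON-lines audit records. Event names, thresholds and the window size are assumptions to be tuned to a real deployment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MAX_FAILURES = 5           # match failures by one actor inside WINDOW before alerting
MAX_TEMPLATE_READS = 20    # template reads/exports by one actor inside WINDOW
MAX_FLEET_FAIL_RATE = 0.3  # overall failure fraction that suggests spoofing or a bad sensor

# Constructed JSON-lines audit records in the shape the page's logging guidance
# implies (who did what to which record, when); none of this is real data.
BASE = datetime(2026, 3, 6, 9, 0, 0)
def _rec(offset_s, actor, event, subject):
    return json.dumps({"ts": (BASE + timedelta(seconds=offset_s)).isoformat(),
                       "actor": actor, "event": event, "subject": subject})
AUDIT_LOG = (
    [_rec(60 * i, "kiosk-01", "match_ok", f"MRN-{1000 + i}") for i in range(12)]      # normal check-ins
    + [_rec(1800 + 45 * i, "kiosk-07", "match_fail", "MRN-2042") for i in range(6)]  # 6 failures in 4 min
    + [_rec(3600 + 12 * i, "svc-report", "template_read", f"MRN-{3000 + i}") for i in range(25)]  # bulk read
    + [_rec(5400, "admin-jlee", "export", "MRN-2042")]                                 # one export, under threshold
)

def window_exceeds(times, limit, window=WINDOW):
    # True if at least `limit` timestamps fall inside some sliding window of length `window`.
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= limit:
            return True
    return False

def detect(lines):
    """Return (alert_type, detail) tuples for the three behaviours the page lists."""
    fails, reads = defaultdict(list), defaultdict(list)
    attempts = failures = 0
    for line in lines:
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"])
        if rec["event"] == "match_fail":
            fails[rec["actor"]].append(ts)
            attempts += 1
            failures += 1
        elif rec["event"] == "match_ok":
            attempts += 1
        elif rec["event"] in ("template_read", "export"):
            reads[rec["actor"]].append(ts)
    alerts = [("excessive_match_failures", a) for a, ts in fails.items() if window_exceeds(ts, MAX_FAILURES)]
    alerts += [("mass_template_access", a) for a, ts in reads.items() if window_exceeds(ts, MAX_TEMPLATE_READS)]
    if attempts and failures / attempts > MAX_FLEET_FAIL_RATE:
        alerts.append(("anomalous_fleet_failure_rate", f"{failures / attempts:.2f}"))
    return alerts
```

On the constructed log this raises one alert per rule: the kiosk with six failures against a single record, the service account that read 25 templates in under five minutes, and a fleet failure rate of 0.33.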

In short, align biometric collection with De-Identification Standards where feasible, harden systems under the HIPAA Security Rule, and apply the minimum necessary principle. These practices keep HIPAA and biometrics in harmony while supporting secure, patient-centered workflows.

FAQs

What biometric data is considered PHI under HIPAA?

Biometric data becomes PHI when a regulated entity creates or uses it in a health context and it can identify the person. HIPAA explicitly treats “biometric identifiers, including finger and voice prints,” and “full-face photographic images and comparable images” as identifiers. Templates that enable recognition can also function as identifiers when linked to care or payment.

How can biometric data be properly de-identified?

Use HIPAA’s Safe Harbor by excluding biometric identifiers and full-face images entirely, or pursue Expert Determination to retain transformed, non-reversible templates with a documented very small re-identification risk. Apply template protection, minimize metadata, separate any keys, and contractually and technically prevent re-linkage.

What are the key HIPAA rules governing biometric information?

The HIPAA Privacy Rule defines what counts as PHI and enforces the minimum necessary standard. The HIPAA Security Rule requires administrative, physical, and technical safeguards for ePHI, including risk analysis, access control, encryption, and audit controls. Business Associate Agreements are required for vendors that create, receive, maintain, or transmit biometric PHI.

Are there specific state laws affecting biometric data privacy?

Yes. Illinois BIPA, Texas CUBI, and Washington’s biometric statute impose consent, retention, and disclosure limits, with BIPA enabling private lawsuits. California’s CPRA treats biometrics as sensitive personal information, and several other states regulate biometrics within comprehensive privacy laws. State rules can be stricter than HIPAA, so align programs to the most protective standard you face.
