Exercises: Health Data, Genetic Data, and Biometric Privacy

These exercises progress from concept checks to challenging applications. Estimated completion time: 3-4 hours.

Difficulty Guide:
- ⭐ Foundational (5-10 min each)
- ⭐⭐ Intermediate (10-20 min each)
- ⭐⭐⭐ Challenging (20-40 min each)
- ⭐⭐⭐⭐ Advanced/Research (40+ min each)


Part A: Conceptual Understanding ⭐

Test your grasp of core concepts from Chapter 12.

A.1. Section 12.1 describes HIPAA's Privacy Rule and Security Rule. Explain the difference between the two. Which entities are covered by HIPAA, and which are not? Why does the scope of HIPAA create significant gaps in health data protection?

A.2. Define the terms "covered entity" and "business associate" as used under HIPAA. A patient uses a fitness tracking app that syncs heart rate data with their doctor's electronic health record system. Is the app developer a covered entity, a business associate, or neither? Explain your reasoning.

A.3. Section 12.2 distinguishes between genetic data obtained through clinical genetic testing (ordered by a physician) and direct-to-consumer (DTC) genetic testing (such as 23andMe or AncestryDNA). What are the key privacy differences between these two contexts? Which regulatory framework applies to each?

A.4. Explain the Genetic Information Nondiscrimination Act (GINA) of 2008. What does it protect against, and what are its limitations? Identify at least two significant gaps in GINA's coverage.

A.5. Section 12.3 defines biometric data and distinguishes between physiological biometrics (fingerprints, iris patterns, facial geometry) and behavioral biometrics (gait, typing patterns, voice). Why does the chapter argue that biometric data poses unique privacy risks compared to other categories of personal data?

A.6. Explain the Illinois Biometric Information Privacy Act (BIPA) as described in Section 12.3.2. What are its key requirements, and why has it been considered the strongest biometric privacy law in the United States?

A.7. Section 12.1.3 describes VitraMed's first privacy incident. Summarize what happened. Using the concepts from this chapter, identify which legal frameworks applied and which did not — and why the gaps matter.


Part B: Applied Analysis ⭐⭐

Analyze scenarios, arguments, and real-world situations using concepts from Chapter 12.

B.1. Consider the following scenario:

A university health center uses an electronic health records system that stores student medical visits, prescriptions, mental health counseling notes, and immunization records. The health center shares aggregate data (not individual records) with the university's Office of Institutional Research to help identify patterns in student health that may affect retention. A student newspaper requests the aggregate data under a public records request.

Analyze this scenario using the regulatory frameworks from Chapter 12. Does HIPAA apply to the university health center? Does FERPA? Could the aggregate data create re-identification risks (connect to Chapter 10)? What governance measures should be in place?
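The following Python is an added illustration (not part of the chapter or its exercises) of why "aggregate data, not individual records" does not by itself remove re-identification risk. It cross-tabulates a constructed set of visit records by program and visit type, flags small cells, applies primary suppression, and then shows that a single suppressed cell can be recovered by subtracting the visible cells from a published row total, which is why complementary suppression is also needed. The program names, visit types, and the minimum cell size of 5 are assumptions for the example.

```python
from collections import Counter

K_MIN = 5  # assumed minimum cell size; a common public-health reporting threshold

# Constructed student visit records (not real data). Each record is one
# visit to the health center, categorised by academic program and visit type.
VISITS = (
    [{"program": "Nursing", "visit_type": "counseling"}] * 12
    + [{"program": "Nursing", "visit_type": "immunization"}] * 20
    + [{"program": "Nursing", "visit_type": "prescription"}] * 8
    + [{"program": "Physics", "visit_type": "counseling"}] * 1
    + [{"program": "Physics", "visit_type": "immunization"}] * 15
    + [{"program": "Physics", "visit_type": "prescription"}] * 6
)


def aggregate(records, keys=("program", "visit_type")):
    """Cross-tabulate records into {(program, visit_type): count}."""
    return dict(Counter(tuple(r[k] for k in keys) for r in records))


def small_cells(table, k=K_MIN):
    """Cells with fewer than k people: combined with a public enrollment
    list, each one points at a handful of identifiable students."""
    return {cell: n for cell, n in table.items() if n < k}


def primary_suppress(table, k=K_MIN):
    """Replace every count below k with None before release."""
    return {cell: (n if n >= k else None) for cell, n in table.items()}


def row_totals(table):
    """Per-program totals, as a requester might ask for alongside the table."""
    totals = Counter()
    for (program, _), n in table.items():
        totals[program] += n
    return dict(totals)


def _cells_by_row(table):
    by_row = {}
    for (program, visit_type) in table:
        by_row.setdefault(program, []).append((program, visit_type))
    return by_row


def recoverable_by_subtraction(suppressed, totals):
    """A suppressed cell is recoverable when it is the only hidden cell in a
    row whose total is published: total minus the visible cells."""
    found = {}
    for program, cells in _cells_by_row(suppressed).items():
        hidden = [c for c in cells if suppressed[c] is None]
        if len(hidden) == 1 and program in totals:
            visible = sum(suppressed[c] for c in cells if suppressed[c] is not None)
            found[hidden[0]] = totals[program] - visible
    return found


def complementary_suppress(suppressed, table):
    """Also hide the smallest remaining cell in any row with exactly one
    suppressed cell, so subtraction from the row total no longer works."""
    out = dict(suppressed)
    for program, cells in _cells_by_row(out).items():
        hidden = [c for c in cells if out[c] is None]
        if len(hidden) == 1:
            candidates = [c for c in cells if out[c] is not None]
            out[min(candidates, key=lambda c: table[c])] = None
    return out


if __name__ == "__main__":
    table = aggregate(VISITS)
    print("small cells:", small_cells(table))
    released = primary_suppress(table)
    totals = row_totals(table)
    print("recoverable after primary suppression:",
          recoverable_by_subtraction(released, totals))
    safer = complementary_suppress(released, table)
    print("recoverable after complementary suppression:",
          recoverable_by_subtraction(safer, totals))
```

The governance point the exercise is after: a release policy must cover the whole set of tables and totals published together, not each table in isolation, because the newspaper (or anyone else) can combine them.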

B.2. Eli learns that the Detroit Police Department has been using a facial recognition system supplied by a private vendor. The system searches a database of driver's license photos maintained by the Michigan Secretary of State. Eli wants to know:
- (a) Is the collection of facial geometry from driver's license photos governed by any biometric privacy law?
- (b) Does BIPA apply in Michigan?
- (c) What legal protections, if any, exist for people whose faces are searched by the system without their knowledge?

Research and answer each question, drawing on the chapter's discussion of biometric privacy law and the Robert Williams case.

B.3. Mira's father, Vikram, tells her that VitraMed is considering a partnership with a DTC genetic testing company. The genetic company would offer VitraMed's clinic patients discounted genetic testing in exchange for access to the patients' electronic health records (with patient consent). The combined dataset — genetic data plus clinical records — would be used for research on gene-disease correlations.

Analyze this proposal from three perspectives:
- (a) Legal: Which laws apply to each dataset (genetic data, clinical records, combined dataset)? What consent requirements exist?
- (b) Ethical: Even with patient consent, what ethical concerns does this raise? Consider the interests of genetic relatives who did not consent.
- (c) Technical: What privacy-preserving approaches from Chapter 10 could be used to enable the research while limiting risk?

B.4. Section 12.2.3 discusses how law enforcement used GEDmatch to identify the Golden State Killer through familial DNA matching. A distant relative of the suspect had uploaded their DNA profile to GEDmatch, and investigators created a fake profile to search for genetic matches.

Evaluate this use of genetic genealogy databases from three perspectives:
- (a) A victim of the Golden State Killer's crimes
- (b) The distant relative whose DNA profile was used without their knowledge
- (c) A civil liberties attorney

For each perspective, identify the strongest argument for or against this investigative technique.

B.5. A health insurance company proposes using wearable fitness data (steps, heart rate, sleep) to offer "personalized wellness discounts" to customers who share their data. Customers who do not share their data pay the standard premium; customers who share data and meet activity targets receive a 15% discount.

Analyze this program using the frameworks from this chapter:
- (a) Does HIPAA apply to the insurer's use of wearable data?
- (b) Does GINA apply if the wearable detects patterns associated with genetic conditions?
- (c) Is the program meaningfully voluntary?
- (d) What are the distributional effects — who benefits and who is harmed?

B.6. Dr. Adeyemi poses the following question to the class: "If your face is a biometric identifier that can be captured by any camera in any public space, and you cannot change your face the way you can change a password, then does the concept of 'consent' even make sense for facial recognition? Can you consent to something you cannot avoid?"

Write a structured response (200-300 words) engaging with this question. Consider the difference between opt-in consent, opt-out consent, and situations where neither model applies.


Part C: Real-World Application Challenges ⭐⭐-⭐⭐⭐

These exercises ask you to investigate your own data environment and real-world practices.

C.1. ⭐⭐ HIPAA Scope Exercise. Make a list of every entity that holds your health-related data (doctor's office, hospital, pharmacy, health insurance company, fitness app, wellness program, genetic testing service, mental health app, telehealth platform). For each, determine whether it is a HIPAA-covered entity, a business associate, or neither. Which entities holding your most sensitive health data are outside HIPAA's scope?

C.2. ⭐⭐ DTC Genetic Testing Privacy Policies. Visit the privacy policies of two DTC genetic testing companies (e.g., 23andMe, AncestryDNA, MyHeritage). For each, identify: (a) what they do with your genetic data, (b) whether they share data with third parties (and who), (c) what happens to your data if you delete your account, (d) whether they cooperate with law enforcement requests, and (e) what happens to your data if the company is acquired or goes bankrupt. Write a one-page comparison.

C.3. ⭐⭐⭐ Facial Recognition in Your Environment. Spend one day documenting every camera you encounter — on streets, in stores, at your workplace or campus, at transit stations. For each camera, assess: Is it likely equipped with facial recognition? Who operates it? What laws govern its use? Is there a posted privacy notice? Write a one-page reflection on the extent of facial recognition infrastructure in your daily environment and the level of notice you receive.

C.4. ⭐⭐⭐ Biometric Data Inventory. Make a list of every biometric data point you have provided to a device, service, or institution (fingerprint for phone unlock, face scan for device authentication, voice profile for a smart assistant, photo for a driver's license or passport, iris scan at an airport). For each, identify: (a) who holds the data, (b) where it is stored (on-device or in the cloud), (c) what law governs its use, and (d) whether you can delete it. Present your findings in a table and write a paragraph about what you learned.


Part D: Synthesis & Critical Thinking ⭐⭐⭐

These questions require you to integrate multiple concepts from Chapter 12 and think beyond the material presented.

D.1. The chapter identifies three categories of sensitive data — health, genetic, and biometric — each governed by different legal frameworks (HIPAA, GINA, BIPA/state laws). But these categories increasingly overlap: a biometric scan can reveal health conditions (facial analysis can suggest certain genetic disorders), genetic data reveals information about health, and health records increasingly contain biometric identifiers.

Write a 400-500 word analysis of the governance challenges created by this convergence. Should there be a unified framework for all sensitive biological data, or are sector-specific laws preferable? What would a unified framework need to include?

D.2. Section 12.2 raises the problem of genetic relatives. When one person submits their DNA to a genetic testing service, they are also providing information about their siblings, parents, children, and extended family — none of whom consented. This creates a privacy externality that is structurally different from most data privacy problems.

Analyze this externality. How is it similar to and different from the privacy externalities discussed in Chapter 11 (data brokers, breach costs)? Can informed consent ever be meaningful for genetic data when the data subject's decision affects non-consenting relatives? Propose a governance mechanism that addresses this specific problem.

D.3. The Robert Williams case (Section 12.3.3) demonstrates that facial recognition systems have documented accuracy disparities by race and gender, with error rates highest for darker-skinned women. The chapter presents this as both a technical problem (bias in training data) and a structural problem (deployment in contexts where errors lead to arrest and detention).

Consider the following argument: "The solution to biased facial recognition is better facial recognition — more diverse training data, better algorithms, and higher accuracy standards. Once the technology is accurate for everyone, the equity concerns disappear."

Evaluate this argument. Is accuracy the only equity concern? What other issues remain even if the technology becomes perfectly accurate for all demographic groups?

D.4. Mira is troubled by the VitraMed privacy incident. She realizes that the same patient data that could save lives through predictive analytics could also be misused — by insurers, employers, or data brokers. She asks Dr. Adeyemi: "Is there a way to build a health data system that enables research and clinical care while making misuse structurally impossible — not just prohibited by policy, but architecturally prevented?"

Drawing on concepts from Chapters 10, 11, and 12, propose an architectural design for such a system. What Privacy-Enhancing Technologies would you use? What governance structures would be needed? Where would architectural prevention reach its limits, requiring governance to fill the gap?


Part E: Research & Extension ⭐⭐⭐⭐

These are open-ended projects for students seeking deeper engagement. Each requires independent research beyond the textbook.

E.1. The 23andMe Data Question. In October 2023, 23andMe disclosed a data breach affecting approximately 6.9 million users. Subsequently, the company filed for bankruptcy protection in 2024, raising questions about what happens to the genetic data of its 15 million customers. Research this case and write a 1,200-word report covering: (a) what data was compromised in the breach, (b) what happened to user data during the bankruptcy proceedings, (c) the regulatory response, (d) what legal protections exist (and do not exist) for genetic data held by a bankrupt company, and (e) what reforms you would propose.

E.2. Facial Recognition Bans. Several U.S. cities (San Francisco, Oakland, Boston, Portland, Minneapolis) and some international jurisdictions have banned or restricted government use of facial recognition technology. Research these bans and write a report (800-1,200 words) covering: (a) what each ban prohibits and what it permits, (b) the arguments made for and against the bans, (c) whether the bans have been effective, and (d) your assessment of whether a ban is the right policy tool or whether regulation (accuracy standards, audit requirements, use restrictions) is preferable.

E.3. HIPAA Modernization. HIPAA was enacted in 1996, before the advent of smartphones, health apps, wearable devices, genetic testing, and electronic health records. Research proposals to modernize HIPAA and write a report (800-1,200 words) covering: (a) the most significant gaps in HIPAA's current coverage, (b) at least three specific proposals for modernization (from legislators, academics, or advocacy organizations), (c) the political obstacles to HIPAA reform, and (d) your own recommendations for updating the law.

E.4. Biometric Data in the Workplace. Research the use of biometric data in workplace settings — fingerprint time clocks, facial recognition for security access, voice analysis for call center monitoring, keystroke dynamics for employee monitoring. Write a report (1,000-1,500 words) covering: (a) the types of biometric data collected in workplaces, (b) the legal landscape (BIPA and state laws, labor law, EEOC guidance), (c) at least two specific legal cases involving workplace biometric data, and (d) your assessment of whether current legal protections are adequate.


Solutions

Selected solutions are available in appendices/answers-to-selected.md.