Further Reading: Health Data, Genetic Data, and Biometric Privacy
The sources below provide deeper engagement with the themes introduced in Chapter 12. They are organized by topic and include legal analyses, empirical research, investigative journalism, and policy reports. Annotations describe what each source covers and why it is relevant to the chapter's core questions.
Health Data Privacy and HIPAA
U.S. Department of Health and Human Services. "Summary of the HIPAA Privacy Rule." HHS.gov. The official summary of HIPAA's Privacy Rule, written by the agency responsible for its enforcement. Covers the rule's scope, the definition of protected health information, permissible uses and disclosures, individual rights, and enforcement mechanisms. Essential for understanding the specific provisions discussed in Section 12.1 and for identifying the boundaries of what HIPAA does and does not protect.
McGraw, Deven, and Kenneth D. Mandl. "Privacy Protections to Encourage Use of Health-Relevant Digital Data in a Learning Health System." npj Digital Medicine 4 (2021): Article 2. An analysis of the gap between HIPAA's coverage and the modern digital health landscape, with specific attention to health apps, wearables, and patient-generated health data. The authors propose a risk-based framework that would extend privacy protections beyond HIPAA's entity-based approach. Directly relevant to Section 12.1.2's discussion of the regulatory gap for consumer health data.
Landi, Heather. "The Health Data That HIPAA Doesn't Protect." Fierce Healthcare, May 2021. An accessible journalistic overview of the data types and entities that fall outside HIPAA's scope, including fertility apps, mental health chatbots, and wellness platforms. The article provides concrete examples of the regulatory gap discussed in Section 12.1.2 and is useful for students seeking to understand the practical implications of HIPAA's limitations.
Genetic Privacy: Science, Law, and Ethics
Erlich, Yaniv, Tal Shor, Itsik Pe'er, and Shai Carmi. "Identity Inference of Genomic Data Using Long-Range Familial Searches." Science 362, no. 6415 (2018): 690-694. A rigorous quantitative analysis demonstrating that more than 60% of Americans of European descent can be identified through genetic genealogy databases, even if they have never taken a genetic test — because a sufficiently large fraction of their distant relatives have. This paper provides the scientific foundation for the consent externality discussed in Section 12.2 and the Golden State Killer case study.
Ram, Natalie, Christi J. Guerrini, and Amy L. McGuire. "Genealogy Databases and the Future of Criminal Investigation." Science 360, no. 6393 (2018): 1078-1079. A concise policy commentary by three leading scholars, published shortly after the Golden State Killer arrest. The authors outline the privacy implications of law enforcement use of consumer genealogy databases and propose governance principles including warrants, oversight, and transparency. Essential reading for the debate over investigative genetic genealogy.
Roberts, Jessica L. "Progressive Genetic Ownership." Notre Dame Law Review 93 (2018): 1105-1164. A legal analysis arguing that property-based frameworks for genetic data are insufficient and proposing a "progressive ownership" model that accounts for the shared nature of genetic information. Roberts' work is particularly relevant to the consent externality problem — how to govern data that belongs, in a biological sense, to multiple people.
Green, Robert C., and Nita A. Farahany. "Regulation: The FDA Is Overcautious on Consumer Genomics." Nature 505 (2014): 286-287. A commentary examining the tension between consumer access to genetic information and regulatory caution, written by two prominent scholars in genetics and neuroethics. Relevant to understanding the regulatory landscape for DTC genetic testing described in Section 12.2.1 and the debate over whether consumers should have unrestricted access to their own genetic data.
National Human Genome Research Institute. "Genetic Information Nondiscrimination Act (GINA)." NHGRI Fact Sheet. The official fact sheet from the NIH's genomics institute, explaining GINA's provisions, scope, and limitations. A clear, authoritative reference for the legislative analysis in Section 12.2.2, particularly useful for identifying the specific categories of insurance and employment decisions covered and not covered by GINA.
Biometric Privacy: Facial Recognition and Beyond
Buolamwini, Joy, and Timnit Gebru. "Gender Shades: Intersectional Accuracy Disparities in Commercial Gender Classification." In Proceedings of the Conference on Fairness, Accountability, and Transparency (FAT*), 77-91. PMLR, 2018. The landmark study documenting accuracy disparities in commercial facial recognition systems across race and gender. Buolamwini and Gebru tested systems from IBM, Microsoft, and Face++ and found error rates of up to 34.7% for darker-skinned women compared to less than 1% for lighter-skinned men. This paper is the empirical foundation for the accuracy disparity discussion in Section 12.3.3 and the Robert Williams case study.
Grother, Patrick, Mei Ngan, and Kayee Hanaoka. "Face Recognition Vendor Test (FRVT) Part 3: Demographic Effects." NIST Interagency Report 8280, December 2019. The most comprehensive government evaluation of facial recognition demographic accuracy, testing 189 algorithms from 99 developers. NIST found that false positive rates for African American and Asian faces were 10 to 100 times higher than for Caucasian faces in many algorithms. This report provides the large-scale empirical evidence supporting the concerns raised by the Gender Shades study.
Garvie, Clare, Alvaro Bedoya, and Jonathan Frankle. "The Perpetual Line-Up: Unregulated Police Face Recognition in America." Georgetown Law Center on Privacy and Technology, 2016. A groundbreaking report documenting the extent of police facial recognition in the United States. The authors found that half of American adults were in a law enforcement facial recognition database (primarily through driver's license photos) and that the vast majority of police departments using facial recognition had no policies governing its use. This report, published four years before the Williams arrest, predicted many of the governance failures that the case revealed.
Ferguson, Andrew Guthrie. The Rise of Big Data Policing: Surveillance, Race, and the Future of Law Enforcement. New York: New York University Press, 2017. A comprehensive examination of how data-driven tools — including facial recognition, predictive policing, and social media monitoring — are reshaping law enforcement, with particular attention to racial equity implications. Ferguson connects technological surveillance to the longer history of over-policing in communities of color. Directly relevant to the civil rights framing of facial recognition discussed in the case study and to Eli's perspective throughout the textbook.
Illinois BIPA and Biometric Privacy Law
Schwartz, Paul M., and Karl-Nikolaus Peifer. "Transatlantic Data Privacy Law." Georgetown Law Journal 106 (2017): 115-179. While not exclusively about biometric privacy, this comparative analysis of U.S. and EU data protection law provides important context for understanding why the U.S. approach to biometric privacy is fragmented (state-by-state BIPA-like laws) while the EU's approach is comprehensive (the GDPR covers biometric data as a "special category"). Useful for understanding the structural differences discussed in Section 12.3.2.
Pernot-Leplay, Emmanuel. "China's Approach on Data Privacy Law: A Third Way Between the U.S. and the EU?" Penn State Journal of Law & International Affairs 8, no. 1 (2020): 49-117. A comparative analysis including China's treatment of biometric data under its Personal Information Protection Law (PIPL). Relevant for students interested in how different legal systems classify and protect biometric data — an increasingly important question as biometric technologies deploy globally.
Emerging Challenges: DTC Testing, Data Bankruptcy, and Convergence
Hazel, James W., and Christopher Slobogin. "Who Knows What, and When?: A Survey of the Privacy Policies Proffered by U.S. Direct-to-Consumer Genetic Testing Companies." Cornell Journal of Law and Public Policy 28 (2019): 35-71. A systematic analysis of privacy policies across DTC genetic testing companies. The authors find significant variation in how companies handle data sharing, law enforcement requests, data retention, and user rights. This paper provides the empirical foundation for the DTC privacy policy concerns raised in Section 12.2.1.
Guerrini, Christi J., Jill O. Robinson, Devan Petersen, and Amy L. McGuire. "Should Police Have Access to Genetic Genealogy Databases? Capturing the Golden State Killer and Other Criminals Using a Controversial New Forensic Technique." PLOS Biology 16, no. 10 (2018): e2006906. A balanced analysis of the arguments for and against law enforcement access to consumer genetic databases, written by bioethicists at Baylor College of Medicine. The authors survey public opinion, review the legal landscape, and propose governance principles. An excellent starting point for the debate examined in the Golden State Killer case study.
Wachter, Sandra. "Normative Challenges of Identification in the Internet of Things: Privacy, Profiling, Discrimination, and the GDPR." Computer Law & Security Review 34, no. 3 (2018): 436-449. An analysis of how the convergence of data categories — health, biometric, behavioral, and genetic — challenges governance frameworks designed for discrete data types. Wachter argues that identification is becoming continuous and ambient, and that privacy law must evolve from protecting categories of data to protecting people from the harms that identification enables. Relevant to the convergence discussion in the chapter's conclusion.
These readings extend the legal, ethical, and technical analysis introduced in Chapter 12. As subsequent chapters explore algorithmic decision-making, bias, and fairness, the concepts of sensitive data categories, accuracy disparities, and consent externalities introduced here will serve as recurring reference points — particularly in Chapter 14 (bias in data and machines) and Chapter 24 (sector-specific governance for health, finance, and education).