At a Glance
On November 30, 2023, the Illinois Supreme Court unanimously held that the BIPA “health care exception” covers health care workers whose fingerprints were collected, stored, and used to access medication and medical supply cabinets.
Despite the employer-friendly ruling, the court cautioned that it is “not construing the language at issue as a broad, categorical exclusion of biometric identifiers taken from health care workers.”
HIPAA-covered entities should evaluate their collection and use of biometric information from employees to ensure that it falls within the law’s exception.
Even if the exception may apply, the best practice is still to comply with BIPA if feasible to avoid litigation over its scope.
The Illinois Biometric Information Privacy Act (BIPA) prohibits companies from collecting, capturing or otherwise obtaining a person’s biometric identifier or biometric information (biometrics) without informed written consent (740 ILCS 14/15). It also requires companies to develop a publicly available written policy for retaining and destroying biometrics.
In recent years, BIPA has been a source of significant class action litigation. Pro-plaintiff decisions from the Illinois Supreme Court have held that no actual harm is required to state a claim; that a five-year statute of limitations applies to all BIPA claims; and that each noncompliant scan of a person’s biometric identifier is a separate violation. Statutory damages are set at $1,000 per negligent violation and $5,000 for each reckless or intentional violation, but juries have discretion to award higher or lower amounts. This has led to multimillion-dollar settlements that have fueled more filings from the plaintiffs’ bar.
The Health Care Exception
BIPA excepts from the definition of “biometric identifier” “information captured from a patient in a health care setting or information collected, used or stored for health care treatment, payment or operations under the federal Health Insurance Portability and Accountability Act of 1996” (HIPAA). Courts have struggled with whether this so-called “health care exception” applies only to patients — who are expressly identified in the provision — or if it also covers health care workers. In Mosby v. Ingalls Memorial Hospital, the Illinois Supreme Court held that the exception applies to both.
In Mosby, nurses brought a class action claim alleging that two hospitals illegally collected the plaintiffs’ biometric information to identify them before dispensing medication to patients. The defendants argued that the plaintiffs’ claims were barred under BIPA’s health care exception. However, the trial court and First District Appellate Court both ruled that the exception applied solely to patients. The appellate court analyzed the phrase “information collected, used, or stored for health care treatment, payment, or operations under HIPAA” and concluded that the term “under” meant covered or protected. Because HIPAA protects patients and not employees, the appellate court held that health care employees’ biometrics do not come “under” HIPAA and therefore are not excepted from BIPA. According to the court of appeals, “if the legislature intended to exclude all health care workers from the Act’s protections, it would have done so.”
But in a forceful dissent, Presiding Justice Mary Lane Mikva explained that the majority ignored rules of statutory construction and that the exception should be read in two parts, with the first part applying to patients in a health care setting and the second part applying to biometrics collected for particular purposes defined by HIPAA. That dissent proved prescient — the Illinois Supreme Court quoted it liberally and adopted it in whole.
First, the court focused its analysis on the statute’s use of the word “or.” The court noted that “or” is disjunctive, meaning that it “marks an alternative indicating the various parts of the sentence which it connects are to be taken separately.” The court clarified that when the legislature used the word “or” to separate the Act’s reference to “information captured from a patient in a health care setting” from its reference to “information collected, used, or stored for health care treatment, payment, or operation,” the legislature indicated that “information is exempt from the Act if it satisfies either statutory criterion.”
Second, the court further explained that by employing the word “information” at the beginning of each separate clause, the legislature aimed for each clause to reference “a different specified category of information,” and, unlike the first clause, the second clause did not include the word “patient.” Together with the word “or,” the second “information” signifies “[t]hat any information — not just patient information — collected, used, or stored in connection with health care treatment, payment, or operations under HIPAA is exempt” from BIPA.
Third, the court observed that the words “health care treatment, payment, or operations” are terms defined by HIPAA regulations, which “relate to activities performed by the health care provider — not by the patient.”
As a result, the court determined that BIPA excepts from its protections the biometric information of health care workers where that information is collected, used or stored for health care treatment, payment or operations, as HIPAA defines those functions. The court cautioned, however, that in reaching this conclusion, it was “not construing the language at issue as a broad, categorical exclusion of biometric identifiers taken from health care workers.” Instead, the court explained that the exception applies only to situations where, as in Mosby, biometric information was collected, used and stored to access medications and medical supplies for patient health care treatment.
What This Means for HIPAA-Covered Entities and Other Entities
The Illinois Supreme Court’s ruling in Mosby has at least two notable impacts. First, covered entities under HIPAA are not categorically immune from BIPA lawsuits. The court’s decision made clear that the health care exception is narrow. The analysis is context-specific and depends on whether the biometrics are “collected, used, or stored for health care treatment, payment, or operations.” Under HIPAA, these terms are defined at 45 C.F.R. § 164.501. Accordingly, covered entities will need to pay close attention to how they collect and capture biometrics from their employees outside of these narrow contexts. Consequently, we expect to see further litigation at the trial court level regarding the circumstances under which collection, use and storage of biometrics are for “health care treatment, payment, or operations.”
Second, the ruling leaves open unanswered questions about how the BIPA health care exception applies to patients. For example, the ruling does not address the definition of “patient” or “health care setting.” Unlike “treatment,” “payment,” and “health care operations,” these terms are not defined by HIPAA. Courts have been asked to test the limits of these terms in cases involving the use of virtual try-on glasses, for example. See Vo v. VSP Retail Development Holding, Inc., 2020 WL 1445605 (N.D. Ill. Mar. 2020) (holding that biometrics collected during virtual try-on of eyeglasses fell within the health care exception because scans of plaintiffs’ facial geometry were obtained while they were a “patient” in a “health care setting”); Svoboda v. Frames for America, Inc., 2022 WL 4109719 (N.D. Ill. Sept. 8, 2022) (same). Due to the court’s conclusion that the exception is disjunctive, the terms “patient” and “health care setting” are not modified by HIPAA’s reference to “health care treatment, payment, or operations” and therefore have a potentially broader meaning than federal law.
One thing the Mosby ruling does not change, however, is the best practice when biometric information is at issue: get consent. To avoid litigation, and if it is at all feasible, entities collecting, using or storing biometrics should still comply with BIPA — even if compliance arguably is not required — because plaintiffs’ counsel are less likely to file a lawsuit to test the adequacy of a compliance program than they are to file a lawsuit to challenge the lack of a compliance program.