In the first win for defendants facing Illinois Biometric Information Privacy Act (BIPA) litigation before the Illinois Supreme Court, the Court in Mosby v. Ingalls Memorial Hospital held that BIPA excludes from its protections the biometric information of healthcare workers where that information is collected, used, or stored for healthcare treatment, payment, or operations.
Key Components of BIPA
BIPA, a law with applicability across all industry sectors, requires private entities that obtain biometric information or identifiers to first inform the subject in writing that their information is being collected and stored, inform the subject of the specific purpose and term for collection and storage, and secure a written release from the subject. BIPA also prohibits the disclosure of biometric information without the subject’s consent.
Private entities also cannot sell, lease, trade, or profit from a person’s biometric information. Further, BIPA requires a private entity in possession of biometric identifiers and information to develop a publicly available written policy establishing a retention schedule and providing guidelines for the permanent destruction of the information.
Any person aggrieved by a BIPA violation may file suit to recover statutory damages of $1,000 for each negligent violation or $5,000 for each intentional or reckless violation, plus reasonable attorney fees and costs. To establish standing, actual harm is not required and mere procedural violations are sufficient.
Healthcare Exemption
BIPA contains several carveouts for what is not considered a “biometric identifier” under the statute. Among other things, “[b]iometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996 [HIPAA].” 740 ILCS 14/10.
Case Background
In Mosby, the plaintiff, a registered nurse at Ingalls Memorial Hospital, alleged that she used a medication dispensing cabinet that utilized a fingerprint scanner. The use of these cabinets has increased in recent years to curb theft or diversion of medications and ensure that medications are dispensed to the proper patient.
The complaint alleged that the hospital violated BIPA by using the medication cabinet scanning device to collect, use, and/or store the plaintiff’s finger scan data without complying with BIPA’s notice and consent provisions and by disclosing her purported biometric data to third parties without first obtaining her written consent.
The manufacturer of the medication dispensing cabinet filed a motion to dismiss arguing that the complaint should be dismissed because (1) the biometric data that was collected, used, and/or stored restricted access to protected health information and medication and (2) the data was used for healthcare treatment and operations pursuant to HIPAA.
The Illinois circuit court held that the BIPA healthcare exception only applied to patient information protected under HIPAA. Further, the lower court held that “if the legislature intended to exempt health care employees entirely, it would have expressly done so.” Accordingly, the court denied the motion to dismiss.
Similarly, a registered nurse at a Lake Forest hospital sued her employer and the manufacturer of the medication dispensing cabinet, making similar allegations related to the medication dispensing cabinet. The circuit court in that case also held that the exclusion only applied to patient information. The appeal was consolidated with plaintiff Mosby’s case before the Illinois appellate court.
The Illinois appellate court also held that the healthcare exclusion only applied to patient information. The court granted the defendants’ petition for leave to appeal to the Illinois Supreme Court.
Supreme Court Opinion
The Illinois Supreme Court sought to answer of whether the exception “refers exclusively to a patient’s biometric information or includes a health care worker’s biometric information used to access patient medications and provide patient care.”
In reversing the appellate court, the Supreme Court held that, “[p]ursuant to its plain language, the Act excludes from its protections the biometric information of health care workers where that information is collected, used, or stored for health care treatment, payment, or operations, as those functions are defined by HIPAA.”
The Court did warn, however, that “[it was] not construing the language at issue as a broad, categorical exclusion of biometric identifiers taken from health care workers.” The exception applied only because “the nurses’ biometric information, as alleged in the complaints, was collected, used, and stored to access medications and medical supplies for patient health care treatment.”
How We Can Help
If you have questions regarding the application of BIPA and the healthcare exception to information your organization collects, please reach out to the authors of this post or your usual Morgan Lewis contact. The Morgan Lewis team has an extensive background not only advising clients on BIPA compliance across all industries, including healthcare, but also litigating and trying cases in both state and federal courts.