Illinois Supreme Court: Certain Collected Biometric Data Is Exempt From BIPA Protections

December 12, 2023

On Nov. 30, 2023, the Illinois Supreme Court, in Mosby v. The Ingalls Memorial Hospital et al., held that certain healthcare providers’ biometric data, used for healthcare operational purposes under the Health Insurance Portability and Accountability Act (HIPAA), is not protected under the Illinois Biometric Information Privacy Act (BIPA). BIPA places robust restrictions on private entities that collect or retain any individual’s biometric identifiers, such as eye scans, fingerprints, voiceprints or biological samples. Under BIPA, no private entity can collect, maintain, purchase or disclose such identifiers without obtaining an individual’s consent, among other requirements.

While BIPA contains these broad protections, it does include exceptions, including an exception for “information collected, used, or stored for health care treatment, payment, or operations under [HIPAA].” In Mosby, the court set out to determine whether this exception applied to healthcare providers’ finger scans that various hospitals and healthcare entities obtained and retained without obtaining a BIPA-compliant consent from the providers.

Specifically, the healthcare providers and class action plaintiffs at issue were nurses whose finger scans were used to access medication dispensing systems and storage containers for patients. Defendants argued that retaining the finger scans was necessary for patient treatment, billing and general healthcare operations, meaning the biometric identifiers were excluded from protection under BIPA and that a provider’s consent to retention of the information by the hospital systems was not required. The lower courts, including the Illinois Appellate Court, rejected the defendants’ arguments and ruled that BIPA protects the nurses’ biometric identifiers because the HIPAA exclusion was intended to apply to patient data and not healthcare provider data.

The Illinois Supreme Court reversed and remanded the Appellate Court’s decision, reasoning that the definitions of “health care treatment,” “payment” and “operations” under HIPAA as referenced in BIPA, “relate to activities performed by the health care provider — not the patient.” Furthermore, the court noted that BIPA’s exception expressly covers (i) “information captured from a patient” “or” (emphasis added) (ii) “information collected, used, or stored for health care treatment, payment, or operations under [HIPAA],” supporting the argument that the Illinois legislature created “two categories of information” through the use of the disjunctive “or.” According to the court, the first clause is expressly limited to patient information, but the second clause — “information collected, used, or stored for health care treatment, payment, or operations under [HIPAA]” — is not limited to patient information. Instead, the second clause is more expansive and applies to “information” “collected, used, or stored,” for “health care treatment, payment, or operations,” regardless of the source. According to the court, the inclusion of the second, more expansive clause evidences the Illinois legislature’s intent that the exception to the consent requirement applies to patients and healthcare providers alike.

In sum, under BIPA, as interpreted by the Mosby decision, Illinois healthcare entities may collect and retain employees’ biometric data without consent or implementation of the safeguards otherwise required under BIPA when such information is collected “for health care treatment, payment, or operations.” Under BIPA, “[h]ealth care treatment, payment, or operations” have the meanings set forth under HIPAA. Therefore, the exception to the consent requirement under BIPA is limited to the use or disclosure of biometric information in connection with these defined functions and does not broadly apply to all uses and disclosures of biometric information. For example, the exemption would not apply to information collected for research purposes because the definition of “health care operations” under HIPAA does not include research. Finally, even where the consent requirements are inapplicable, from a risk management perspective and to foster good employee relationships, employers should take proactive steps to ensure that any retained biometric data is maintained securely.

McGuireWoods attorneys routinely assist healthcare providers and entities with complying with various data privacy and security laws, including HIPAA and BIPA. For assistance with HIPAA or BIPA compliance issues, please contact one of the authors of this article.