In a Win for Defendants, Illinois Supreme Court Holds That Health Care Exemption Under BIPA Is Not Limited to Patients’ Biometric Information

For the third time in 2023, the Illinois Supreme Court addressed the scope of the Illinois Biometric Information Privacy Act (BIPA) — this time in Mosby v. Ingalls Memorial Hospital. In a unanimous decision, the court held that BIPA’s “health care exemption” is not limited to patients’ biometric information (such as fingerprint scans), but also extends to biometric information collected, used, or stored for healthcare treatment, payment, or operations — regardless of its source.1 This decision also marks the Illinois Supreme Court’s first BIPA-related decision where it adopted the defendants’ proposed interpretation of the statute.

Background on BIPA and the Health Care Exemption

Enacted in 2008, BIPA regulates the collection and possession of biometric data by private entities operating in Illinois. Biometric data includes, for example, fingerprints, voiceprints, eye scans, and face/hand scans (but not photographs or written signatures). BIPA requires entities to comply with certain obligations when collecting this data. Among other things, entities must provide notice to the individual whose biometric data is being collected, obtain written consent from that individual, establish and implement a written data-retention policy, and ensure compliance with limitations on any transfers of biometric data, including prohibitions on the “sale” and “lease” of biometric data.

Notably, BIPA establishes a private right of action, allowing any person to seek statutory or actual damages, attorneys’ fees, and injunctive relief if they have been aggrieved by a BIPA violation. The statutory damages available for a person aggrieved by a BIPA violation are steep, including $1,000 to $5,000 per violation, attorneys’ fees and costs, and the possibility of injunctive relief. In 2019, the Illinois Supreme Court held that a plaintiff may seek damages when the only injury is a violation of BIPA,2 a decision that accelerated the trend of filing putative class action lawsuits under the statute.

Relevant to the Mosby decision, Section 10 of BIPA includes a list of exclusions to the definition of biometric information, which are exempt from BIPA’s requirements. Among other things, Section 10 excludes “information captured from a patient in a healthcare setting or information collected, used, or stored for healthcare treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.”3 Given the potential for massive damages, the scope of the healthcare exemption is critical for companies to understand.

Mosby v. Ingalls Memorial Hospital

The Mosby decision arose from two separate BIPA complaints filed by registered nurses against healthcare providers and a distributor of a medication-dispensing system. The nurses alleged that they were required to scan their fingerprints to authenticate their identity in order to gain access to a medication-dispensing system that was used to provide medication to patients. The nurses further alleged that the defendants did not obtain the requisite consent under BIPA. The defendants each moved to dismiss the complaints based on Section 10 of BIPA, which provides that biometric information does not include “information captured from a patient in a healthcare setting or information collected, used, or stored for healthcare treatment, payment, or operations under [HIPAA].” 740 ILCS 14/10 (emphasis added). The defendants argued that biometric information of healthcare employees used to access medication-dispensing systems fell under the definitions of “treatment” and “operations” under HIPAA, and therefore the collection of the plaintiffs’ fingerprints for this purpose was exempt under the healthcare exemption. The circuit courts denied both motions, holding that BIPA’s healthcare exemption is limited to biometric information collected from healthcare patients and does not apply to biometric information of healthcare employees. On a consolidated appeal, the Illinois Appellate Court, in a 2-1 decision, agreed that the healthcare exemption was limited to patient information. Presiding Justice Mary Mikva dissented, arguing that the first prong — “information captured from a patient in a health care setting” — referred to patient information, while the second prong—“information collected, used, or stored for healthcare treatment, payment, or operations under [HIPAA]”— referred to information used for particular purposes, regardless of its source. Accordingly, under Justice Mikva’s view, the second category could include biometric information of healthcare workers as long as the information related to healthcare treatment, payment, or operations.

The Illinois Supreme Court reversed. Its decision focused on the text of Section 10 and held that the plain language of the statute demonstrates that a patient’s biometric data is not the only category of information within the exemption. Agreeing with Justice Mikva’s dissent, the Supreme Court reasoned that the healthcare exemption uses the disjunctive “or,” which means the exemption presents “two different alternatives.” The first part of the exemption excludes information from a particular source — patients in a healthcare setting — and the second part excludes information used for particular purposes — healthcare treatment, payment, or operations, regardless of the source of that information. Accordingly, the healthcare workers’ biometric information, when used to access medication-dispensing stations for patient care, falls under the healthcare exemption and is not subject to BIPA’s requirements.

Importantly, the Illinois Supreme Court noted that it was not construing the healthcare exemption as broadly excluding all biometric information taken from healthcare workers. Rather, the second prong of the exemption applies only to biometric information used “for health care treatment, payment, or operations” as defined by HIPAA.

Although the Mosby decision represents a rare victory for BIPA defendants, companies should understand that it does not necessarily mean that all biometric information from healthcare workers is exempt from BIPA. Courts applying Mosby will likely focus on the particular purposes for which biometric information is collected and possessed. Thus, careful attention to whether such purposes are consistent with HIPAA’s definitions of “health care treatment, payment, and operations,” which are discussed in the Mosby decision, will be important to ensure compliance with BIPA.

For additional information about steps companies can consider taking to help address BIPA risks, see our prior alerts (February 10, 2023 alert) (February 22, 2023 alert).

1Mosby v. Ingalls Memorial Hospital, 2023 IL 129081, ¶ 54.
2See Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186.
3740 ILCS 14/10.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.