Dec 82023

In a Win for Defendants, Illinois Supreme Court Holds That Health Care Exemption Under BIPA Is Not Limited to Patients’ Biometric Information

Kathleen Carlson, Neil H. Conrad, Lawrence P. Fogel, Geeta Malhotra and Andrew F. Rodheim
, , ,

For the third time in 2023, the Illinois Supreme Court addressed the scope of the Illinois Biometric Information Privacy Act (BIPA) — this time in Mosby v. Ingalls Memorial Hospital. In a unanimous decision, the court held that BIPA’s “health care exemption” is not limited to patients’ biometric information (such as fingerprint scans), but also extends to biometric information collected, used, or stored for healthcare treatment, payment, or operations — regardless of its source.1 This decision also marks the Illinois Supreme Court’s first BIPA-related decision where it adopted the defendants’ proposed interpretation of the statute.

Background on BIPA and the Health Care Exemption

Enacted in 2008, BIPA regulates the collection and possession of biometric data by private entities operating in Illinois. Biometric data includes, for example, fingerprints, voiceprints, eye scans, and face/hand scans (but not photographs or written signatures). BIPA requires entities to comply with certain obligations when collecting this data. Among other things, entities must provide notice to the individual whose biometric data is being collected, obtain written consent from that individual, establish and implement a written data-retention policy, and ensure compliance with limitations on any transfers of biometric data, including prohibitions on the “sale” and “lease” of biometric data.

Notably, BIPA establishes a private right of action, allowing any person to seek statutory or actual damages, attorneys’ fees, and injunctive relief if they have been aggrieved by a BIPA violation. The statutory damages available for a person aggrieved by a BIPA violation are steep, including $1,000 to $5,000 per violation, attorneys’ fees and costs, and the possibility of injunctive relief. In 2019, the Illinois Supreme Court held that a plaintiff may seek damages when the only injury is a violation of BIPA,2 a decision that accelerated the trend of filing putative class action lawsuits under the statute.

Relevant to the Mosby decision, Section 10 of BIPA includes a list of exclusions to the definition of biometric information, which are exempt from BIPA’s requirements. Among other things, Section 10 excludes “information captured from a patient in a healthcare setting or information collected, used, or stored for healthcare treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.”3 Given the potential for massive damages, the scope of the healthcare exemption is critical for companies to understand.

Mosby v. Ingalls Memorial Hospital

The Mosby decision arose from two separate BIPA complaints filed by registered nurses against healthcare providers and a distributor of a medication-dispensing system. The nurses alleged that they were required to scan their fingerprints to authenticate their identity in order to gain access to a medication-dispensing system that was used to provide medication to patients. The nurses further alleged that the defendants did not obtain the requisite consent under BIPA. The defendants each moved to dismiss the complaints based on Section 10 of BIPA, which provides that biometric information does not include “information captured from a patient in a healthcare setting or information collected, used, or stored for healthcare treatment, payment, or operations under [HIPAA].” 740 ILCS 14/10 (emphasis added). The defendants argued that biometric information of healthcare employees used to access medication-dispensing systems fell under the definitions of “treatment” and “operations” under HIPAA, and therefore the collection of the plaintiffs’ fingerprints for this purpose was exempt under the healthcare exemption. The circuit courts denied both motions, holding that BIPA’s healthcare exemption is limited to biometric information collected from healthcare patients and does not apply to biometric information of healthcare employees. On a consolidated appeal, the Illinois Appellate Court, in a 2-1 decision, agreed that the healthcare exemption was limited to patient information. Presiding Justice Mary Mikva dissented, arguing that the first prong — “information captured from a patient in a health care setting” — referred to patient information, while the second prong—“information collected, used, or stored for healthcare treatment, payment, or operations under [HIPAA]”— referred to information used for particular purposes, regardless of its source. Accordingly, under Justice Mikva’s view, the second category could include biometric information of healthcare workers as long as the information related to healthcare treatment, payment, or operations.

The Illinois Supreme Court reversed. Its decision focused on the text of Section 10 and held that the plain language of the statute demonstrates that a patient’s biometric data is not the only category of information within the exemption. Agreeing with Justice Mikva’s dissent, the Supreme Court reasoned that the healthcare exemption uses the disjunctive “or,” which means the exemption presents “two different alternatives.” The first part of the exemption excludes information from a particular source — patients in a healthcare setting — and the second part excludes information used for particular purposes — healthcare treatment, payment, or operations, regardless of the source of that information. Accordingly, the healthcare workers’ biometric information, when used to access medication-dispensing stations for patient care, falls under the healthcare exemption and is not subject to BIPA’s requirements.

Importantly, the Illinois Supreme Court noted that it was not construing the healthcare exemption as broadly excluding all biometric information taken from healthcare workers. Rather, the second prong of the exemption applies only to biometric information used “for health care treatment, payment, or operations” as defined by HIPAA.

Although the Mosby decision represents a rare victory for BIPA defendants, companies should understand that it does not necessarily mean that all biometric information from healthcare workers is exempt from BIPA. Courts applying Mosby will likely focus on the particular purposes for which biometric information is collected and possessed. Thus, careful attention to whether such purposes are consistent with HIPAA’s definitions of “health care treatment, payment, and operations,” which are discussed in the Mosby decision, will be important to ensure compliance with BIPA.

For additional information about steps companies can consider taking to help address BIPA risks, see our prior alerts (February 10, 2023 alert) (February 22, 2023 alert).

1Mosby v. Ingalls Memorial Hospital, 2023 IL 129081, ¶ 54.
2See Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186.
3740 ILCS 14/10.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Kathleen Carlson

Chicago

kathleen.carlson@sidley.com

Neil H. Conrad

Chicago

nconrad@sidley.com

Lawrence P. Fogel

Chicago

lawrence.fogel@sidley.com

Geeta Malhotra

Chicago

gmalhotra@sidley.com

Andrew F. Rodheim

Chicago

arodheim@sidley.com

You might also like
District Court Finds Communications Decency Act Provides Automotive Device Manufacturer Immunity for Clean Air Act Violations

On March 28, 2024, in US v. EZ Lynk, the U.S. District Court for the Southern District of New York dismissed the Department of Justice’s (DOJ) claim that an automotive device manufacturer violated Section 203 of the Clean Air Act (CAA), holding that Section 230 of the Communications Decency Act (CDA) provided complete immunity from CAA liability for the sale of certain aftermarket automotive devices. This decision of first impression offers an important precedent in the automotive industry and beyond. The decision gives effect to the CDA as drafted and will make it significantly harder for the government to hold manufacturers and online retailers liable for content, including software, created and sold by third parties.

Cybersecurity Takeaways From White House Tech Report

On Feb. 26, the White House’s Office of the National Cyber Director (ONCD), released a report on how technology manufacturers and software developers can improve the cybersecurity posture of the U.S. This report, “Back to the Building Blocks: A Path Toward Secure and Measurable Software,” aligns with the Biden administration’s current, intense focus on combatting ever-increasing cyberthreats through software development and software manufacturer accountability. In this article, published by Law360 on March 26, Sidley lawyers Alan Charles Raul, Stephen McInerney and Vishnu Tirumala discuss the ONCD report and provide key take-aways for software developers and manufacturers, their senior management, and boards.

New Hampshire’s Comprehensive Data Privacy Legislation

As the state boasting the headquarters of the International Association of Privacy Professionals, many have been watching the development of the New Hampshire comprehensive consumer data privacy law with great interest, wondering if it may be a practical model for the nation. On March 6, 2024, Governor Chris Sununu signed SB 255-FN (“the Act”) into law. In some respects, New Hampshire’s privacy law is comparatively more moderate than some other state laws. For instance, the New Hampshire Secretary of State’s rulemaking authority under the Act is currently limited to establishing requirements for privacy notices. This narrow extension of rulemaking authority is a divergence from the broad rulemaking authority granted by California, Colorado, and other states. The New Hampshire law does not allow for a private right of action. There is a right to cure alleged violations through the first year the law is in force; afterwards, the opportunity to cure is left to the Attorney General’s discretion. The legislation will take effect on January 1, 2025.