Since its enactment, numerous questions have arisen involving the Illinois Biometric Information Privacy Act (“BIPA”), including which statute of limitations applies to the Act, whether employees are able to pursue BIPA lawsuits against their employers, the amount of damages available to plaintiffs in BIPA lawsuits, and when BIPA causes of action accrue, among others. As previously discussed here and here, Illinois courts are poised to address several of these issues in 2022. For example, in February, the Illinois Supreme Court resolved the issue of whether the Illinois Workers’ Compensation Act precludes employees from filing BIPA lawsuits against their employers. The court determined that the Workers’ Compensation Act’s exclusivity provision does not apply to BIPA lawsuits.
On February 25, 2022, the Illinois First District Court of Appeals addressed another long-standing issue involving the scope of BIPA: specifically, whether an exclusion in BIPA for biometric information collected, used, or stored for healthcare treatment, payment, or operations under HIPAA applies to biometric information collected by a healthcare provider from its employees. In the case Mosby v. Ingalls Mem. Hosp., 2022 IL App (1st) 200822, the First District concluded that the exception does not apply to this situation.
The plaintiff in Mosby worked for the defendant Northwestern Memorial Lake Forest Hospital as a registered nurse. She alleged that as a condition of her employment, she was required to scan her fingerprint to gain access to a medication dispensing system. The plaintiff filed suit against her employer, alleging that it violated BIPA by: 1) not informing the plaintiff in writing of the specific purpose and length of time for which her biometric information was being collected, stored, and used; 2) failing to provide a publicly available retention schedule and guidelines for permanently destroying her biometric information; 3) failing to obtain a written release from the plaintiff to collect, store, or otherwise use her biometric information; and 4) failing to obtain the plaintiff’s consent before disclosing disseminating her biometric information to a third party.
The defendant moved to dismiss the plaintiff’s lawsuit pursuant to an exclusion contained in Section 10 of BIPA. That exclusion states that biometric information and identifiers of the type protected by BIPA do not include: 1) information captured from a patient in a healthcare setting; or 2) information collected, used, or stored for healthcare treatment, payment, or operations under HIPAA. 740 ILCS 14/10. The defendant argued that the exclusion applied because the plaintiff’s biometric information that was collected was used for healthcare treatment, payment, or operations pursuant to HIPAA. The circuit court denied the motion to dismiss, finding that the Section 10 exception applies only to information taken from a patient, prompting the defendant to appeal.
On appeal, the defendant argued that the plain language of the Section 10 exclusion in BIPA demonstrates that employee biometric information used in medication dispensing systems is not protected by BIPA. More specifically, the defendant maintained that the collection, use, and storage of healthcare workers’ biometric information is for “health care” and “treatment” and that those terms are expressly defined by HIPAA. The defendant further argued that the biometric information collected through the medication dispensing system was used for “health care operations” and “payment” because the system provided an audit trail and aided in patient safety, quality of care, and accurate billing. Finally, the defendant argued that the use of the word “or” in Section 10 indicates that it applies to two different situations; the first being biometric information obtained from a patient in a healthcare setting, and the second being biometric information collected for healthcare treatment, payment, or operations under HIPAA.
The appellate court rejected the defendant’s arguments, finding that the Section 10 exclusion applies to: 1) biometric information collected from a patient in a healthcare setting; and 2) biometric information that is already protected under HIPAA. According to the court, the use of the term “or” in Section 10 means that patient biometric information and biometric information protected by HIPAA are alternatives that are to be considered separately. HIPAA did not protect the plaintiff’s biometric information HIPAA applies only to patient information and she was an employee, not a patient.
The court also rejected the defendant’s proposed interpretation of the Section 10 exclusion. The defendant argued that the exclusion should be read as applying when biometric information is collected, used, or stored for the type of “health care” and “treatment” defined by HIPAA. While both of those terms are defined in HIPAA, the court explained that the Section 10 exclusion uses the phrase “under HIPAA,” not “as defined by HIPAA.” Moreover, the court indicated that the biometric information of employees is not defined or protected “under HIPAA.” Thus, the court concluded that the plain language of section 10 does not exclude healthcare employee biometric information from BIPA’s protections because they are neither patients nor protected under HIPAA.
Finally, the court noted that if the Illinois legislature intended to create a wide-ranging exemption under BIPA for hospitals, it would have done so in the blanket exclusion provision of BIPA. Section 25 of BIPA excludes from the Act’s coverage financial institutions subject to Title V of the Gramm-Leach-Bliley Act and employees, contractors, or subcontractors of local government or the State.
While the First District Appellate Court’s opinion temporarily resolves this issue, as with many other questions involving BIPA, we expect the Illinois Supreme Court ultimately will address this issue.