For the third time in 2023, the Illinois Supreme Court addressed the scope of the Illinois Biometric Information Privacy Act (BIPA) — this time in Mosby v. Ingalls Memorial Hospital. In a unanimous decision, the court held that BIPA’s “health care exemption” is not limited to patients’ biometric information (such as fingerprint scans), but also extends to biometric information collected, used, or stored for health care treatment, payment, or operations — regardless of its source.1 This decision also marks the Illinois Supreme Court’s first BIPA-related decision where it adopted the defendants’ proposed interpretation of the statute.
Background on BIPA and the Health Care Exemption
Enacted in 2008, BIPA regulates the collection and possession of biometric data by private entities operating in Illinois. Biometric data includes, for example, fingerprints, voiceprints, eye scans, and face/hand scans (but not photographs or written signatures). BIPA requires entities to comply with certain obligations when collecting this data. Among other things, entities must provide notice to the individual whose biometric data is being collected, obtain written consent from that individual, establish and implement a written data-retention policy, and ensure compliance with limitations on any transfers of biometric data, including prohibitions on the “sale” and “lease” of biometric data.
Notably, BIPA establishes a private right of action, allowing any person to seek statutory or actual damages, attorneys’ fees, and injunctive relief if they have been aggrieved by a BIPA violation. The statutory damages available for a person aggrieved by a BIPA violation are steep, including $1,000 to $5,000 per violation, attorneys’ fees and costs, and the possibility of injunctive relief. In 2019, the Illinois Supreme Court held that a plaintiff may seek damages when the only injury is a violation of BIPA,2 a decision that accelerated the trend of filing putative class action lawsuits under the statute.
Relevant to the Mosby decision, Section 10 of BIPA includes a list of exclusions to the definition of biometric information, which are exempt from BIPA’s requirements. Among other things, Section 10 excludes “information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.”3 Given the potential for massive damages, the scope of the health care exemption is critical for companies to understand.
Mosby v. Ingalls Memorial Hospital
The Mosby decision arose from two separate BIPA complaints filed by registered nurses against health care providers and a distributor of a medication-dispensing system. The nurses alleged that they were required to scan their fingerprints to authenticate their identity in order to gain access to a medication-dispensing system that was used to provide medication to patients. The nurses further alleged that the defendants did not obtain the requisite consent under BIPA.
The defendants each moved to dismiss the complaints based on Section 10 of BIPA, which provides that biometric information does not include “information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under [HIPAA].” 740 ILCS 14/10 (emphasis added). The defendants argued that biometric information of health care employees used to access medication-dispensing systems fell under the definitions of “treatment” and “operations” under HIPAA, and therefore the collection of the plaintiffs’ fingerprints for this purpose was exempt under the health care exemption.
The circuit courts denied both motions, holding that BIPA’s health care exemption is limited to biometric information collected from health care patients and does not apply to biometric information of health care employees. On a consolidated appeal, the Illinois Appellate Court, in a 2-1 decision, agreed that the health care exemption was limited to patient information. Presiding Justice Mary Mikva dissented, arguing that the first prong — “information captured from a patient in a health care setting” — referred to patient information, while the second prong — “information collected, used, or stored for health care treatment, payment, or operations under [HIPAA]” — referred to information used for particular purposes, regardless of its source. Accordingly, under Justice Mikva’s view, the second category could include biometric information of health care workers as long as the information related to health care treatment, payment, or operations.
The Illinois Supreme Court reversed. Its decision focused on the text of Section 10 and held that the plain language of the statute demonstrates that a patient’s biometric data is not the only category of information within the exemption. Agreeing with Justice Mikva’s dissent, the Supreme Court reasoned that the health care exemption uses the disjunctive “or,” which means the exemption presents “two different alternatives.” The first part of the exemption excludes information from a particular source — patients in a health care setting — and the second part excludes information used for particular purposes — health care treatment, payment, or operations, regardless of the source of that information. Accordingly, the health care workers’ biometric information, when used to access medication-dispensing stations for patient care, falls under the health care exemption and is not subject to BIPA’s requirements.
Importantly, the Illinois Supreme Court noted that it was not construing the health care exemption as broadly excluding all biometric information taken from health care workers. Rather, the second prong of the exemption applies only to biometric information used “for health care treatment, payment, or operations” as defined by HIPAA.
Although the Mosby decision represents a rare victory for BIPA defendants, companies should understand that it does not necessarily mean that all biometric information from health care workers is exempt from BIPA. Courts applying Mosby will likely focus on the particular purposes for which biometric information is collected and possessed. Thus, careful attention to whether such purposes are consistent with HIPAA’s definitions of “health care treatment, payment, and operations,” which are discussed in the Mosby decision, will be important to ensure compliance with BIPA.