Illinois Supreme Court: Certain Biometric Data Is Exempt From BIPA

On November 30, 2023, the Supreme Court of Illinois ruled in favor of limiting the scope of Biometric Information Privacy Act (BIPA) as it relates to the collection of biometric information from healthcare workers if said biometric information is collected and used for purposes of healthcare treatment, payments, or operations under HIPAA. 

The ruling comes after a lawsuit, Mosby v. The Ingalls Memorial Hospital, was filed against the Ingalls Memorial Hospital by Lucille Mosby, a nurse employed there, both individually and on behalf of others in a similar situation. The hospital utilized medication dispensing systems which required employees to authenticate via finger-scan in order to have access to the medication administered to patients. The issue at hand here was that the technology for the finger scanning belonged to a third party and that biometric data was collected without expressly written consent, and that it appeared as if the biometric data of healthcare staff did not benefit from the same level of protection as that of regular individuals. 

In light of these allegations, there two questions that the Court had to answer:

“Whether the exclusion in Section 10 of [the Biometric Information Privacy Act (Act) (740 ILCS 14/10 (West 2018))] for ‘information collected, used, or stored for healthcare treatment, payment, or operations under the federal Health [I]nsurance [P]ortability and Accountability Act of 1996’ [(HIPAA)] applies to biometric information of healthcare workers (as opposed to patients) collected, used or stored for healthcare treatment, payment or operations under HIPAA,”

and

“Does finger-scan information collected by a healthcare provider from its employees fall within the [Act’s] exclusion for ‘information collected, used, or stored for healthcare treatment, payment, or operations under [HIPAA],’ 740 ILCS 14/10 [(West 2018)], when the employee’s finger-scan information is used for purposes related to ‘healthcare,’ ‘treatment,’ ‘payment,’ or ‘operations’ as those terms are defined by the HIPAA statute and regulations?”

Section 10 of BIPA offers definitions to be considered in the Act and even starts with the definition for ‘biometric identifier,’ which it defines as follows: 

"Biometric identifier" means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include donated organs, tissues, or parts as defined in the Illinois Anatomical Gift Act or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency. Biometric identifiers do not include biological materials regulated under the Genetic Information Privacy Act. 

The part cited in the lawsuit states as follows:

Biometric identifiers do not include information captured from a patient in a healthcare setting or information collected, used, or stored for healthcare treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996. 

The discussions revolved around the way the statute of the Act was phrased, particularly around the use of the words “information” and “or,” or the way treatment, payment, and operations were defined under HIPAA. The Court’s argument was as follows: 

• The phrase prior to the “or” and the phrase following the “or” connotes two different alternatives. The Illinois legislature used the disjunctive “or” to separate the Act’s reference to “information captured from a patient in a healthcare setting” from “information collected, used, or stored for healthcare treatment, payment, or operations under [HIPAA].” 740 ILCS 14/10 (West 2018). Pursuant to its plain language, information is exempt from the Act if it satisfies either statutory criterion.
• The plain language of the Act also includes repetition of the word “information” at the beginning of each separate clause. By using “information” twice, the legislature indicated that each of the two clauses separated by the “or” generally exempts a different specified category of information. The second clause does not include the word “patient.”
• The appellate court ruled that “the two categories can be seen as protecting (1)information captured from the patient in a healthcare setting and (2) information that is already protected ‘under [HIPAA].
• According to HIPAA, ‘treatment’ means the provision, coordination, or management of healthcare and related services by one or more healthcare providers,” which includes “the coordination or management of healthcare by a healthcare provider with a third party; consultation between healthcare providers relating to a patient; or the referral of a patient for healthcare from one healthcare provider to another.” Id. § 164.501.
• According to HIPAA, “payment” includes “activities undertaken by *** [a] healthcare provider or health plan to obtain or provide reimbursement for the provision of healthcare.” Id. 
• According to HIPAA, “healthcare operations” means, among other things, “the following activities of the covered entity to the extent that the activities are related to covered functions:” conducting quality assessment and improvement activities, including, among other things, patient safety activities and protocol development; reviewing the competence or qualifications of healthcare professionals; and conducting or arranging for medical review and auditing functions, including fraud and abuse detection and compliance programs. Id.

• HIPAA’s definitions of these terms relate to activities performed by the healthcare provider—not by the patient.
• Pursuant to its plain language, the Act excludes from its protections the biometric information of healthcare workers where that information is collected, used, or stored for healthcare treatment, payment, or operations, as those functions are defined by HIPAA. A healthcare worker’s biometric information, used to permit access to medication dispensing stations for patient care, falls under “information collected, used, or stored for healthcare treatment, payment, or operations under [HIPAA]” and is exempt from the Act’s protections pursuant to section 10 of the Act.

In answering in the affirmative to both questions mentioned above, the Court however clarified that it was not “construing the language at issue as a broad, categorical exclusion of biometric identifiers taken from healthcare workers. Here, the nurses’ biometric information, as alleged in the complaints, was collected, used, and stored to access medications and medical supplies for patient healthcare treatment and is excluded from coverage under the Act because it is “information collected, used, or stored for healthcare treatment, payment, or operations under [HIPAA].” 

Now that the Mosby decision has been issued by the Supreme Court, it remains to be seen how this will be extended by lower Courts, if at all. Also, this might lead to the dismissal of other pending BIPA lawsuits against healthcare entities where similar technology for medication management is used.