Illinois Supreme Court holds BIPA health care exemption applies to employees
By David J. Oberly, Biometric Privacy & Data Privacy Attorney
On November 30, 2023, the Illinois Supreme Court issued an important opinion interpreting the Illinois Biometric Information Privacy Act (BIPA) in Mosby v. Ingalls Mem. Hosp., 2023 IL 129081, holding that BIPA’s health care exemption applies not just in the patient context, but in the employment context as well. The Mosby opinion is a key win for BIPA defendants—especially for health care entities and their biometric technology vendors—as the decision clarifies that BIPA’s health care exemption extends to the use of health care worker biometric information when done so for purposes relating to health care treatment, operations, and payment under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The Mosby decision
Mosby involved consolidated BIPA class action lawsuits filed by health care workers against their health care entity employers and the vendor that supplied their employers with biometric-powered medication dispensing systems to provide patient care, i.e., to authenticate employees’ identities for purposes of accessing controlled and restricted medications.
The defendants moved to dismiss the suits, arguing that BIPA’s Section 10 health care exemption—which provides that “[b]iometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal [HIPAA]”—barred the BIPA claims asserted against them where the plaintiffs’ biometric information was used to restrict access to protected health information and medication, and to provide health care treatment and operations pursuant to HIPAA. The defendants’ arguments were rejected at the trial court level, based on the reasoning that the health care exemption was limited in scope to patient information protected under HIPAA. Those trial court decisions were subsequently appealed to the Illinois Supreme Court.
On appeal, the Illinois Supreme Court held that the language of Section 10 refers not just to patient biometric information, but also to the biometric information of health care workers when that information is used to provide patient care. The Mosby court explained that under the plain language of Section 10, biometric information is exempt from BIPA if it satisfies either of two separate statutory criterion: (1) information that is captured from a patient in a health care setting; or (2) information that is collected, used, or stored for health care treatment, payment, or operations under HIPAA.
In other words, Section 10’s health care exemption excludes from BIPA’s coverage information from a particular source—a patient in a health care setting—as well as information used for a particular purpose—health care treatment, payment, or operations—regardless of the information’s source.
Impact of Mosby
Mosby is a relatively rare positive development for companies that use biometrics in the midst of an increasingly challenging BIPA legal landscape. In 2019, the Illinois Supreme Court issued its seminal BIPA opinion in Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, holding that actual damages are not required to recover under the Illinois statute, and paving the way for an extremely high volume of BIPA class action lawsuits that have continued apace now for almost four years.
In February 2023, the Illinois Supreme Court further altered the legal landscape with its decision in Cothron v. White Castle Sys., Inc., holding that separate BIPA claims accrue each time biometric information is collected or disclosed in violation of the law, as opposed to only the first instance of non-compliance. Cothron has expanded the scope of potential BIPA liability exposure exponentially, as the opinion allows for the recovery of statutory damages for each instance of BIPA non-compliance—not just the first violation.
Mosby will undoubtedly have a tangible impact on the scope of BIPA liability exposure faced by hospitals and similar health care entities that utilize biometric-powered solutions to facilitate patient care, along with their biometric technology providers. Pursuant to Mosby, health care entities and their technology providers now have a complete defense to BIPA class action claims where the biometric information of health care workers is used for a purpose that relates directly to health care treatment, payment, or operations, as those terms are defined under HIPAA.
What to do now
Challenging a BIPA class action through assertion of Section 10’s health care exemption is a particularly powerful tool that can be utilized at the pleading stage to procure an early dismissal from costly, bet-the-company biometric privacy litigation. Importantly, however, the Illinois Supreme Court did not construe the health care exemption as a broad, categorical exclusion of all biometric information collected from health care workers. Instead, the health care exemption found in Section 10 only excludes from BIPA’s protections the biometric information of health care workers where that information is collected, used, or stored for purposes of health care treatment, payment, or operations, as those functions are defined by HIPAA.
Thus, for example, a health care worker’s biometric information, used to permit access to controlled medication dispensing stations for patient care, would fall under “information collected, used, or stored for health care treatment, payment, or operations under [HIPAA],” exempting such data from the scope of BIPA pursuant to Section 10. Conversely, the use of health care worker biometric information for purposes of tracking worker time and attendance—such as through the use of a biometric-powered fingerprint timeclock—could potentially fall outside the scope of the health care exemption.
As such, health care entities, as well as technology vendors that supply biometric-powered solutions to the health care sector, should complete an assessment to ascertain whether the health care exemption at issue in Mosby applies to its specific operations. To do so, companies that operate or otherwise do business in the health care sector and utilize biometric information should consult with experienced biometric privacy counsel, who can assist in evaluating whether BIPA’s health care exemption extends to their specific operations—as applicability of the exemption will likely turn on the purposes for which health care employee biometric information is used.
About the author
David J. Oberly is Of Counsel in the Washington, D.C. office of Baker Donelson, and a member of the firm’s Biometric Privacy, Artificial Intelligence, and Data Protection, Privacy & Cybersecurity practices. Recognized as “one of the nation’s foremost thought leaders in the biometric privacy space” by LexisNexis, David’s practice focuses on counseling and advising clients on a wide range of biometric privacy, artificial intelligence, and data privacy/security compliance and risk management matters. In addition, David has deep experience in litigating bet-the-company BIPA class action disputes. He is also the author of Biometric Data Privacy Compliance & Best Practices—the first and only full-length treatise of its kind to provide a comprehensive compendium of biometric privacy law. He can be reached at firstname.lastname@example.org. You can follow David on X at @DavidJOberly.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.