On February 25, 2022, an Illinois appellate court held that finger-scan information collected by a healthcare provider from its employees does not fall within the Illinois Biometric Information Privacy Act’s (BIPA) exclusion for “information collected, used, or stored for health care treatment, payment[,] or operations under the federal Health Insurance Portability and Accountability Act of 1996” (HIPAA).
In Mosby et al. v. Ingalls Memorial Hospital, et al., the lead plaintiff alleged that she was employed as a registered nurse and was required to scan her fingerprint to gain access to a medication dispensing system. She further alleged that she did not receive the disclosures required by BIPA or provide informed written consent to the collection of her biometric information.
Defendants argued that their conduct was exempt from BIPA. At issue was Section 10 of BIPA, which provides the following exclusion:
“Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under [HIPAA].”
Defendants argued that the medication dispensing system is for healthcare and treatment as those terms are defined by HIPAA and that the medication dispensing system aids in patient safety, quality of care, and billing by providing an audit trail for diversion, fraud, and abuse detection.
In response to a certified question from the trial court at the motion to dismiss stage, the Illinois appellate court rejected defendants’ position. The court held that the exemption for “information collected, used, or stored for healthcare treatment, payment, or operations under [HIPAA]” only applies to information protected “under HIPAA,” which the court concluded is limited to patient information. The court also expressed concern that defendants’ reasoning would have the effect of excluding hospitals from BIPA, when the statute does not so provide.
This decision is a setback to healthcare providers that have sought to avoid BIPA claims by pointing to their use of alleged biometric information from employees for healthcare treatment, payment, or operations. Hospitals and other healthcare providers in Illinois should ensure that, prior to collecting any biometric information from employees, they have met BIPA’s requirements.