On November 30, 2023, the Illinois Supreme Court dismissed further expansion of the application of the 2008 Illinois Biometric Privacy Act (“BIPA”) after years of rulings expanding its reach. In Mosby v. The Court, the Court rejected further expansion of the application of BIPA. As a result of a decision by Ingalls Memorial Hospital, BIPA is not violated when employee biometric data is collected, used, and stored for the purposes of health care treatment, payment, or operations.
Defendant nurse instructed onsite medication dispensing machine to regularly collect and store her fingerprints without her consent, as required under BIPA. She filed a class action lawsuit. As a result of the 2008 Act, information captured in a health care setting or collected, used, or stored under HIPAA for the purposes of treatment, payment, or operations is excluded from the definition of protected biometric identifiers.
A health care professional’s biometric information was collected and stored without following BIPA’s notice and consent requirements, according to the Plaintiff, according to BIPA. Defendants claimed that BIPA excluded such collections from protection because they are supporting a patient’s “health care treatment, payment, or operations under HIPAA.”
Having examined the textual and linguistic information in detail, the Court concluded that even if the information is collected and stored without notice or consent, it does not violate BIPA when it is collected and stored in the course of health care treatment, payment, and health care operations.
The ruling strengthens the security of health care-related information technology systems and thus, the safety of patients, by allowing employees to easily use biometric information to control access and ensure the right healthcare professional is dispensing the correct medications for patients.
In addition, as part of the overall health care operations and treatment process, the Court recognized the importance of ensuring the integrity and accuracy of health care services.
As a result of the Court’s decision, what has become something of a weapon in business litigation has been blunted for the first time, and BIPA lawsuits have exploded since the Supreme Court ruled in 2019 that plaintiffs may sue for violations of BIPA regardless of whether non-compliance caused harm.
In addition to providing specific guidance on the clauses at issue, the Court’s decision suggests a willingness to examine competing privacy rights in a more measured and balanced manner. In a health care environment, focusing solely on individual privacy may result in overlooking broader security and safety concerns. The Court’s current ruling illustrates how such competing interests can be balanced more reliably for both parties to benefit.
