On November 30, the Illinois Supreme Court unanimously ruled that the Biometric Information Privacy Act (BIPA) does not apply to health care workers whose fingerprints are collected, stored, and used to access medication and medical supplies.

The underlying case involved claims by a pair of nurses — representing an associated class — who sued their employer, the Ingalls Memorial Hospital (and other associated entities), based on its use of fingerprint-enabled medication storage. The claims alleged that the hospital’s use of fingerprint-enabled storage devices violated BIPA because the hospital failed to properly notify the nurses and their colleagues when their fingerprints were collected and stored[1]. In response, the defendants argued that BIPA has a built-in exception for the collection, use, and storage of biometric information needed for “health care treatment, payment, or operations” under the federal Health Insurance Portability and Accountability Act of 1996, or HIPAA. While the plaintiffs acknowledged the existence of the exemption, they argued that the exemption related exclusively to patients, and not their health care providers.

Accordingly, the Illinois Supreme Court’s ruling centered on whether biometric information (including fingerprint scans), collected from health care workers — as opposed to patients — qualified as “information collected, used, or stored for health care treatment, payment, or operations” under HIPAA, which is expressly excluded from BIPA’s definition of “biometric identifiers.”

The justices were unanimous in reversing the appellate court — reasoning that “the nurses’ biometric information, as alleged in the complaints, was collected, used, and stored to access medications and medical supplies for patient health care treatment and was excluded from coverage under the act because it is ‘information collected, used, or stored for healthcare treatment, payment, or operations under [HIPAA].'” The Illinois Supreme Court was clear, however, that its decision should not be understood as an umbrella exemption of health care workers’ biometric information from the statute. “We are not construing the language at issue as a broad, categorical exclusion of biometric identifiers taken from health care workers,” Justice Overstreet wrote. Rather, it is the context of the information collection that governs BIPA’s purview, with the instant case falling within the exemption because the collection was related to health care treatment, payment, or operations under HIPAA.

The Illinois Supreme Court’s ruling represents a stark departure from the recent onslaught of plaintiff-friendly rulings pertaining to BIPA. In 2023 alone, BIPA defendants have borne witness to three separate and significant defeats. On February 2, the Illinois Supreme Court held that a five-year statute of limitations period applied to all sections of BIPA, partially reversing a previous ruling by the Illinois Appellate Court, which held that a one-year statute of limitations applied in certain instances. On February 17, the Illinois Supreme Court held that a claim is triggered upon each biometric scan rather than just the first — vastly compounding the potential damages available to plaintiffs. Then, on June 26, the U.S. District Court for the Southern District of Illinois held that a claim under BIPA does not require a plaintiff to plead that the data collected is used for identification purposes. Given the prevailing trend of plaintiff-friendly rulings, this holding is an altogether unexpected result.

Takeaway

Companies implicated by this ruling should swiftly engage counsel to apprise both plaintiffs and the court of their newly established defense. This ruling will result in millions saved on attorneys’ fees, litigation expenses, and settlement costs. However, companies should not relax merely because a single defendant-friendly ruling has finally been issued under BIPA. Private entities collecting biometric information must remain vigilant in their efforts to comply with BIPA and other associated privacy protections. Indeed, the exposure that BIPA presents is too significant to risk litigation. Over the last five years, upwards of 2,000 suits have been filed under BIPA, including several high-exposure settlements, such as a $650 million class-action settlement in 2020, wherein the defendant ultimately paid more than $400 each to more than one million Illinoisans. And just last year, in the first jury trial test of the law, a federal jury granted $228 million in damages in a class-action case against BNSF Railways — though the railroad was granted a new trial this summer, which wiped out the award, leading BNSF to ultimately settle the case in September. Given the dearth of technical defenses to the statute, private entities must institute policies and practices that satisfy the statute’s strictures and should engage counsel to ensure full compliance before litigation becomes inevitable.

[1] Cases involving fingerprint scans are at the forefront of BIPA litigation, with an Illinois court recently issuing the first summary judgment win for a BIPA class. In Thompson v. Matcor Metal Fabrication Inc., a class of metal fabricators won a pre-trial liability judgment regarding claims that their employer unlawfully required members to participate in fingerprint-scanning protocols in violation of BIPA.