New BIPA Decision from the Illinois Supreme Court on the Healthcare Exemption
by Abigail E. Rocap and Viridiana Marcial
In a big win for the healthcare industry and healthcare policyholders, on November 30, 2023, the Illinois Supreme Court issued its much-anticipated decision in Mosby v. The Ingalls Memorial Hospital. The Court held that the exemption in Section 10 of the Biometric Information Privacy Act (“BIPA”) applied to employee biometric information collected for identification purposes to access medical dispensing systems. Section 10 provides as follows: “Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under [HIPAA]” (the “Healthcare Exemption”).
The Mosby case arose from two consolidated cases that were filed against certain Illinois hospitals and their medical device vendors. In each lawsuit, the plaintiffs, who were registered nurses employed by the defendant hospitals, alleged that the respective facilities required employees to scan their fingerprints for identification into medical dispensing systems that provided materials for patient care. The plaintiffs alleged the defendants violated BIPA by using the devices to collect, use, store, and disclose their biometric data without complying with BIPA’s notice and consent provisions.
The defendants filed motions to dismiss arguing that the biometric data was collected for health care treatment and operations pursuant to HIPAA and, thus, the data was excluded under the Healthcare Exemption. The trial courts denied the defendants’ motions to dismiss, holding that the Healthcare Exemption did not apply because it was limited to patient information protected under HIPAA, not the biometric information of health care employees. On a consolidated appeal, the Illinois Appellate Court agreed with the trial courts and found that the Healthcare Exemption did not apply.
The Illinois Supreme Court disagreed. In its decision, the Court focused on whether the language following “or” in the Healthcare Exemption, i.e., “information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under [HIPAA],” refers exclusively to a patient’s biometric information (as the lower courts found) or includes a health care worker’s biometric information used to access patient medications and provide patient care.
The Court relied on Illinois case law finding that the word “or” connotes a disjunctive, as well as Illinois case law requiring that each word in a statute be given a reasonable meaning and not rendered superfluous. The Court held that the first part of the Healthcare Exemption excludes information from a particular source – i.e., a patient in a health care setting – and the second part excludes information used for a particular purpose – i.e., health care treatment, payment, or operations (regardless of the information’s source).
The Court also addressed the “under HIPAA” language in the second part of the Healthcare Exemption. The Appellate Court had concluded that “under” HIPAA meant the Healthcare Exemption only applied to information protected by HIPAA, i.e., patient information. The Court disagreed, finding that the reference “under” HIPAA defines the meaning of the words immediately preceding it, i.e., “health care treatment, payment, or operations.” The Court explained that HIPAA’s definitions of those terms relate to activities performed by the health care provider, not the patient. As such, the Court found that the plain language of the Healthcare Exemption excludes biometric information of health care workers when that information is collected, used, or stored for health care treatment, payment, or operations, as those functions are defined in HIPAA. Accordingly, a healthcare worker’s biometric information used to access medication dispensing stations for patient care falls within the Healthcare Exemption.
Finally, the Court responded to concerns that the defendants were seeking a broad exemption of the entire health care industry. The Court stated that it was “not construing the language at issue as a broad, categorical exclusion of biometric identifiers taken from health care workers.” The Court noted that its ruling is based on the specific allegations at issue, which concerned “information collected, used, or store for health care treatment, payment or operations under HIPAA.”