State high court finds medical personnel exemption to biometric information privacy law

231130-bipa-opinion-lead-aa

Justice David Overstreet wrote the unanimous opinion for a case in which the Illinois Supreme Court found that the state’s Biometric Information Privacy Act does not apply to health care workers required to use fingerprint scanners to dispense medicine. | Capitol News Illinois illustration by Andrew Adams

The Illinois Supreme Court on Thursday ruled the state’s strongest-in-the-nation biometric information privacy law does have an exemption: health care workers who use fingerprints or similar scans to access things like medication, materials or patient health information.

The nurses alleged their hospitals’ use of these medicine cabinets violated Illinois’ Biometric Information Privacy Act by not properly notifying them or their colleagues when their fingerprints were collected and stored.

But the hospitals maintained BIPA has a built-in exemption for the collection, use and storage of biometric information needed for “health care treatment, payment or operations” under the federal Health Insurance Portability and Accountability Act, or HIPAA.

Writing for his colleagues, Justice David K. Overstreet sided with the hospitals, citing the law’s “plain language” exemption to health care workers’ biometric information being “used to permit access to medication dispensing stations for patient care.”

In oral arguments in front of the court in September, the nurses’ attorney Jim Zouras claimed siding with the hospitals would mean “the General Assembly decided that as much as 10 percent of the Illinois workforce should have no biometric privacy protection whatsoever simply by virtue of working in the health care field.”

Read more: As state Supreme Court weighs another BIPA lawsuit, lawmakers mull child data privacy framework

But the court’s opinion countered that claim.

“We are not construing the language at issue as a broad, categorical exclusion of biometric identifiers taken from health care workers,” Overstreet wrote. “Here, the nurses’ biometric information, as alleged in the complaints, was collected, used, and stored to access medications and medical supplies for patient health care treatment and is excluded from coverage under the Act because it is ‘information collected, used, or stored for health care treatment, payment, or operations under [HIPAA].’”

While an appellate court had sided with the nurses, the supreme court reversed that decision, agreeing with the circuit court judge’s original finding.

The Illinois Health and Hospital Association, which filed an amicus brief in the case, praised the court’s ruling on Thursday.

“Today’s decision correctly interprets that the legislature intended an exemption for biometric information when it is being used for ‘treatment,’ ‘payment’ and ‘operation’ purposes – such as fingerprint scans to access medical cabinets to efficiently dispense lifesaving medications, while also preventing drug diversion,” IHA spokesperson Paris Ervin said in a statement. “We are pleased that today’s decision will allow hospitals and healthcare providers to focus on what they do best – care for their patients and communities.”

Industrywide implications

Thursday’s opinion is a departure from the court’s recent rulings in other cases related to BIPA, the law that allows individual customers and employees to sue businesses that don’t properly disclose the collection or storage of information like fingerprint, face, eye or voice scans.

BIPA-related litigation has exploded in the last several years as the widespread adoption of scanning technology has caught up to concepts envisioned in the 2008 law. Illinois was the first state to adopt such a law 15 years ago, and though two other states have imitated the statute, Illinois’ is the only law that allows a private right for individuals to sue.

Since roughly 2018, upwards of 2,000 suits have been filed under BIPA, followed by several high-profile, high-dollar settlements – including a $650 million class-action settlement with Facebook in 2020.  The social media giant paid more than 1 million Illinoisans over $400 each.

Earlier this year, the state’s high court issued two rulings strengthening BIPA. In the first case, a unanimous majority found the law unequivocally provided a five-year statute of limitations on lawsuits against companies that collected biometric information from employees or customers without proper notice – instead of the one-year time limit argued by the business community.

Read more: Illinois’ biometric privacy law strengthened by latest high court ruling

Two weeks later, a divided court ruled that each time a person’s biometric data is collected constitutes a separate violation of BIPA, which under the law means $1,000 in damages for “negligent” violations or $5,000 for “reckless” or “intentional” violations. However, the court didn’t address how damages can accrue under BIPA, meaning it’s still unclear whether each violation means another $1,000 or $5,000 can be added to calculate a total for damages.

Read more: Court rulings supercharge Illinois’ strongest-in-nation biometric privacy law

Last year, in the first jury trial test of the law, a federal jury granted $228 million in damages in a class-action case against BNSF Railways. But the railroad was granted a new trial this summer, wiping out the award. BNSF ultimately settled the case in September.

All those legal developments have sparked lobbying efforts from industry groups representing business interests, which have been pushing for amendments to BIPA for the last few years.

Negotiations to possibly reopen BIPA to address the high court’s February rulings fell apart during the final weeks of the General Assembly’s spring legislative session in May.

Miss Clipping Out Stories to Save for Later?

Click the Purchase Story button below to order a print of this story. We will print it for you on matte photo paper to keep forever.

Current Weather

MON
51°
30°
TUE
40°
35°
WED
45°
41°
THU
51°
48°
FRI
55°
47°

Trending Stories