After years of rulings that have expanded the reach of the 2008 Illinois Biometric Privacy Act ("BIPA"), the Illinois Supreme Court issued a ruling on November 30, 2023 rejecting further expansion of the application of BIPA. The Court, in Mosby v. Ingalls Memorial Hospital, held that employee biometric information that is collected, used, and stored for purposes of health care treatment, payment, or operations under HIPAA does not constitute a violation of BIPA.

The case arose following the filing of a class action lawsuit by a nurse employed by Ingalls Memorial Hospital whose fingerprints had been regularly collected and stored by an onsite medication dispensing machine without her consent as she alleged was required under BIPA. The case centered around the language of the 2008 Act, which excludes from the definition of protected biometric identifiers "information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under [HIPAA]."

In short, the Plaintiff argued that the collection and storage of a health care professional's biometric information without following BIPA's notice and consent requirements violated BIPA. Defendants argued that the technical language of BIPA excludes such collections from protection as they are supporting patient "health care treatment, payment, or operations under HIPAA."

Based on an in-depth textual and linguistic analysis, the Court agreed with Defendants, holding that the collection and storage of such information from employees in the course of health care treatment, payment, or health care operations does not violate BIPA even if performed without notice and consent processes. This ruling effectively strengthens the security of health care-related IT systems, and thus, overall patient safety, by allowing employee biometric information to be readily used to control access and ensure that the appropriate health care professional is dispensing the correct medications for patients. Importantly, the Court functionally recognized the need to ensure the integrity and accuracy of delivery of health care services as part of overall health care operations and treatment.

Additionally, the Court's decision serves as a first blunting of what has become a bit of a weapon in business litigation. BIPA cases exploded following the Court's 2019 ruling that plaintiffs may sue for violations of BIPA regardless of whether the non-compliant collections created harm.

While the Court's decision is specific to the clauses at issue, it also suggests a willingness to explore a more measured and balanced approach to competing privacy rights. Focusing only on safeguarding individual privacy can result in missing broader issues of safety and security, particularly in a health care environment. The Court's present ruling demonstrates that balancing such competing interests can more reliably serve both.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.