As previously noted, the Illinois Biometric Information Privacy Act (BIPA) has invited a great deal of litigation, often resulting in interpretations favorable toward plaintiffs. As a result, we advise employers who use biometric technology in Illinois workplaces to adhere carefully to their obligations under BIPA. While that advice won’t change, employers operating in the health care sector can take some – though not too much – comfort in a recent ruling that limits their exposure under this law.

In Mosby v. Ingalls Memorial Hospital, the Illinois Supreme Court delved into a lengthy analysis of several of BIPA’s plain words and phrases to conclude that the biometric information of health care workers collected, used, or stored for health care treatment, payment, or operations is excluded from BIPA’s purview. In other words, for the first time, the state’s highest court has found an exception – albeit a narrow one – that limits employer liability under BIPA.

A Lesson in Statutory Construction: Every Word Counts

BIPA’s definitions section includes an explanation of the term “Biometric identifier.” The text of this definition begins with a succinct list of possible forms of biometric data (i.e., “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry”), followed by five detailed sentences that set forth things that are NOT biometric identifiers for purposes of this law. Among these is the following phrase:

Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996. [Emphasis added].

Following the guiding principle that each word in a statute is to be “given a reasonable meaning and not rendered superfluous,” the Court analyzed the plain meaning of the statute’s language, focusing on a simple word – “or” – to conclude that the Illinois legislature clearly intended that enumerated criteria for exceptions from the statute’s definition of protected biometric identifiers are not lumped together.

Specifically, the Court found that the use of “or” as a disjunctive in the above phrase connotes two different alternatives and thus exempts from BIPA data or information that satisfies either statutory criterion. Further parsing the statute’s text, the Court held that, by using the word “information” at the beginning of two separate clauses, the legislature indicated that each of the two clauses generally exempts a different specified category of information. The Court gave “under” the natural interpretation of “subject to the authority, control, guidance, or instruction of” HIPAA.

Next, applying the nearest-reasonable-referent canon of statutory construction—also known as the last antecedent rule, which provides, “when syntax in a legal instrument involves something other than a parallel series of nouns or verbs, a prepositive or postpositive modifier normally applies only to the nearest reasonable referent”—the Court acknowledged that the second sub-exclusion is not limited to information captured from a patient. Adhering to the jurisprudential principle that a series-qualifier canon is highly sensitive to context, the Court decided the qualifying phrase “under HIPAA” only applied to the second sub-exclusion, noting that the application of last antecedent is limited by “the intent of the legislature, as disclosed by the context and reading of the entire statute.”  Because the Illinois legislature borrowed from HIPAA regulations throughout BIPA, the Court held the legislature’s decision to use the phrase “health care treatment, payment, or operations”—followed by the prepositional phrase “under [HIPAA]”—makes clear that the legislature was directing readers to HIPAA to discern the meaning of those terms, which relates to activities performed by the health care provider [and/or its employees] and not by the patient.

The Takeaway for Illinois Health Care Employers: Limited Relief From BIPA

The Mosby decision does not extend a broad, categorical exclusion to the entire health care industry. Since HIPAA defines “operations” as conducting quality assessment and improvement activities (including, among other things, patient safety activities and protocol development; reviewing the competence or qualifications of health care professionals; and conducting or arranging for medical review and auditing functions, including fraud and abuse detection and compliance programs), the activities of “the covered entity to the extent that the activities are related to covered functions” are exempt and/or otherwise excluded under BIPA.

At issue in the underlying action was nurses’ biometric information collected, used, and stored in connection with their access to medications and medical supplies for patient health care treatment. Such data is excluded from coverage under BIPA because the information was collected, used, or stored for health care treatment, payment, or operations as defined under HIPAA. Accordingly, the Illinois Supreme Court reversed the appellate court and remanded the case to the circuit court for further proceedings.

While the Mosby plaintiff did not prevail, health care employers should not construe this case as absolution from all BIPA obligations. The exclusion applies to providers engaged in the activities set forth by HIPAA but may not extend to workers that are not clearly involved in health care treatment, payment, or operations. Thus, we continue to counsel caution and compliance when collecting, using, or storing biometric data in Illinois.

EBG Staff Attorney Elizabeth A. Ledkovsky contributed to the preparation of this post.

Back to Health Law Advisor Blog

Search This Blog

Blog Editors

Authors

Related Services

Topics

Archives

Jump to Page

Subscribe

Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.