By Gerald L. Maatman, Jr. and Tyler Zmick
Duane Morris Takeaways: In the latest ruling in the biometric privacy class action space, the Illinois Supreme Court embraced a broad reading of the “health care exception” in the Illinois Biometric Information Privacy Act (“BIPA”) in Mosby v. Ingalls Memorial Hospital, 2023 IL 129081 (Ill. Nov. 30, 2023). The Illinois Supreme Court held that the statute excludes from its scope data collected in two separate and distinct scenarios: (1) “information captured from a patient in a health care setting”; and (2) information collected “for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).” Unlike clause (1), the Supreme Court held that the exception in clause (2) is not limited to data obtained from patients and serves to exclude information that originates from any source.
The Mosby ruling is welcome news to BIPA defendants and companies operating in the health care space. In the wake of the decision, courts likely will be asked to define the exact contours of the BIPA’s broadened “health care exception” in cases presenting facts that are less obviously tied to health care treatment, payment, or operations compared to the facts at issue in Mosby.
Case Background
The Plaintiffs in Mosby were nurses who claimed that their hospital-employers required them to use a fingerprint-based medication-dispensing system to verify their identities. Plaintiffs sued their employers and the company that distributed the medication-dispensing system, alleging that Defendants violated §§ 15(a), 15(b), and 15(d) of the BIPA by using the medical-station scanning device to collect, use, and/or store their “finger-scan data” without complying with the BIPA’s notice-and-consent requirements and by disclosing their purported biometric data to third parties without first obtaining their consent.
Defendants moved to dismiss in the trial court, arguing that the claims failed because Plaintiffs’ data was specifically excluded from the BIPA’s scope under § 10 of the statute, which states that “[b]iometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under [the HIPAA].” 740 ILCS 14/10. Defendants argued that the latter clause applied in that Plaintiffs’ fingerprints had been used in connection with Plaintiffs providing medicine to patients, meaning their fingerprints were “collected, used, or stored for health care treatment, payment, or operations under [the HIPAA].” Id.
The trial court denied Defendants’ motions. It ruled that § 10’s “health care exception” was limited to patient information protected under the HIPAA and that the exclusion does not extend to information collected from health care workers.
On appeal, the First District of the Illinois Appellate Court affirmed the denial of Defendants’ motions to dismiss. Echoing the trial court, the Appellate Court determined that the biometric data of health care workers is not excluded from the BIPA’s scope and that the relevant provision of § 10 excluded from the BIPA’s protections “only patient biometric information.” Mosby, 2023 IL 129081, ¶ 16; see id. ¶ 17 (“[T]he appellate court held that ‘the plain language of the statute does not exclude employee information from the [BIPA’s] protections because they are neither (1) patients nor (2) protected under HIPAA.’”) (citation omitted).
Appellate Court Judge Mikva dissented from the majority’s opinion. Judge Mikva opined that the legislature meant to exclude from the BIPA’s scope the biometric data of health care workers “where that information is collected, used, or stored for health care treatment, payment, or operations, as those functions are defined by the HIPAA.” Id. ¶ 19 (citation omitted). Judge Mikva expressed the view that the first part of § 10’s “health care exception” excludes from the BIPA’s coverage information from a particular source (i.e., patients in a health care setting) and that the second part excludes information used for particular purposes (i.e., health care treatment, payment, or operations), regardless of the source of that information.
The Illinois Supreme Court’s Decision
On further appeal, the Illinois Supreme Court agreed with Appellate Court Judge Mikva’s dissent, unanimously holding that the BIPA’s exclusion for “information collected, used, or stored for health care treatment, payment, or operations under [the HIPAA]” can apply to the biometric data of health care workers (not only patients).
The Supreme Court determined that the relevant sentence of § 10 excludes from the definition of “biometric identifier” data that may be collected in two distinct (rather than overlapping) scenarios – namely, biometric identifiers do not include (i) information captured from a patient in a health care setting or (ii) information collected, used, or stored for health care treatment, payment, or operations under HIPAA. Id. ¶ 37 (“[T]he phrase prior to the ‘or’ and the phrase following the ‘or’ connotes two different alternatives. The Illinois legislature used the disjunctive ‘or’ to separate the [BIPA’s] reference to ‘information captured from a patient in a health care setting’ from ‘information collected, used, or stored for health care treatment, payment, or operations under [the HIPAA].’ Pursuant to its plain language, information is exempt from the [BIPA] if it satisfies either statutory criterion.”) (internal citations omitted).
The Supreme Court agreed with Defendants that the two categories of information are different because information excluded under the first clause originates from the patient, whereas information excluded under the second clause may originate from any source. Regarding the second clause, the Supreme Court observed that the Illinois legislature borrowed the phrase “health care treatment, payment, and operations” from the federal HIPAA regulations. Accordingly, the Supreme Court determined that “the legislature was directing readers to the HIPAA to discern the meaning of those terms,” which meanings “relate to activities performed by the health care provider – not by the patient.” Id. ¶ 52.
Thus, the Supreme Court held that a health care worker’s data used to permit access to medication-dispensing stations for patient care qualifies as “information collected, used, or stored for health care treatment, payment, or operations under [the HIPAA]” and is exempt from the statute’s scope.
Implications Of The Decision
After the recent slew of plaintiff-friendly BIPA decisions issued by both state and federal courts, the Illinois Supreme Court’s decision in Mosby comes as welcome news for companies facing privacy-related class actions – particularly those operating in the health care space.
Relying on Mosby, defendants will likely add the BIPA’s “health care exception” to their arsenal of defenses in a wider array of cases moving forward. Importantly, for purposes of the second “HIPAA prong” of the statute’s “health care exception,” federal HIPAA regulations govern the definitions of the terms “health care treatment,” “payment,” and “operations.” Given that the regulatory definitions of those terms are broad, see 45 C.F.R. § 160.103; id. § 164.501, defendants will likely test the breadth of the exception in future cases presenting facts that may be less obviously tied to health care treatment, health care payment, and/or health care operations compared to the facts at issue in Mosby.