As previously noted, the Illinois Biometric Information Privacy Act (BIPA) has invited a great deal of litigation, often resulting in interpretations favorable toward plaintiffs. As a result, we advise employers who use biometric technology in Illinois workplaces to adhere carefully to their obligations under BIPA. While that advice won’t change, employers operating in the health care sector can take some – though not too much – comfort in a recent ruling that limits their exposure under this law.
In Mosby v. Ingalls Memorial Hospital, the Illinois Supreme Court delved into a lengthy analysis of several of BIPA’s plain words and phrases to conclude that the biometric information of health care workers collected, used, or stored for health care treatment, payment, or operations is excluded from BIPA’s purview. In other words, for the first time, the state’s highest court has found an exception – albeit a narrow one – that limits employer liability under BIPA.
A Lesson in Statutory Construction: Every Word Counts
BIPA’s definitions section includes an explanation of the term “Biometric identifier.” The text of this definition begins with a succinct list of possible forms of biometric data (i.e., “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry”), followed by five detailed sentences that set forth things that are NOT biometric identifiers for purposes of this law. Among these is the following phrase:
Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996. [Emphasis added].
Following the guiding principle that each word in a statute is to be “given a reasonable meaning and not rendered superfluous,” the Court analyzed the plain meaning of the statute’s language, focusing on a simple word – “or” – to conclude that the Illinois legislature clearly intended that enumerated criteria for exceptions from the statute’s definition of protected biometric identifiers are not lumped together.
Specifically, the Court found that the use of “or” as a disjunctive in the above phrase connotes two different alternatives and thus exempts from BIPA data or information that satisfies either statutory criterion. Further parsing the statute’s text, the Court held that, by using the word “information” at the beginning of two separate clauses, the legislature indicated that each of the two clauses generally exempts a different specified category of information. The Court gave “under” the natural interpretation of “subject to the authority, control, guidance, or instruction of” HIPAA.
Next, applying the nearest-reasonable-referent canon of statutory construction—also known as the last antecedent rule, which provides, “when syntax in a legal instrument involves something other than a parallel series of nouns or verbs, a prepositive or postpositive modifier normally applies only to the nearest reasonable referent”—the Court acknowledged that the second sub-exclusion is not limited to information captured from a patient. Adhering to the jurisprudential principle that a series-qualifier canon is highly sensitive to context, the Court decided the qualifying phrase “under HIPAA” only applied to the second sub-exclusion, noting that the application of last antecedent is limited by “the intent of the legislature, as disclosed by the context and reading of the entire statute.” Because the Illinois legislature borrowed from HIPAA regulations throughout BIPA, the Court held the legislature’s decision to use the phrase “health care treatment, payment, or operations”—followed by the prepositional phrase “under [HIPAA]”—makes clear that the legislature was directing readers to HIPAA to discern the meaning of those terms, which relates to activities performed by the health care provider [and/or its employees] and not by the patient.
The Takeaway for Illinois Health Care Employers: Limited Relief From BIPA
The Mosby decision does not extend a broad, categorical exclusion to the entire health care industry. Since HIPAA defines “operations” as conducting quality assessment and improvement activities (including, among other things, patient safety activities and protocol development; reviewing the competence or qualifications of health care professionals; and conducting or arranging for medical review and auditing functions, including fraud and abuse detection and compliance programs), the activities of “the covered entity to the extent that the activities are related to covered functions” are exempt and/or otherwise excluded under BIPA.
At issue in the underlying action was nurses’ biometric information collected, used, and stored in connection with their access to medications and medical supplies for patient health care treatment. Such data is excluded from coverage under BIPA because the information was collected, used, or stored for health care treatment, payment, or operations as defined under HIPAA. Accordingly, the Illinois Supreme Court reversed the appellate court and remanded the case to the circuit court for further proceedings.
While the Mosby plaintiff did not prevail, health care employers should not construe this case as absolution from all BIPA obligations. The exclusion applies to providers engaged in the activities set forth by HIPAA but may not extend to workers that are not clearly involved in health care treatment, payment, or operations. Thus, we continue to counsel caution and compliance when collecting, using, or storing biometric data in Illinois.
Elizabeth A. Ledkovsky contributed to this article.