Illinois Supreme Court: Finger-Scan Information Collected by Healthcare Providers to Access Medications Is Exempt From BIPA Liability

On November 30, 2023, the Illinois Supreme Court unanimously held in Mosby et al. v. The Ingalls Memorial Hospital et al. that when biometrics of healthcare employees are collected in the course of providing medical services, that biometric collection is exempt from the Illinois Biometric Information Privacy Act (BIPA).


The plaintiff, Lucille Mosby, was a registered nurse employed by UChicago Medicine Ingalls Memorial Hospital. She alleged that she used a medication dispensing system that required her to scan her finger on a device in order to access the medication. Another plaintiff in the case, Yana Mazya, was a registered nurse at Northwestern Medicine Lake Forest Hospital. Mazya, along with Tiki Taylor, a patient care technician, sued the hospital. They alleged that the healthcare providers required scans of fingerprints for identification to access medication dispensing systems and to gain authorized access to stored materials and medications for patients.

The defendants argued that Section 10 of BIPA exempted this collection from the scope of BIPA. Specifically, Section 10 provides that “information collected, used, or stored for health care treatment, payment, or operations under” the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is not a biometric identifier and is therefore exempt from BIPA. In its opinion, the court homed in on whether this exclusion “includes a health care worker’s biometric information used to access patient medications and provide patient care.” The court answered that narrow question in the affirmative, holding that the exclusion does apply to collection and use of a healthcare worker’s biometric information to access patient medications and to provide patient care.

In its analysis, the court reasoned that the phrase “under HIPAA” in the statutory text made “clear that the legislature was directing readers to HIPAA to discern the meaning of those terms.” The terms “treatment, payment, [and] operations” are defined terms under HIPAA. Healthcare includes “care, services, or supplies related to the health of an individual,” including the “sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.” Treatment means the “provision, coordination, or management of health care and related services by one or more health care providers,” including “the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.” The term “payment” includes “activities undertaken by *** [a] health care provider or health plan to obtain or provide reimbursement for the provision of health care.” Finally, “health care operations” means, in part, “the following activities of the covered entity to the extent that the activities are related to covered functions”: conducting quality assessment and improvement activities, including, among other things, patient safety activities and protocol development; reviewing the competence or qualifications of healthcare professionals; and conducting or arranging for medical review and auditing functions, including fraud and abuse detection and compliance programs.

Reviewing these defined terms in HIPAA, the court explained:

Therefore, the legislature’s decision to use the phrase “health care treatment, payment, and operations” and to immediately follow it with the prepositional phrase “under [HIPAA]” makes clear that the legislature was directing readers to HIPAA to discern the meaning of those terms. HIPAA’s definitions of these terms relate to activities performed by the health care provider—not by the patient.

The court ultimately held that BIPA “excludes from its protections the biometric information of health care workers where that information is collected, used, or stored for health care treatment, payment, or operations as those functions are defined by HIPAA. A health care worker’s biometric information, used to permit access to medication dispensing stations for patient care, falls under ‘information collected, used, or stored for health care treatment, payment, or operations under [HIPAA]’ and is exempt from the Act’s protections pursuant to section 10 of the Act.” See 740 ILCS 14/10.

This holding by the court is the first major victory for the defense bar in BIPA cases before the court. Practitioners, however, should be wary of attempts to expand this holding to argue that it creates a categorical exclusion of biometric identifiers taken from healthcare workers. Indeed, the court cautioned that it was not creating a “broad, categorical exclusion of biometric identifiers taken from health care workers.”

© 2024 McDermott Will & Emery
National Law Review, Volume XIII, Number 342