2022 IL App (1st) 200822
Ill. App. Ct.2022Background
- Plaintiffs (Mosby and Mazya) are hospital employees required to scan fingerprints to access medication-dispensing systems; they sued hospitals (and related vendors) alleging violations of the Biometric Information Privacy Act (BIPA) for failing to provide notices, retention schedules, consent, and disclosures.
- Defendants moved to dismiss arguing BIPA §10 excludes biometric information “collected, used, or stored for health care treatment, payment, or operations under” HIPAA, so employee fingerprints used in medication systems fall outside BIPA.
- Circuit courts denied defendants’ dismissal motions, concluding the statutory carveout does not encompass employee biometric data and that plaintiffs need not show lack of knowledge or intentionality at pleading stage.
- Defendants sought interlocutory review under Illinois Supreme Court Rule 308; the appeals were consolidated and this court was asked to answer the certified question whether the HIPAA-related exclusion applies to healthcare workers’ biometric information.
- The appellate court answered the certified question in the negative: the §10 exclusion does not cover employee biometrics used in medication-dispensing systems; the case was remanded for further proceedings.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether BIPA §10’s exclusion for “information collected, used, or stored for health care treatment, payment, or operations under” HIPAA covers biometric information of healthcare employees used in hospital medication-dispensing systems | Mosby/Mazya: §10 excludes patient information and information actually protected under HIPAA; employee biometrics are neither and remain protected by BIPA | Northwestern/Ingalls: the disjunctive “or” and the HIPAA-language mean biometric data used in healthcare treatment/payment/operations (including employee fingerprints used to secure medication systems and create audit trails) are excluded from BIPA | No. The exclusion covers (1) information captured from a patient in a health‑care setting and (2) information protected “under” HIPAA. Employee fingerprints are neither patients’ data nor protected under HIPAA, so §10 does not exempt them from BIPA. |
| Whether courts may interpret §10 to add a broad hospital/employee exemption given statutory language and policy considerations | Plaintiffs: statutory text does not create a sweeping hospital/employee exemption; courts cannot rewrite statutes to add such an exemption | Defendants: a broader reading is sensible and aligns with HIPAA policy and HHS guidance encouraging biometrics in health care | The court declined to rewrite or expand the statute; where the legislature wanted blanket exclusions it expressly did so elsewhere in BIPA, so courts must apply §10’s plain language. |
Key Cases Cited
- Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. 2019) (BIPA standing and statutory damages framework)
- Ultsch v. Illinois Municipal Retirement Fund, 226 Ill. 2d 169 (Ill. 2007) (plain‑meaning rule and statutory construction principles)
- Zahn v. North American Power & Gas, LLC, 2016 IL 120526 (Ill. 2016) (court cannot rewrite clear statutory language)
- Goldberg v. Brooks, 409 Ill. App. 3d 106 (1st Dist. 2011) (disjunctive “or” means alternatives considered separately)
- Kaider v. Hamos, 2012 IL App (1st) 111109 (1st Dist. 2012) (clarity of statutory language precludes reading in ambiguity)