“BIPA” – The Illinois Biometric Privacy Act in the Physician Office
Health care facilities and clinics are using biometric identifiers for recognition and authentication of their employees and patients. The information may include retina or iris scans, fingerprints, voiceprints, hand scans, facial recognition, DNA, and other unique biological information. With the increasing use of biometric technology, physicians should be aware of how the BIPA law affects the handling of this information, as related to both office staff and patients.
Illinois was the first state to pass a law creating standards for how businesses must handle Illinois consumers’ biometric information. The Biometric Information Privacy Act (“BIPA”), passed in 2008, gives individuals the right to control the use of their own biometric data. The most familiar example is fingerprint recognition for smartphone access, but facial and iris recognition are growing in use for building access.
Biometric information includes:
- retina or iris scans,
- hand scans,
- facial geometry,
- DNA, and
- other unique biological information.
BIPA prohibits private companies from collecting or obtaining a person’s biometric identifier or information, unless the company first:
- informs the person in writing that a biometric identifier or biometric information is being collected or stored;
- informs the person in writing of the specific purpose and length of time for which a biometric identifier or biometric information is being collected, stored, and used; and
- receives a written release signed by the subject of the biometric identifier or information.
Therefore, businesses that collect and use biometrics must have their clients or employees sign and return a written form that notifies them that their biometric information is being collected, states the purpose and length of time for which the information is collected, and gives the business permission to collect it. If an individual refuses to grant permission, the business may not collect or use their biometric identifiers.
The BIPA law also prohibits any company from selling or in any way profiting from consumers’ biometric information, and it permits subjects of the technology to sue businesses for money damages when the law is violated (for example, collecting biometric information without obtaining consent).
BIPA and Health Care Facilities and Offices – What About the HIPAA Exclusion?
The increasing use of scan-based technology in health care delivery has resulted in multiple lawsuits against health care facilities that allegedly have not complied with BIPA. The only Illinois Supreme Court ruling interpreting BIPA pertains to biometrics used at Six Flags Amusement Park, so there is not yet a Supreme Court ruling on BIPA in a health care facility. Nonetheless, the court ruled in favor of the plaintiff in the Six Flags case, and most of the lower courts have ruled against the health care and other defendants who have been alleged to have violated BIPA. In addition to various lawsuits, multiple legislative amendments have been filed, resulting in great flux in the application of this law.
One of the reasons for controversy in the health care sector is that the BIPA law excludes patient information used for treatment, payment, and health care operations as defined under the HIPAA rules. Many health care defendants who have been sued for BIPA violations have argued this exclusion as a defense; in other words, they do not need to notify or obtain permission for collecting biometric identifiers used to identify and authorize persons who may have access to records or medications to treat patients.
Section 10 of BIPA states that biometric identifiers and information “do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996 [HIPAA].” Biometric identifiers also do not include X-rays; CT, MRI, or PET scans; mammography; or other images used to diagnose an illness, so health care providers do not need to obtain a BIPA consent for those procedures.
However, many of the BIPA cases against health care defendants were filed by health care employees who claimed the employer facility did not notify employees or give them the opportunity to consent to the use of biometric identifiers. Employers have argued that the employees’ information (for example, fingerprints) was not covered by the BIPA law (thus, they did not have to notify employees or obtain consent), because the biometric identifier was used for authentication to gain access to medications to be administered to patients. Hospital defendants in BIPA cases have argued that this carve-out for health care applies because the information was “collected, used or stored for health care treatment, payment or operations under [HIPAA].” They conclude that because the employee data is used to access medication for patient care, to bill patients, and to improve patient safety and quality of health care delivery, these purposes all fall under HIPAA and are therefore exempt under BIPA.
This argument has not been successful in most lower courts, and, as discussed above, no higher Illinois court has yet ruled on this issue. Therefore, the ICS recommends that physician practices that wish to use biometric identifiers for employees or patients comply with BIPA. Simply put, this requires the use of a written form notifying the individual of the collection, use, and duration of storage of the information, and obtaining the individual’s written consent. The ICS has created a form that can be accessed here for this purpose.