Over the last few years, hundreds of putative class actions have been filed under the Illinois Biometric Information Privacy Act (BIPA), which governs the collection, use, and storage of biometric information belonging to Illinois residents. Among the biggest targets of recent BIPA lawsuits are healthcare providers, including hospitals, long-term care facilities, and nursing homes.
Biometric data is no longer just a figment of science fiction writers’ imaginations. In recent times, private companies and governments have begun collecting and using individuals’ biometric data on a routine basis. Biometric technology is most commonly used to identify or verify an individual using that person’s unique biological characteristics, such as fingerprints, facial structure, and voiceprints. Healthcare providers have employed biometric technology in numerous ways already, including monitoring patients’ locations, restricting access to secure areas and facilities to authorized individuals, and tracking employee time, to name just a few.
Most Americans take advantage of the benefits of this technology every day, including by unlocking a smartphone, bank account, or door lock with a thumbprint or image of their face. The convenience and safety advantages inherent in replacing passwords and keys with biometric identifiers have helped generate a boom in the biometric technology industry.
On the other hand, the highly sensitive nature of biometric data has raised privacy and security concerns among the public. In response to these concerns, a few states have enacted statutes that impose numerous requirements on companies that collect, use, store, or transmit biometric data. The most prominent and restrictive of these laws is the Illinois Biometric Information Privacy Act (BIPA). BIPA requires companies subject to its restrictions to obtain written consent from Illinois residents whose biometric data they collect, use, or store, and imposes retention requirements for the data.
Although there are similar laws in Texas and Washington, BIPA is unique in that it provides for a private right of action. BIPA allows for recovery of $1,000 per violation of the statute ($5,000 per reckless or intentional violation), plus fees. Not surprisingly, plaintiffs’ lawyers have filed hundreds of class action lawsuits under BIPA in the last few years alone, with potential damages stretching well into the millions (or even billions) of dollars. Dozens of the BIPA suits filed in Illinois state and federal courts in the last year have been against healthcare providers of all types, including hospitals, skilled nursing facilities, long-term care centers, and home health services.
Healthcare Industry Targeted
The number of BIPA class actions filed against businesses in the healthcare industry has grown over the last year. The industry is an increasing target for BIPA class action claims for two primary reasons.
First, in January 2019, the Illinois Supreme Court held that plaintiffs need not suffer an injury other than a statutory violation to pursue a BIPA claim. Defendants have since struggled to find viable defenses in BIPA class actions, and are often faced with pressure to settle early in litigation.
Second, businesses in the industry are adopting biometric technology for a variety of uses, leaving them particularly vulnerable to claims by employees (and former employees and contractors), as well as visitors and even vendors. Importantly, information collected under Health Insurance Portability and Accountability Act (HIPAA) is not subject to BIPA’s protections and requirements. That said, companies collecting biometric data would be wise to review their policies and practices as they relate to patients, as well. In any event, at least one Illinois appellate court has held that the HIPAA exemption does not apply to medical employee information.
The healthcare industry is seeing “template” cases like those that target many industries. For example, nursing home staff have filed suits arising from their employers’ practice of collecting hand geometry scans for time-keeping or security purposes. These complaints allege that the defendants failed to document to its employees that they were collecting, retaining, or disseminating the biometric data in violation of the statute. BIPA’s consent requirement can be satisfied through the terms of an employment contract, but many employees are unaware of this fact.
Beyond these “low-hanging fruit” BIPA actions, there has been a recent trend of claims particular to healthcare applications of biometric data collection. For example, one recent class action involved a fingerprint scanning system that allowed pharmacists to access pharmacy computer systems. Another BIPA class action, against a hospital, was brought by medical personnel who accessed a medication storage facility via a fingerprint scanning system.
In each of these cases, the plaintiffs allege that the defendant companies failed to obtain their written consent to collect, store, and/or use their biometric information. These suits often also allege that the plaintiffs are not advised, in writing, of the purpose and length of time for which the biometric data would be used, or how the information would be destroyed. Companies must meet each of these BIPA requirements under the statute.
Companies that collect, use, or store biometric data from Illinois residents should review their policies and practices to ensure compliance with BIPA, as well as other state-specific statutes. Even those companies that may not be subject to BIPA would be wise to review their data collection practices, including whether any technology used may inadvertently collect or disseminate biometric data. A number of other states are considering biometric-specific legislation, and federal legislation may be on the horizon. Finally, while there have been few breaches involving biometric data, that is another risk that companies should consider.
About the Authors
Erin Pope is the Senior Vice President, Chief Compliance Officer for Golden Living in Plano, Texas.
Frank Nolan is a litigation partner in the New York office of Eversheds Sutherland. Frank represents companies in litigation arising from BIPA and other consumer protection statutes and counsels clients on complying with these and other laws.
Andrew Weiner, also with Eversheds Sutherland (US) LLP in New York is a not yet admitted to practice.