unanimously holding that the BIPA’s exclusion for “information collected, used, or stored for health care treatment, payment, or operations under [the HIPAA]” can apply to the biometric data of health care workers (not only patients). The Supreme Court determined that the relevant sentence of § 10 excludes from the definition of “biometric identifier” data that may be collected in two distinct (rather than overlapping) scenarios – namely, biometric identifiers do not include (i) information captured from a patient in a health care setting or (ii) information collected, used, or stored for health care treatment, payment, or operations under HIPAA. Id. ¶ 37 (“[T]he phrase prior to the ‘or’ and the phrase following the ‘or’ connotes two different alternatives. The Illinois legislature used the disjunctive ‘or’ to separate the [BIPA’s] reference to ‘information captured from a patient in a health care setting’ from ‘information collected, used, or stored for health care treatment, payment, or operations under [the HIPAA].’Pursuant to its plain language, information is exempt from the [BIPA] if it satisfies either statutory criterion.”) (internal citations omitted). The Supreme Court agreed with the defendants that the two categories of information are different because information excluded under the first clause originates from the patient, whereas information excluded under the second clause may originate from any source. Regarding the second clause, the Supreme Court observed that the Illinois legislature borrowed the phrase “health care treatment, payment, and operations” from the federal HIPAA regulations. Accordingly, the Supreme Court determined that “the legislature was directing readers to the HIPAA to discern the meaning of those terms,” which meanings “relate to activities performed by the health care provider – not by the patient.” Id. ¶ 52. Thus, the Supreme Court held that a health care worker’s data used to permit access to medication- dispensing stations for patient care qualifies as “information collected, used, or stored for health care treatment, payment, or operations under [the HIPAA]” and is exempt from the statute’s scope. The Illinois Supreme Court’s decision in Mosby comes as welcome news for companies facing privacy- related class actions – particularly those operating in the health care space. Relying on Mosby , defendants will likely add the BIPA’s “health care exception” to their arsenal of defenses in a wider array of cases moving forward. Importantly, for purposes of the second “HIPAA prong” of the statute’s “health care exception,” federal HIPAA regulations govern the definitions of the terms “health care treatment,” “payment,” and “operations.” Given that the regulatory definitions of those terms are broad, see 45 C.F.R. § 160.103 and § 164.501, defendants in BIPA litigation will likely test the breadth of the exception in future cases presenting facts that may be less obviously tied to health care treatment, health care payment, and/or health care operations compared to the facts at issue in Mosby . In Rogers, et al. v. BNSF Railway Co., 2023 U.S. Dist. LEXIS 113278 (N.D. Ill. June 30, 2023), the plaintiff filed a class action lawsuit alleging that BNSF unlawfully required truck drivers entering the company ’ s facilities to provide their biometric information through a fingerprint scanner. He claimed that BNSF collected the drivers’ fingerprints without first obtaining informed written consent or providing a written policy that complied with the BIPA and therefore violated §§ 15(a) and (b) of the BIPA. BNSF argued that it did not operate the biometric equipment and instead sought to shift blame to a third-party vendor who operated the biometric equipment that collected the drivers’ fingerprints. The case proceeded before a jury (the first time any class action had gone to a full trial with claims under the BIPA). Following the jury ’ s finding of liability, the court entered a judgment against BNSF in the amount of $5,000 per violation, for a total amount of $228 million. BNSF moved to vacate the judgment or for a new trial, and the court granted the motion. The court ordered a new trial in which jurors would be informed that damages are optional in BIPA cases, and be provided the chance to determine penalties themselves. The court also ruled that a jury should also be allowed to determine the amount of penalties in such a case due to the U.S. Constitution ’ s Seventh Amendment right to trial by jury. The new trial would be limited solely to whether BNSF should have to pay damages, and if so, the amount of damages. The court did not vacate the portion of jury finding that BNSF should be held liable for its fingerprint collection system breaching BIPA. (Subsequently, the case settled.)
18
© Duane Morris LLP 2024
Duane Morris Privacy Class Action Review – 2024
Made with FlippingBook - professional solution for displaying marketing and sales documents online