Illinois clinics must comply with BIPA to avoid costly lawsuits. The Illinois Biometric Information Privacy Act (BIPA) regulates how businesses handle biometric data like fingerprints and facial scans. Clinics are required to:
- Obtain written consent before collecting biometric data.
- Publish a data retention policy specifying how long data is stored and when it will be destroyed.
- Secure biometric data with industry-standard protections, similar to Social Security numbers.
- Avoid sharing biometric data without explicit consent.
Non-compliance can result in penalties of $1,000 per negligent violation or $5,000 per intentional violation. Recent lawsuits, like Cothron v. White Castle, highlight the financial risks, with damages reaching billions.
Healthcare exemptions apply to data used for treatment, payment, or operations under HIPAA. However, administrative uses, like employee timekeeping or patient check-ins, require strict BIPA compliance. Clinics should audit their systems, implement consent workflows, and align with BIPA to protect both patients and staff.
Types of Biometric Data Covered by BIPA
BIPA Covered vs Excluded Biometric Data Types for Illinois Clinics
What Counts as Biometric Data
Under Illinois BIPA, the term "biometric identifier" has a very specific definition. According to 740 ILCS 14/10, it includes:
- Fingerprints (commonly used in timekeeping systems for employees)
- Retina or iris scans (eye-based identification methods)
- Voiceprints (used in voice recognition technology)
- Scans of hand or face geometry (found in facial recognition or palm scanning systems)
Additionally, BIPA extends its scope to any data derived from these identifiers that can uniquely identify an individual. This is particularly relevant for aesthetics and wellness clinics that use facial analysis tools for cosmetic consultations or skin assessments. For example, if a device maps facial geometry to illustrate potential treatment outcomes, it could fall under the biometric data category regulated by BIPA.
The "derived from" rule is a key aspect of the law. For instance, standard photographs or physical descriptions are not considered biometric data. However, if software analyzes a photograph to extract facial geometry and creates a unique identifier, that process would be regulated under BIPA. On the other hand, BIPA excludes several types of data commonly used in clinical settings.
What BIPA Does Not Cover
BIPA explicitly excludes certain types of data, many of which are often used in medical and clinical environments. For example, diagnostic imaging intended for medical purposes - such as X-rays, CT scans, MRIs, PET scans, and mammograms - is not classified as biometric data under BIPA. These images are used to diagnose or treat medical conditions and are outside the law's scope.
Other exclusions include writing samples, written signatures, photographs, demographic information (like birth dates or addresses), and physical descriptions (such as height, weight, hair color, eye color, or tattoos). Biological samples used for scientific testing, donated organs or tissues, and blood or serum stored for transplants are also exempt.
Clinics also benefit from specific exclusions tied to healthcare. Data collected in a healthcare setting for treatment, payment, or operational purposes under HIPAA is not considered a biometric identifier under BIPA. For instance, a facial scan used to diagnose a skin condition would generally be excluded. However, a fingerprint scan used for administrative purposes, like check-ins, would require full compliance with BIPA, including obtaining written consent and adhering to retention guidelines.
| Data Type | BIPA Status | Clinical Examples |
|---|---|---|
| Fingerprints, facial geometry scans | Covered | Employee timekeeping, patient check-in systems |
| Diagnostic imaging (X-rays, MRIs, CT scans) | Excluded | Medical imaging for diagnosis or treatment |
| HIPAA-regulated patient data | Excluded | Records for treatment, billing, or operations |
| Photographs, physical descriptions | Excluded | Standard patient photos, intake form details |
The distinction between clinical and administrative use is crucial. For example, clinics using facial recognition or fingerprint systems for administrative tasks must adhere to BIPA requirements, such as obtaining explicit consent and maintaining a clear retention policy. Meanwhile, diagnostic imaging and other procedures governed by HIPAA remain outside BIPA's jurisdiction.
BIPA Compliance Requirements for Clinics
Clinics aiming to comply with BIPA must focus on obtaining proper consent, safeguarding data with strong security measures, and addressing the specific needs of both employee and patient biometric data.
Written Consent and Notification Rules
Before collecting biometric data, clinics must provide individuals (or their authorized representatives) with a written notice. This notice should clearly explain the type of data being collected, the purpose behind the collection, and the retention period. Written consent, whether through an informed release or an electronic signature, must be obtained before any data is captured.
For employees, this consent can be integrated into employment agreements or provided as a separate document that must be signed before implementing biometric systems like fingerprint-based time clocks. For patients, an explicit acknowledgment is required before capturing biometric data.
Clinics are prohibited from sharing biometric data with third parties unless the individual consents, the disclosure is needed to complete a financial transaction requested by the individual, or it is mandated by law.
Data Security and Retention Requirements
Once consent is secured, clinics must ensure that biometric data is stored and transmitted securely, meeting BIPA's standards. This includes using encryption for data both in transit and at rest, following industry-standard security protocols. Security measures for biometric data should be as stringent as those applied to other sensitive information, such as Social Security numbers or financial account details.
Clinics are also required to establish a publicly available written retention policy. This policy must specify how long biometric data will be retained and outline the procedures for its permanent destruction. Importantly, this policy must be in place before data is collected. Failure to publish a retention policy in advance constitutes a violation of BIPA. For instance, J&M Plating Inc. faced legal consequences for not implementing a retention schedule until years after starting to use fingerprint scanners for employees.
"The court's ruling indicates that the mere failure to have a retention schedule – regardless of whether there is evidence of over-retention of biometric data... is a violation of BIPA." - Data Protection Report
Biometric data must be destroyed either when the original purpose for its collection is fulfilled or within three years of the individual’s last interaction with the clinic, whichever comes first.
| Requirement | Description |
|---|---|
| Written Notice | Must inform individuals that biometric data is being collected or stored. |
| Specific Purpose | Must explain why the biometric data is being collected. |
| Retention Term | Must specify how long the data will be retained. |
| Written Release | Must be signed by the individual or their representative. |
| Public Policy | A written retention and destruction schedule must be publicly accessible. |
| Security Standard | Must follow or exceed industry-standard security protocols. |
Compliance for Employees vs. Patients
It’s essential to differentiate between how BIPA applies to employee and patient data. Biometric data collected for healthcare purposes, such as treatment, payment, or operations under HIPAA, is generally exempt from BIPA. However, biometric data collected for non-healthcare administrative purposes - like employee fingerprint scanners or patient check-ins - requires full compliance, including written consent and retention policies.
For example, a facial scan used to diagnose a medical condition or plan a cosmetic procedure typically falls under the healthcare exemption and does not require BIPA compliance. On the other hand, biometric data collected for non-clinical purposes, such as fingerprint scanners for employee timekeeping or facial recognition for building access, is fully regulated under BIPA.
To ensure compliance, clinics should audit their biometric data collection practices. This includes distinguishing between clinical uses, which may fall under HIPAA exemptions, and administrative uses, which require adherence to BIPA guidelines. Employment contracts for staff should be updated to include BIPA-compliant consent language, and patient data collection processes should be reviewed to determine whether the healthcare exemption applies.
Healthcare Exclusion and Legal Uncertainty
How the Healthcare Exclusion Works
Under BIPA, the healthcare exclusion applies to biometric data collected in healthcare settings when it's used for purposes regulated by HIPAA, such as treatment, payment, or healthcare operations. However, this exclusion is strictly limited to data used for these specific purposes.
For instance, a fingerprint scan used to access medication would fall under the exclusion. On the other hand, using the same fingerprint for general timekeeping purposes would not qualify. Similarly, biometric data collected for research does not qualify for the exclusion, because HIPAA’s definition of "healthcare operations" does not include research activities.
"The health care exception is narrow. The analysis is context-specific and depends on whether the biometrics are 'collected, used, or stored for health care treatment, payment, or operations.'" - Faegre Drinker Biddle & Reath LLP
A notable case, Marino v. Gunnar Optiks LLC (2024), further clarified the scope of this exclusion. The court ruled that customers using virtual try-on tools for non-prescription items do not qualify as "patients" since they are not receiving medical care from licensed professionals.
Recent legal decisions continue to define and challenge the limits of this exclusion.
Court Cases and What They Mean for Clinics
Recent court rulings have shed light on how the healthcare exclusion is applied in practice, while also highlighting areas of legal ambiguity. For example, the Illinois Supreme Court’s decision in Mosby v. Ingalls Memorial Hospital extended the healthcare exclusion to include biometric data from healthcare employees when used for HIPAA-regulated purposes like treatment, payment, or operations. This clarified that the exclusion isn’t limited to patient data - employee biometrics may also fall under its scope when tied to clinical functions.
"BIPA excludes biometric information of healthcare workers when used for HIPAA-defined treatment, payment, or operations." - Illinois Supreme Court
Despite these clarifications, legal uncertainty persists. Federal courts in Illinois are divided over whether the August 2, 2024 amendment - which limits damages to one violation per person rather than "per scan" - can be applied retroactively. In Gregg v. Central Transport LLC, the court ruled that it does apply retroactively, while in Schwartz v. Supply Network, Inc., the ruling was that it only applies moving forward.
Given these uncertainties, legal experts strongly advise clinics to prioritize compliance. Even if a clinic qualifies for the healthcare exclusion, implementing BIPA-compliant consent and notification processes can serve as a safeguard against shifting legal interpretations and the risk of costly class-action lawsuits. With statutory damages reaching $1,000 per negligent violation and $5,000 per intentional violation, the financial stakes are high.
How to Implement BIPA Compliance in Your Clinic
Identify Where Biometric Data Is Collected
Start by examining your clinic for devices or systems that capture biometric data. This includes fingerprints, facial recognition, iris scans, voiceprints, or hand scans. Common examples are biometric time clocks for tracking employee hours, fingerprint scanners on medication cabinets, and facial recognition cameras at entrances. Don’t overlook patient-facing tools like self-service check-in kiosks or mobile apps that use "selfie" cameras for identity verification.
Next, review contracts with vendors to determine if they process biometric data on your behalf. This step is crucial to ensure you're meeting the "reasonable standard of care" for protecting sensitive information. Mapping out all collection points and uses will prepare you to establish proper consent and notification processes.
Also, differentiate between data regulated by BIPA and data that’s excluded. For instance, x-rays, MRI scans, and CT images aren’t considered biometric identifiers under BIPA. Additionally, if biometric data is used only for HIPAA-covered purposes like treatment or billing, it may fall under the healthcare exclusion. However, non-clinical uses, such as employee timekeeping, typically require full compliance with BIPA.
Develop Consent and Notification Processes
Your written notification must clearly state that biometric data is collected, specify its purpose (e.g., employee time tracking, secure access), and outline the retention period. BIPA also mandates obtaining a "written release" before collecting any biometric information. Electronic signatures, as confirmed in the August 2024 amendment, fulfill this requirement.
Incorporate these consent steps into your workflows. For employees, include BIPA forms in their onboarding paperwork. For patients, add consent language to digital intake forms if you collect biometric data for non-HIPAA purposes. Additionally, publish a retention policy in a visible location, such as your website or waiting room. This policy should specify that biometric data will be destroyed either when it’s no longer needed or within three years of the individual’s last interaction with your clinic, whichever comes first.
"Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse."
– Illinois General Assembly
If you rely on third-party vendors for biometric systems, remember that you remain responsible for any unauthorized disclosures. Conduct regular audits of their compliance measures to ensure they meet BIPA standards. Once your consent processes are in place, integrating them into a practice management platform can simplify compliance.
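The audit and retention steps above can be turned into a repeatable check. The following Python script is an added example, not code from the original article or from any product it mentions: it models a clinic's biometric-data inventory with hypothetical record and policy types, flags collections that lack a prior written release or a retention policy published before collection, and applies BIPA's destruction rule (purpose fulfilled or three years after the last interaction, whichever comes first), including the February 29 edge case in the three-year arithmetic. Field names, the sample records and the sample dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


# Hypothetical record layouts; field names are illustrative, not from any real system.
@dataclass
class RetentionPolicy:
    published_on: date   # date the written retention/destruction schedule was made public
    retention_term: str  # wording shown in the notice given before collection


@dataclass
class BiometricRecord:
    subject_id: str
    data_type: str                          # "fingerprint", "face_geometry", "voiceprint", ...
    purpose: str                            # e.g. "employee timekeeping", "patient check-in"
    collected_on: date
    last_interaction: date                  # last visit / last shift for this subject
    consent_signed_on: Optional[date] = None
    purpose_fulfilled_on: Optional[date] = None
    destroyed_on: Optional[date] = None


def add_years(d: date, n: int) -> date:
    """Add n calendar years; Feb 29 is clamped to Feb 28 when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def destruction_deadline(rec: BiometricRecord) -> date:
    """BIPA rule: destroy when the purpose is fulfilled or three years after the
    last interaction, whichever comes first."""
    three_year_limit = add_years(rec.last_interaction, 3)
    if rec.purpose_fulfilled_on is not None:
        return min(rec.purpose_fulfilled_on, three_year_limit)
    return three_year_limit


def collection_violations(rec: BiometricRecord, policy: Optional[RetentionPolicy]) -> List[str]:
    """Checks that must already be satisfied at the moment data is captured."""
    issues = []
    if rec.consent_signed_on is None:
        issues.append("no written release on file")
    elif rec.consent_signed_on > rec.collected_on:
        issues.append("written release signed after data was collected")
    if policy is None or policy.published_on > rec.collected_on:
        issues.append("retention policy not published before collection")
    return issues


def retention_violations(rec: BiometricRecord, today: date) -> List[str]:
    """Checks on how long the data was (or is being) kept."""
    issues = []
    deadline = destruction_deadline(rec)
    if rec.destroyed_on is None:
        if today > deadline:
            issues.append(f"data retained past destruction deadline {deadline.isoformat()}")
    elif rec.destroyed_on > deadline:
        issues.append(f"data destroyed {(rec.destroyed_on - deadline).days} days after deadline")
    return issues


def audit(records: List[BiometricRecord], policy: Optional[RetentionPolicy],
          today: date) -> Dict[str, List[str]]:
    """Map each subject to its list of compliance issues (empty list means no finding)."""
    return {r.subject_id: collection_violations(r, policy) + retention_violations(r, today)
            for r in records}


# Constructed sample data (not real clinic records).
POLICY = RetentionPolicy(published_on=date(2021, 1, 4),
                         retention_term="until purpose fulfilled, at most 3 years after last visit")
RECORDS = [
    # Consent and policy in order, but still held 3+ years after the last shift.
    BiometricRecord("emp-001", "fingerprint", "employee timekeeping",
                    collected_on=date(2021, 2, 1), last_interaction=date(2021, 11, 30),
                    consent_signed_on=date(2021, 1, 28)),
    # Collected before the retention policy existed (the J&M Plating situation).
    BiometricRecord("pat-042", "face_geometry", "patient check-in",
                    collected_on=date(2020, 12, 15), last_interaction=date(2024, 9, 3),
                    consent_signed_on=date(2020, 12, 15)),
    # Purpose ended on the last shift; destruction happened two weeks late.
    BiometricRecord("emp-017", "fingerprint", "employee timekeeping",
                    collected_on=date(2022, 5, 2), last_interaction=date(2023, 8, 18),
                    consent_signed_on=date(2022, 5, 2), purpose_fulfilled_on=date(2023, 8, 18),
                    destroyed_on=date(2023, 9, 1)),
    # Fully compliant; last interaction on a leap day exercises the date clamping.
    BiometricRecord("pat-077", "face_geometry", "patient check-in",
                    collected_on=date(2024, 2, 29), last_interaction=date(2024, 2, 29),
                    consent_signed_on=date(2024, 2, 29)),
]

if __name__ == "__main__":
    for subject, issues in audit(RECORDS, POLICY, date(2025, 1, 15)).items():
        print(subject, issues or ["ok"])
```

Run it against an export of your own inventory by replacing the constructed `RECORDS` list; the useful output is the per-subject issue list, which maps directly onto the notice, release and retention requirements in the table above. The script only detects problems; the destruction itself still has to be carried out in the system that holds the data and logged there.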
Leverage Practice Management Software for Compliance
Practice management software can automate consent workflows, from collecting electronic signatures to securely storing records of every release. With BIPA’s high penalties for violations, these tools can also provide alerts when biometric data needs to be destroyed - either after fulfilling its purpose or after three years of inactivity.
For example, Prospyr’s HIPAA-compliant platform offers digital intake forms and tools for tracking BIPA consent. Its electronic signature feature satisfies the "written release" requirement, while its centralized system keeps all compliance documentation organized. By embedding BIPA workflows into your patient management system, you reduce administrative overhead and minimize the risk of missing required notifications.
Beyond consent tracking, compliance software can align BIPA requirements with other regulations, such as HIPAA, helping you meet multiple standards efficiently. These platforms also bolster data security by using encryption and access controls to protect biometric information. Integrating such solutions not only simplifies compliance but also demonstrates your clinic’s dedication to safeguarding sensitive data and maintaining patient trust.
Conclusion
For aesthetics and wellness clinics in Illinois, following BIPA regulations isn't just a suggestion - it's the law. Non-compliance comes with steep penalties: $1,000 for each negligent violation and $5,000 for each intentional or reckless one. The $228 million verdict in the first BIPA class-action jury trial underscores just how costly ignoring these rules can be.
But it's not just about avoiding legal trouble. Complying with BIPA safeguards your clients' biometric data - like fingerprints and facial geometry - which is uniquely tied to each individual. As the Illinois General Assembly highlighted, "Biometrics are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions". This makes protecting such data not only a legal obligation but also a moral one.
Getting started on compliance involves a few key steps. First, audit how and where you collect biometric data. Then, set up clear consent and notification procedures before capturing any information. You’ll also need a retention policy that ensures biometric data is destroyed either within three years of the last interaction or once its purpose is fulfilled. These measures show your dedication to keeping sensitive patient and staff data secure. Thankfully, modern tools make these steps easier to implement.
For example, practice management platforms like Prospyr can simplify compliance by automating consent forms with electronic signatures, tracking retention timelines, and centralizing compliance records. These tools not only help meet BIPA requirements but also align with HIPAA standards, cutting down on administrative work and reducing the risk of violations.
Taking these steps doesn't just protect your clinic from lawsuits - it also strengthens trust with your patients. When people see that their biometric data is handled with care and professionalism, they feel more secure choosing your clinic for their treatments.
FAQs
What are the consequences for clinics that fail to comply with Illinois BIPA?
Failure to follow Illinois BIPA regulations can result in hefty financial and legal consequences for clinics. Under the law, individuals have the right to sue businesses that fail to comply. Penalties include $1,000 per violation for negligent breaches and $5,000 per violation for reckless or intentional violations.
Clinics must prioritize understanding and meeting BIPA's requirements to steer clear of these penalties and ensure the security of their patients' biometric data.
What makes BIPA different from HIPAA when it comes to biometric data?
The Illinois Biometric Information Privacy Act (BIPA) is all about regulating how private entities in Illinois handle biometric data - things like fingerprints, facial scans, or voiceprints. Under BIPA, businesses must obtain informed written consent from individuals before gathering their biometric information. On top of that, it enforces strict rules to protect this sensitive data.
On the other hand, the Health Insurance Portability and Accountability Act (HIPAA) is focused on safeguarding protected health information (PHI) in healthcare environments. While HIPAA doesn’t specifically address biometric data collected in healthcare settings, BIPA steps in with additional requirements. For example, aesthetics and wellness clinics handling biometric data outside of traditional healthcare contexts must adhere to BIPA’s extra privacy safeguards.
What types of biometric data are not covered under Illinois BIPA regulations?
Illinois BIPA specifically excludes certain types of data from its scope. These exceptions include writing samples, written signatures, photographs, demographic details, tattoo descriptions, and physical traits like height, weight, hair color, or eye color. It also does not apply to human biological samples used in scientific research, donated organs or tissues, blood or serum for transplants, or medical imaging such as X-rays, MRIs, or mammograms when used for diagnosis or treatment.
These exclusions highlight that BIPA is designed to safeguard sensitive biometric identifiers - like fingerprints, facial scans, and retina scans - rather than general or medical data.