The Illinois Supreme Court has shielded hospitals and health care equipment maker Becton Dickinson from potentially financially catastrophic class action lawsuits brought by trial lawyers on behalf of nurses who claim their privacy rights were violated when hospitals required them to scan their fingerprints to verify their identity when accessing special drug lockers to dispense patient medication.
The ruling from the unanimous state Supreme Court was delivered Nov. 30. The opinion was authored by Justice David Overstreet, one of the court's two Republican justices.
In the decision, Overstreet and his colleagues agreed that requiring nurses to scan their fingerprints to unlock the medication dispensing drawers did not run afoul of Illinois' stringent biometrics privacy law, because those kinds of scans were protected by an exemption provided to biometric scans conducted "in a health care setting ... for health care treatment, payment or operations" under the federal Health Insurance Portability and Accountability Act (HIPAA).
James Zouras
| Stephan Zouras LLP
"We are not construing the language at issue as a broad, categorical exclusion of biometric identifiers taken from health care workers," Overstreet wrote. "Here, the nurses’ biometric information, as alleged in the complaints, was collected, used, and stored to access medications and medical supplies for patient health care treatment and is excluded from coverage under the Act because it is “information collected, used, or stored for health care treatment, payment, or operations under [HIPAA].”
The decision marked a rare win for employers and other businesses that have been targeted by thousands of potentially very costly class actions under the unique Illinois state law known as the Biometric Information Privacy Act (BIPA.)
Since 2015, a growing cadre of class action law firms have used the law to file thousands of class action lawsuits and amass billions of dollars, collectively, in attorney fees from settlements from businesses frightened by the prospect of facing potential "annihilative" and "catastrophic" payouts at the hands of juries.
Enacted in 2008, the Illinois BIPA law states it is designed to safeguard the unique biometric identifying information of consumers and employees of businesses. These biometric identifiers can include fingerprints, retinas or facial geometry, among others.
The law was inspired by the collapse of the company known as Pay by Touch, which had been among those pioneering the ability of consumers to pay for goods and services by linking their banking information to fingerprints, or other unique biometric identifiers.
To coerce compliance with the law, the BIPA measure included steep financial penalties of $1,000 to $5,000 per violation, depending on how willful plaintiffs can prove the business may have been in not complying with the law.
A sizable portion of the lawsuits that have followed have targeted big tech companies, like headline-grabbing lawsuits against Facebook-parent company Meta and Google, among many others.
However, the vast majority of the litigation to date have targeted employers of all sizes and types in Illinois. Most of those lawsuits have taken aim at companies that require workers to scan their fingerprints or other biometric identifiers to punch in and out of work shifts, or that use face- or voice-scanning tech to monitor employees on the job.
However, a number of those class action lawsuits have also targeted hospitals and health care tech vendors claiming they improperly required nurses to scan fingerprints when they dispensed patient medications from secured drug lockers.
Particularly, many of those lawsuits have taken aim at Becton Dickinson and hospitals that use its Pyxis medication dispensing systems, which are designed to allow nurses to ensure patients accurately receive their medications, while reducing the risk of drug theft in hospitals.
Employers and vendors, like BD and hospitals, could face potentially astronomical payouts worth many millions or even billions of dollars from the lawsuits. Under recent Illinois Supreme Court rulings, the court's Democratic supermajority ruled that businesses could be facing payouts up to $5,000 for each time a worker scanned a fingerprint over a timespan beginning five years before filing suit.
Thus, with nurses scanning their fingerprint each time they access the medication lockers, numerous times per day, potential damages facing BD and the hospitals could spiral into ruinous sums.
Lawyers bringing the lawsuits typically claim 15%-40% of all settlements in legal fees.
In the consolidated cases that landed before the Illinois Supreme Court, attorneys with the firm of Stephan Zouras LLP, of Chicago, had filed one of those lawsuits against Becton Dickinson, as well as several health care organizations, including Ingalls Memorial Hospital in suburban Harvey and University of Chicago Medicine Community Health & Hospital Division.
The lawsuits were brought on behalf of a class of nurses, led by named plaintiffs Lucille Mosby and Yana Mazya.
The lawsuit, just as the vast majority of similar class actions, accused BD and the hospitals of failing to comply with BIPA's technical notice and consent provisions before requiring nurses to scan their fingerprints to access the medication lockers.
In response, BD and the hospitals argued they should be protected from the lawsuits by the HIPAA-specific exemptions contained within the law.
That exemption is one of several industry-specific exemptions provided in the law. Other exemptions protect governments from being sued under the BIPA law. Another protects those engaged in banking and financial services, which perhaps could have been used by the company whose failure inspired the law, Pay By Touch, to protect itself, should it have been sued under the BIPA law.
However, at the Illinois Supreme Court, the court's Democratic and Republican justices alike agreed the lower courts had misinterpreted the law, and the exemption applies to biometric information collected from health care workers, as well as patients.
"... The legislature’s decision to use the phrase 'health care treatment, payment, and operations' and to immediately follow it with the prepositional phrase 'under [HIPAA]' makes clear that the legislature was directing readers to HIPAA to discern the meaning of those terms," Overstreet wrote. "HIPAA’s definitions of these terms relate to activities performed by the health care provider - not by the patient.
"... Pursuant to its plain language, the Act excludes from its protections the biometric information of health care workers where that information is collected, used, or stored for health care treatment, payment, or operations, as those functions are defined by HIPAA," Overstreet wrote. "A health care worker’s biometric information, used to permit access to medication dispensing stations for patient care, falls under 'information collected, used, or stored for health care treatment, payment, or operations under [HIPAA]' and is exempt from the Act’s protections."
The plaintiffs attempted to counter by arguing that reasoning was too broad, and would essentially allow all health care employers in Illinois to shield all of its employee biometric scanning practices from the law, including workers who aren't engaged in health care operations, including "a landscaper mowing the lawn."
But Overstreet and the court said that interpretation of its ruling "simply ignore(s) that HIPAA includes carefully crafted definitions for each of these terms that place limits on the scope of the exclusion."
So, the court indicated hospitals and other health care providers could still be targeted by lawsuits on behalf of employees using a fingerprint-scanning timeclock, like virtually all other employers in the state, but not from health care professionals who must scan fingerprints in the act of providing patient care.
BD and the health care organizations were represented by attorneys Bonnie Keane DelGobbo, Joel Griswold and Amy L. Lenz, of the firm of Baker & Hostetler LLP, of Chicago; and Matthew C. Wolfe and William F. Northrip, of Shook Hardy & Bacon LLP, of Chicago.
Plaintiffs were represented by attorneys James B. Zouras, Ryan F. Stephan, Andrew C. Ficzko, Catherine T. Mitchell and Molly E. Stemper, of the Stephan Zouras firm.