And also provides a grammar lesson.

In Mosby v. Ingalls Memorial Hospital, the Illinois Supreme Court determined that the HIPAA exclusion in the IL Biometric Information Privacy Act (BIPA) is broader than the plaintiffs argued. The plaintiffs, hospital nurses, claimed that their hospital employers required them to authenticate into medication dispensing systems using a fingerprint without proper notice and consent as required by BIPA.

The defendants asserted that the BIPA exclusion for HIPAA data extended not only to just patients, but also to other HIPAA data collected from other sources, such as from clinical personnel providing treatment to patients. This distinction is important because damages under BIPA can balloon rapidly – aggrieved parties can recover up to $1,000 per each negligent violation and $5,000 for each intentional or reckless violation. With countless “violations” occurring for each collection and use of biometric information for each person, these numbers can become enormous (even if the latter damages award was vacated). With a narrower exclusion, more people are covered by the law’s protections and can seek redress under it, increasing the potential for large damages awards. The exclusion reads:

Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.

(Emphasis added). At issue was the two-part exclusion – one part mentions information captured from patients specifically, and the second part, after the “or,” does not mention patients, or anyone, for that matter. It refers generally to “information” collected, used, or stored for health care treatment. The question presented to the Court was whether this second part applied to health care workers.

The plaintiff argued, and the lower courts agreed, that the second part of the exclusion only applied to patients, and that the IL legislature differentiated this second part by using the word “collected” rather than “captured,” as indicated in the first part of the exclusion. Therefore, the lower court determined, the biometric data of these nurses was not excluded from BIPA and they could avail themselves of its protections.

According to the Supreme Court, this was not enough reason for the legislature to include a second part of the exclusion – it would have been redundant. Rather, the Supreme Court concluded that, more important, was inclusion of the word “or” and use of the second instance of “information,” indicating the legislature intended to provide for two separate kinds of exclusions: one exclusion based on the source of the data (the patient) and one exclusion based on the purpose of using the data (health care treatment, payment, or operations under HIPAA).

The Court proceeded to conduct an exhaustive analysis on statutory construction, summarized neatly with one small statement buried in the middle of its opinion:

In other words, ‘or’ means ‘or.’ ”

The Court did stop short of claiming anything related to HIPAA might be excluded. To the contrary, one of the two exclusions must be applicable – the data must be from a patient in a healthcare setting or it must be related to treatment under HIPAA. In its own words,

[w]e are not construing the language at issue as a broad, categorical exclusion of biometric identifiers taken from health care workers. Here, the nurses’ biometric information, as alleged in the complaints, was collected, used, and stored to access medications and medical supplies for patient health care treatment….

This is the first time the IL Supreme Court has agreed with a defendant’s interpretation of BIPA’s scope, which is a welcome development for defendants, but as always, processors of biometric information should proceed carefully and ensure they align their processes to the law’s requirements (when and where it applies).