
What is BIPA?


The Biometric Information Privacy Act (BIPA) is a law enacted in Illinois in 2008 to regulate private entities' collection, use, and storage of biometric data. It primarily aims to protect individuals' unique biometric identifiers, such as fingerprints, retina scans, and facial geometry, from unauthorized use and data breaches.


How does BIPA intersect with HIPAA?

BIPA, specific to Illinois, regulates the collection and handling of biometric data, such as fingerprints and facial recognition, requiring explicit consent and disclosure from individuals. Section 10 of BIPA excludes information captured from patients in a healthcare setting and otherwise protected under HIPAA.

Recently, the Illinois Supreme Court delivered a notable ruling regarding the intersection of BIPA and HIPAA, particularly in the healthcare sector. The case involved two nurses who sued Ingalls Memorial Hospital, asserting that the hospital's use of fingerprint-enabled medication storage systems violated BIPA's requirement for notification when collecting biometric data. However, the hospital defended its practices by arguing that this biometric data collection was integral to healthcare operations and thus protected under HIPAA.

Initially, an appellate court sided with the nurses, but the Illinois Supreme Court overturned this decision. The Supreme Court ruled that the hospital's actions were compliant with HIPAA, and therefore, the collection of employee biometric data without explicit notification was permissible. This ruling signifies a notable exception in BIPA's application, specifically in healthcare settings where biometric data aligns with HIPAA's guidelines for patient care, treatment, or operations.

The ruling highlights the need for healthcare institutions to align biometric data usage with HIPAA standards, ensuring that as technology evolves, patient care remains the primary focus while navigating the complexities of privacy laws. This case is a critical example of how federal laws like HIPAA can take precedence over state laws like BIPA.


What types of data does BIPA protect?

Under BIPA, the types of biometric data that are protected include:

  • Fingerprints: This is one of the most commonly used biometric identifiers, often employed in various security systems for identity verification.
  • Retina and iris scans: These involve unique patterns in a person's retina or iris and are used in some high-security authentication systems.
  • Voiceprints: Voice characteristics can be analyzed to create a unique representation of a person's voice, used for identity verification in voice recognition systems.
  • Hand or face geometry: This includes measurements and shapes of a person's hand or facial features. Face recognition technology, for example, uses these unique geometric patterns to identify or verify a person's identity.


Who does BIPA apply to?

  • Private businesses: Any private company operating in Illinois that collects, stores, or uses biometric data, such as fingerprints, facial recognition, or iris scans.
  • Employers: Companies in Illinois that use biometric data for employee identification or timekeeping purposes.
  • Technology providers: Companies that develop or supply biometric technology or systems used within Illinois, even if the company itself is not based in the state.
  • Educational institutions: Schools, colleges, and universities in Illinois that collect or use biometric data of students or staff.
  • Healthcare providers: While they are subject to HIPAA for patient data, healthcare providers in Illinois must comply with BIPA for biometric data collected from employees, unless the data collection is specifically protected under HIPAA.
  • Retailers and service providers: Businesses that use biometric data for customer identification or personalized services.
  • Financial institutions: Banks and other financial services that employ biometric data for customer authentication.


The key requirements of BIPA for private entities

Entities that fall under BIPA's jurisdiction must:

  • Obtain written consent from individuals before collecting, capturing, or storing their biometric identifiers, such as fingerprints or facial geometry. 
  • Inform individuals in writing about the specific purpose and duration for which their biometric data will be used and stored. 
  • Publicly disclose a policy detailing the guidelines for retaining and permanently destroying the biometric data, with destruction occurring once the purpose of data collection has been satisfied or within three years of the individual's last interaction with the entity, whichever is earlier.
  • Not sell, lease, trade, or profit from individuals' biometric information. 
  • Protect and store biometric data with at least the same level of care and security as they would other confidential and sensitive information, ensuring its safety from unauthorized access or use.
