Is Your Digital Health or Remote Patient Monitoring Company Violating the BIPA?

Update: Head to our resource page “Responding to COVID-19: Resources for Telehealth and Remote Patient Monitoring.”

Lawsuits have exploded in the last year, increasing the risk for companies nationwide. 

Historically, biometric data – think fingerprint scans to “clock in” and face recognition technology for identifying potential suspects – has been collected by employers, law enforcement, and financial institutions and used for security purposes. As technology evolves and becomes more sophisticated, companies—including digital health, telemedicine, and RPM companies—are beginning to incorporate biometric data from consumers and patients into their solutions, expanding the breadth of the use of biometric tools. For example, this month Pear Therapeutics licensed voice biomarkers from Winterlight Labs Inc., a company that develops digital markers to assess patient speech. Pear Therapeutics plans to use this voice data to detect early signs of Alzheimer's disease. Other digital health companies are exploring the use of face scanning to detect changes in behavioral and neurological health.

There are numerous other examples of companies pairing digital health solutions with biometric data to improve outcomes for patients. At the same time, companies are facing increased scrutiny of their privacy practices in the wake of the controversial Google-Ascension deal (which continues to make headlines) and ongoing litigation involving Facebook’s use of data. One law in particular, the Illinois Biometric Information Privacy Act (BIPA), has resulted in thousands of lawsuits all over the country, causing headaches for companies that collect biometric data. 

Passed by the Illinois legislature back in 2008, BIPA made Illinois the first state to regulate the collection of biometric information, and it remains the only law of its kind that allows private individuals to file a lawsuit for damages stemming from a violation. The recent spate of litigation based on BIPA includes individual and class action lawsuits against Facebook, Vimeo, and Google, among other smaller players, resulting in case law that has evolved significantly over the last year. Digital health and remote patient monitoring companies should pay attention to the restrictions and obligations imposed by BIPA if they are collecting (or plan to collect) biometric data from individuals in Illinois.

Does BIPA apply to my digital health company?

The law applies to companies in any state that collect, store, or use biometric information collected from individuals in Illinois. The stated purpose of BIPA is to protect Illinois residents’ biometric data and deter identity theft—it does this by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric data. Biometric information is any information, regardless of how it is captured, converted, stored, or shared, based on a biometric identifier used to identify an individual. A biometric identifier is “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” This definition is broad enough to include a simple photograph of a person’s face.

One significant carveout excludes many digital health companies’ operations from BIPA. The law explicitly excludes “information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.” Therefore, it is unlikely in most cases that digital health and remote patient monitoring companies that are exclusively acting as “business associates” to healthcare payor or provider customers will be subject to this law. However, there are hundreds of digital health and remote patient monitoring companies who serve consumers directly or whose contracts are directly with employers rather than healthcare providers and payers. These companies would not be exempt from BIPA, even though they are collecting what may otherwise be construed as healthcare information. 

The definition also excludes “biological materials regulated under the Genetic Information Privacy Act”, so there also seems to be an explicit intent not to include DNA testing companies, who are subject to a different, though still strict, law in Illinois. 

Similar to laws passed in Washington and Texas, the applicability of BIPA is quite broad, but unlike these other two laws, BIPA provides a pathway for an individual to sue companies directly for violations. In addition, a recent Illinois Supreme Court ruling, Rosenbach v. Six Flags Entertainment Corporation et al., established that individuals do not need to prove any actual harm in order to bring an action against a violator. On January 21, the U.S. Supreme Court denied Facebook, Inc.’s petition to overturn a 9th Circuit case that ruled that even “intangible harms” can be the basis for a BIPA suit. It also ruled that plaintiffs could file suit in California based on the Illinois law, so we are likely to see more suits filed in the tech-savvy 9th Circuit in coming months.

What does BIPA Compliance Look Like?

  1. Policies and Procedures. Companies that collect biometric data must develop and adhere to a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first.

  2. Consent. Companies cannot collect or obtain biometric information until they have (1) informed the subject (or an authorized representative) that the biometric identifier is being collected, (2) informed the subject why it is being collected, how long it is being collected, stored, and used, AND (3) collected a written release.

  3. Sale Prohibited. Companies may not sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.

  4. No Redisclosure Without Consent. Companies may not disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless (1) the subject (or an authorized representative) provides consent, (2) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject (or an authorized representative); (3) the disclosure or redisclosure is required by State or federal law or municipal ordinance; OR (4) the disclosure is required pursuant to a valid warrant or subpoena.

  5. Data Protection. Companies in possession of biometric information must (1) use an industry standard of care when storing, transmitting, and protecting such information from disclosure, AND (2) such standard must be at least as protective as the standard the company uses to protect other confidential and sensitive information.

What Happens If I Violate BIPA?

The law provides a “personal right of action” for individuals, which means a person can sue your company directly. HIPAA, for example, has no private right of action. Only the federal government can enforce that law. The law also grants an individual a right to injunction, which means that a judge can order you to stop using the information until the case is adjudicated. In addition, violations carry the following statutory penalties:

  • Negligent Violation: The greater of $1,000 in liquidated damages or actual damages + Attorneys’ Fees

  • Intentional or Reckless Violation: The greater of $5,000 in liquidated damages or actual damages + Attorneys’ Fees

It is not settled in case law (because these cases are being brought in courts around the country) whether the liquidated damages cap is an aggregated total or a “per incident” amount. If, in your jurisdiction, it is considered to be a “per violation” cap, your company could be facing severe financial consequences if a court finds that it violated the statute. In addition, the law includes no statute of limitations, so an individual can file suit long after he or she discovers a violation.

Most importantly, and the likely reason for the recent explosion in litigation on this law, the Illinois Supreme Court ruled in Rosenbach v. Six Flags Entertainment Corp that the law does not require that an individual show they suffered any actual harm to prevail in a suit. This removes traditional barriers to litigation that would otherwise apply. Taken together, this means that the risk profile has shifted significantly toward more liability for companies that don’t comply. 

How Should My Digital Health or RPM Company be Thinking about BIPA Compliance?

Online Authentication Mechanisms

Juul Labs, Inc. was recently served a class action BIPA lawsuit based on its online age verification process. The complaint alleges that Juul improperly scans and stores consumers’ facial geometry in violation of BIPA. Companies that use this type of online authentication should put in place a BIPA Compliance Plan.

Cyberliability

Companies that collect biometric data should be sure that their liability coverage will protect them against suit in multiple jurisdictions based on BIPA and other biometric and general privacy laws.

Employee Time and Attendance Tracking

WeWork has also been involved in BIPA litigation because it uses fingerprint scanners to track the use of its coworking spaces. If you’re using fingerprint scanners or similar biometric tracking for your employees, you should be thinking about a BIPA Compliance Plan.

Collection of information for Health and Wellness Purposes

Innovative diagnostic and treatment software applications in several sectors, including behavioral health, neurology, and ophthalmology, are already collecting biometric information that could trigger applicability of BIPA. This includes images of the retina or iris, facial geometry, DNA, and voice prints. This information can be analyzed and translated into data that assists in the diagnosis or treatment of an individual. If your company is collecting biometric data directly from consumers/patients, you should be thinking about a BIPA Compliance Plan. If you’re receiving information from a third-party Covered Entity or Business Associate, you’re likely exempt from this law, but you should also evaluate whether other state laws apply (and make sure you’re adhering to HIPAA and your Business Associate Agreement!).

Is Your Company At Risk?

With nearly 400 BIPA suits ongoing right now, companies that collect biometric information need to begin evaluating whether the law applies to them and, if so, how to implement a compliance plan. These companies will need to develop a set of policies and procedures, create employee or customer consent forms and processes, and review vendor contracts to guard this information.

Reduce risk and increase opportunities with an experienced healthcare attorney. Click here to find out how we help businesses just like yours.