In a country that is still struggling with an opioid epidemic, and where there are enough rules and laws regulating the dispensing of medication to fill a tome, it makes sense that medical providers across the nation are turning to technology to monitor who is accessing narcotics and medicines. Federal and state laws require that healthcare facilities and providers store certain medications, and most importantly controlled substances, in locked cabinets. As technology has advanced, it has become commonplace for such cabinets to be secured by fingerprint or facial recognition access, and guidance recognizes cabinets secured by such biometric access systems as meeting the definition of a “locked” system. However, if you are a medical provider with employees located in Illinois, Texas or Washington, your use of biometric medical cabinet locks or dispensaries, such as the Pyxis or Omnicell systems, could lead to greater liability if you are not taking certain steps.
Illinois (740 ILCS 14/1 et seq.), Texas (Tex. Bus. & Com. §503.001) and Washington (Wash. Rev. Code § 19.375.010 et seq.) each have biometric collection laws that require companies to take certain actions before they collect biometrics from employees who are residents of those states (there is a limited exemption for patient biometrics). In general, the laws of Illinois, Texas and Washington require that companies first provide notice to employees (e.g., nurses, doctors and others with access to the lock/dispensary systems) of the fact that their biometrics may be collected. “May” is an important qualifier here because there is still an open legal question as to whether these systems actually collect biometrics. Plaintiffs’ lawyers and regulators will say they do, whereas defendant companies and device manufacturers will often take the opposite position. However, if the objective of compliance is to minimize risk, then the conservative approach in Illinois, Texas and Washington is to develop a policy that notifies your employees that you or your service providers may be collecting biometrics.
While that notice will be enough to satisfy Washington’s biometric law, those of Texas and Illinois require more. In Texas and Illinois, companies must also collect the consent of their employees before collecting their biometrics. In Illinois, companies also must make publicly available their biometric collection policy, which includes details on, for example, the purpose of the collection, the document retention rules applicable to the biometric information and the use and/or disclosure of biometrics.
Failure to comply with the biometric laws in Illinois, Texas and Washington brings with it varying degrees of risk. The Washington and Texas laws are exclusively enforced by the state attorneys general. To date, Washington’s attorney general has not initiated any public actions, and Texas’ attorney general only recently brought its first action. The Texas law, however, includes damages of up to $25,000 per violation. The most immediate risk is Illinois, where there is a private right of action, statutory damages of as much as $5,000 per scan and a five-year limitations period. As a result, the Biometric Information Privacy Act (BIPA) has become one of the most active class action spaces in Illinois, with new putative class actions filed almost every working day, and the state and federal courts handling a docket of more than 1,000 biometric cases. In short, the risk of a class action for failing to comply with BIPA is extreme.
While HIPAA covered entities and business associates are used to being exempt from a wide variety of state privacy laws, courts in Illinois have interpreted the collection of employee biometrics—even for the dispensing of medication—to not be HIPAA-covered or -related activities, and thus outside the HIPAA carve-outs in Illinois’ biometric law. Moreover, every legislative cycle, other states consider enacting biometric statutes similar to the laws in Illinois, Texas and Washington. As a result, medical providers should take the following steps:
Determine whether they are collecting fingerprint or other potential biometric information in the ordinary course of business (e.g., biometric medical dispensary systems, locks or even employee time clocks).
If they are collecting such information, implement a biometric collection policy and notice.
In Texas and Illinois, collect the consent of their employees.
In Illinois, publicly post their biometric collection policy.
If you need assistance with any of these steps, please contact your regular McDermott Will & Emery lawyer or contact the authors of this article.