625 HIPAA Privacy Training

Illinois BIPA

Biometric Information

The Illinois Biometric Information Privacy Act (BIPA) establishes specific rights for individuals regarding their biometric data and imposes corresponding obligations on private entities that handle such information. "Biometric identifier" means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. "Biometric information" means any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual.

Individual Rights
  1. Informed Consent:
    • Individuals must be informed in writing about the collection, storage, and use of their biometric data. This notice should detail the specific purpose and duration for which the data will be utilized.
    • A written release or consent must be obtained from the individual before collecting their biometric information.
  2. Right to Disclosure:
    • Individuals have the right to know what specific biometric data is being collected, the purpose of its collection, and the duration for which it will be stored.
  3. Prohibition Against Profiteering:
    • Private entities are prohibited from selling, leasing, trading, or otherwise profiting from an individual's biometric data.
  4. Right to Take Legal Action:
    • Individuals have the right to initiate legal proceedings if they believe their biometric data has been mishandled or their rights under BIPA have been violated. Notably, individuals do not need to demonstrate actual harm to qualify as an "aggrieved" party under BIPA.
  5. Public Retention and Destruction Schedule:
    • Individuals are entitled to see the private entity's written, publicly available policy stating how long their biometric data will be retained and when and how it will be permanently destroyed, so it is transparent how long the entity keeps the data and under what conditions it is disposed of.
Private Entity Obligations
  1. Development of a Retention and Destruction Policy:
    • Before collecting biometric data, a private entity must develop a written policy, made available to the public, that establishes a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Destruction must occur when the initial purpose for collecting the data has been satisfied or within three years of the individual's last interaction with the entity, whichever occurs first, unless a valid warrant or subpoena requires otherwise.
  2. Secure Storage and Transmission:
    • Entities are required to store, transmit, and protect biometric data using the reasonable standard of care within their industry.
    • Biometric data must be stored, transmitted, and protected in a manner that is the same as or more protective than the manner in which the entity stores, transmits, and protects other confidential and sensitive information.
  3. Restrictions on Disclosure:
    • Entities are prohibited from disclosing or disseminating an individual's biometric data unless:
      • The individual or their legally authorized representative consents to the disclosure.
      • The disclosure completes a financial transaction requested or authorized by the individual.
      • The disclosure is required by state or federal law, municipal ordinance, or pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
  4. Prohibition Against Profiteering:
    • Entities are prohibited from selling, leasing, trading, or otherwise profiting from an individual's biometric data.

Knowledge Check Choose the best answer for the question.

3-10-Illinois. In which situation can an entity disclose an individual’s biometric data without their direct consent?