Illinois Healthcare Compliance: BIPA, GIPA + State Medical Records Rules
8 min read · Last reviewed May 23, 2026
Illinois layers two state statutes on top of HIPAA that have no federal analog: the Biometric Information Privacy Act (740 ILCS 14/) and the Genetic Information Privacy Act (410 ILCS 513/). Both carry a private right of action with statutory damages — BIPA at $1,000 negligent / $5,000 intentional-reckless and GIPA at $2,500 negligent / $15,000 intentional-reckless per violation — the single biggest divergence from HIPAA, which has no individual cause of action at all.
What Illinois BIPA and GIPA actually require
The Biometric Information Privacy Act, enacted in 2008 and codified at 740 ILCS 14/, regulates private entities that collect, capture, purchase, or otherwise obtain a person's biometric identifier (fingerprint, voiceprint, retina or iris scan, scan of hand or face geometry). It does not cover writing samples, signatures, photographs alone, or demographic data. The core obligations at 740 ILCS 14/15: a written policy publicly available, a retention and destruction schedule, written informed consent before collection, and a ban on selling biometric data.
The Genetic Information Privacy Act at 410 ILCS 513/ prohibits employers and insurers from soliciting, requesting, requiring, or purchasing genetic testing or genetic information. Healthcare providers can use genetic information for treatment, but cannot disclose it without specific written authorization that names the recipient.
Layered on top is the Illinois Medical Patient Rights Act at 410 ILCS 50/3, which gives patients an enforceable right to access their records, and the Personal Information Protection Act at 815 ILCS 530/, which handles breach notification.
Where Illinois is stricter than HIPAA
Where Illinois BIPA bites healthcare is the fingerprint timeclock for staff and the patient biometric check-in kiosk. HIPAA has no specific biometric data rule — biometric identifiers are PHI when linked to a patient, but employer use of staff fingerprints is outside HIPAA entirely. BIPA covers both, with mandatory written consent, a public retention policy, and statutory damages enforceable by the individual.
| Topic | HIPAA | Illinois | Stricter | |---|---|---|---| | Biometric data | Treated as PHI when linked; no specific rule | BIPA: written consent, written policy, retention schedule, no sale | Illinois | | Genetic information | GINA at the federal level; HIPAA covers as PHI | GIPA: written authorization naming recipient required for any disclosure | Illinois | | Private right of action | None — only HHS/OCR enforcement | BIPA and GIPA: individuals sue directly with statutory damages | Illinois | | Patient access timeline | 30 days, one 30-day extension (45 CFR 164.524) | Medical Patient Rights Act: reasonable time, generally 30 days | Tie | | Breach notification | 60 days from discovery to individual | PIPA: most expedient time, no fixed outer deadline but generally read as 45 days; AG notice if >500 IL residents | HIPAA on individual; Illinois on AG breadth | | Staff biometric data | Not covered | BIPA applies fully — fingerprint timeclocks, hand-geometry scanners | Illinois | | Marketing authorization | 45 CFR 164.508(a)(3) authorization required | Same plus GIPA bar on genetic data, BIPA bar on biometric sale | Illinois |
The Illinois Supreme Court decided in Rosenbach v. Six Flags (2019) that a plaintiff does not need to allege actual harm beyond a BIPA violation to have standing — the technical violation itself is the injury. In Cothron v. White Castle (2023) the court held each separate scan was a separate violation, but the Illinois General Assembly responded with a statutory amendment effective August 2, 2024 (Public Act 103-769). Current 740 ILCS 14/20(b)–(c) provides that repeated collection or disclosure of the same biometric identifier from the same person by the same method is a single violation with at most one recovery. The pre-amendment per-scan math still drives exposure for conduct before August 2, 2024 — class actions filed against pre-amendment timeclock use can plead Cothron — but for ongoing 2026 collection the math is one violation per person per collection-or-disclosure method.
Where HIPAA is stricter than Illinois
HIPAA is broader in some areas. The Security Rule at 45 CFR Part 164, Subpart C imposes administrative, physical, and technical safeguards that BIPA and GIPA do not address. Illinois has no equivalent risk-analysis requirement, no encryption standard, no audit-log standard. A practice that follows BIPA scrupulously but ignores the HIPAA Security Rule is still federally non-compliant.
HIPAA also covers a wider data set: any individually identifiable health information held by a covered entity, regardless of biometric or genetic character. BIPA and GIPA are surgical — they regulate two specific data classes and have HIPAA carve-outs for treatment, payment, and operations uses.
Breach notification timeline
Illinois breach notification runs under the Personal Information Protection Act at 815 ILCS 530/10. The statute requires notice to affected Illinois residents in the most expedient time possible and without unreasonable delay. Where the breach involves more than 500 Illinois residents, the entity must notify the Illinois Attorney General. PIPA does not preempt HIPAA — covered entities follow both, and the HIPAA 60-day individual-notice deadline at 45 CFR 164.404 is the operative federal floor.
For BIPA-specific breaches — biometric data exposure — the practical reading is that the PIPA timeline applies, but plaintiffs have used the underlying BIPA violation (lack of consent, lack of policy) as the basis for class action damages rather than the breach itself.
Penalties + private right of action
This is where Illinois law diverges most sharply.
BIPA damages under 740 ILCS 14/20: $1,000 per negligent violation, $5,000 per intentional or reckless violation, plus reasonable attorneys' fees and costs, plus injunctive relief. The August 2, 2024 amendment to 740 ILCS 14/20(b)–(c) caps recovery at a single violation for repeated collection or disclosure of the same biometric identifier from the same person by the same method — so a fingerprint timeclock that scans the same employee thousands of times now counts as one violation per employee per method, not one per scan. Cothron's per-scan math remains relevant only to pre-August-2024 conduct.
GIPA damages under 410 ILCS 513/40: $2,500 per negligent violation, $15,000 per intentional or reckless violation, plus reasonable attorneys' fees and costs. (Note: GIPA's per-violation amounts are higher than BIPA's; the structure is parallel but not identical.)
PIPA does not create a private right of action for breach notification failures; the Illinois Attorney General enforces it with civil penalties under the Consumer Fraud Act, which can reach $50,000 per violation.
HIPAA, by contrast, has no private right of action. HHS Office for Civil Rights enforces with civil monetary penalties capped by tier at 45 CFR 160.404, and aggregate annual caps were adjusted by HITECH and subsequent HHS notices. State AGs can also enforce HIPAA under section 13410(e) of HITECH, but individuals cannot.
The practical takeaway: HIPAA penalty exposure is real but rare and federally controlled. BIPA exposure is class-action driven, scaled with every scan for pre-August 2, 2024 conduct under Cothron, and has produced settlements in the tens and hundreds of millions for large defendants. Under current 740 ILCS 14/20(b)–(c) as amended by PA 103-769, ongoing 2026 exposure is one recovery per person per collection-or-disclosure method — still material at scale, but no longer per-scan. For a small practice with a staff fingerprint timeclock, the dominant Illinois risk is BIPA, not HIPAA.
Compliance checklist for in-state practices
For any Illinois practice using biometric or genetic data outside pure treatment use:
- Publish a written biometric data policy with a retention and destruction schedule, posted publicly or in a staff-accessible location, before collecting any biometric data.
- Obtain written informed consent from every employee or patient before collecting a fingerprint, hand geometry scan, voiceprint, retina or iris scan, or face geometry scan. Save the signed consent for the retention period.
- Audit every staff timeclock, patient kiosk, and visitor sign-in device for biometric collection. If you scan, BIPA applies.
- For any genetic testing not done for treatment, obtain GIPA-compliant written authorization that names the recipient of the information.
- Update the Notice of Privacy Practices and patient intake to address BIPA and GIPA disclosures separately from HIPAA authorizations.
- Confirm Medical Patient Rights Act access timelines align with HIPAA's 30-day rule and document the access response on every record request.
- For breach response, run a parallel PIPA assessment alongside the HIPAA 45 CFR 164.404 analysis. If more than 500 Illinois residents are affected, notify the Illinois AG.
Compliance binder covers the HIPAA backbone of these requirements with state-specific privacy notice content. Illinois practices using biometric data also need standalone BIPA policies and consent forms, which are outside the standard HIPAA binder scope.
Cross-references: see Virginia CDPA for medical practices and Washington's My Health My Data Act for other state statutes that, like BIPA, create private rights of action that HIPAA does not.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — Illinois Healthcare Compliance: BIPA, GIPA + State Medical Records Rules. We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
Does BIPA apply to our patient fingerprint reader at the front desk?
Yes, if the reader collects, stores, or uses a fingerprint or fingerprint template to identify or verify patients or staff, it is covered biometric information under 740 ILCS 14/10. BIPA requires written informed consent before collection, a public retention and destruction schedule, and a written policy. HIPAA's authorization rules do not satisfy BIPA — BIPA is separate. A staff timeclock that scans fingerprints triggers the same obligations.
We are a HIPAA-covered entity. Doesn't that exempt us from BIPA and GIPA?
Partly. BIPA at 740 ILCS 14/10 exempts patient information governed by HIPAA from the definition of biometric identifier when the information is used for treatment, payment, or operations. GIPA at 410 ILCS 513/30 has a similar HIPAA carve-out for treatment uses. But staff fingerprint timeclocks, marketing-list genetic ancestry tests, and any non-TPO use of biometric or genetic data fall outside the carve-out and remain regulated.
How big are BIPA class action settlements actually getting?
BIPA settlements have ranged from low six figures for small employers to nine figures for large platforms. The statute sets statutory damages at $1,000 per negligent violation and $5,000 per intentional or reckless violation under 740 ILCS 14/20, plus attorneys' fees. The Illinois Supreme Court ruled in Cothron v. White Castle (2023) that each scan was a separate violation, but the Illinois General Assembly amended 740 ILCS 14/20(b)–(c) effective August 2, 2024 to provide that repeated collection or disclosure of the same biometric identifier from the same person by the same method counts as a single violation with at most one recovery. Cothron's per-scan math now applies only to pre-amendment conduct.
Does the Illinois Medical Patient Rights Act add anything beyond HIPAA's access rule?
The Medical Patient Rights Act (410 ILCS 50/3) requires hospitals and most providers to honor patient access to medical records and to permit inspection or copying within a reasonable time. Illinois practice has settled on a 30-day window consistent with HIPAA's 45 CFR 164.524, but the state statute layers on a private cause of action for unreasonable refusal and specific copying-fee caps under 735 ILCS 5/8-2001.
What about GIPA — when does it actually apply to a primary care practice?
GIPA (410 ILCS 513/15 and /25) restricts the use of genetic testing information by employers, insurers, and others. For a practice, GIPA most often surfaces when staff are asked about family history during wellness programs, when a third-party wellness vendor collects genetic data, or when ordering genetic testing for non-treatment purposes. GIPA carries its own statutory-damages structure under 410 ILCS 513/40 — $2,500 per negligent violation and $15,000 per intentional or reckless violation — separate from BIPA's $1,000/$5,000 scheme.
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- 740 ILCS 14/https://www.ilga.gov/legislation/ilcs/ilcs5.asp?ActID=3004&ChapterID=57
- 410 ILCS 513/https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=1567&ChapterID=35
- 410 ILCS 50/3https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=1525&ChapterID=35
- 815 ILCS 530/https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapterID=67
- 45 CFR Part 164, Subpart Chttps://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C
- 45 CFR 164.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404
- 45 CFR 160.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
Related across the archive
- ComplianceOhio Healthcare Compliance: Data Protection Act + State SpecificsOhio Data Protection Act (Ohio Rev. Code § 1354) vs HIPAA: the affirmative defense framework, named cybersecurity frameworks, and what Ohio breach notification adds.
- CompliancePennsylvania Healthcare Compliance: Breach Notification + Practice OperationsPennsylvania Breach of Personal Information Notification Act (73 Pa. C.S. § 2301) vs HIPAA: the concurrent AG notice rule, medical record retention, and where state law bites a PA practice.
- ComplianceVirginia CDPA for Medical Practices: Where It Stacks on HIPAAVirginia Consumer Data Protection Act (Va. Code § 59.1-575) vs HIPAA: the HIPAA carve-out, what intake forms and marketing lists still trigger CDPA, and AG penalty math.
- SRAHIPAA Security Rule vs Privacy Rule: A Plain-English MapWhat the Security Rule at 45 CFR Part 164 Subpart C does, what the Privacy Rule at Subpart E does, where they overlap, and which rule the SRA actually answers to.
- RegulationIllinois Biometric Information Privacy Act (BIPA, 740 ILCS 14)Illinois state law regulating the collection, retention, use, and destruction of biometric identifiers, with a private right of action and statutory damages per violation.
- GlossaryePHI (Electronic Protected Health Information)PHI that is created, received, maintained, or transmitted in electronic form.
- BillingWhat to Do When a Payer Says You're UnderbillingGot a letter saying you're underbilling? Here's what it actually means, whether you should worry, and what action to take.
- StateIllinois healthcare compliance overlayIllinois has two statutes that put healthcare-adjacent practices in the country's most litigated privacy environment: BIPA for biometrics (fingerprint timeclocks, facial-recognition check-in, voiceprint authentication) and GIPA for genetic information.