Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14)
Illinois state law regulating the collection, retention, use, and destruction of biometric identifiers, with a private right of action and statutory damages per violation.
Primary source
740 ILCS 14 — Illinois General Assembly →https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
Verified May 23, 2026 · This is the authoritative regulator URL. The summary below is a research aid; the linked source controls.
Additional sources
The Illinois Biometric Information Privacy Act (BIPA) — 740 ILCS 14 — regulates the collection, capture, purchase, receipt, sale, lease, trade, or other use of biometric identifiers (retina/iris scans, fingerprints, voiceprints, scans of hand or face geometry) and biometric information derived from them.
Core requirements:
- Written policy: publicly available retention schedule and destruction guidelines.
- Written notice: before collecting, the entity must inform the subject in writing of the specific purpose and the term of collection, use, and storage.
- Written release: the subject must provide a written release authorizing the collection.
- Sale prohibition: cannot sell, lease, trade, or otherwise profit from biometric data.
- Disclosure restrictions: limited circumstances allow disclosure (subject's consent, completion of financial transaction, required by law, valid warrant or subpoena).
- Reasonable security: safeguards required.
Private right of action (740 ILCS 14/20): per the Illinois Supreme Court's Cothron v. White Castle (2023) decision, each scan or transmission can constitute a separate violation. Statutory damages: $1,000 per negligent violation; $5,000 per intentional or reckless violation. BIPA litigation has produced settlements in the hundreds of millions.
For Illinois healthcare practices using biometric authentication on EHR workstations or biometric identifiers in clinical care, the BIPA notice/consent/policy posture must be in place before deployment.
Use this in your workspace
D3rx assembles the documentation linked to this regulation, walks the practical decisions in plain English, and stores the artifacts against the .gov sources cited above. It is an administrative research aid, not a substitute for counsel.
Related regulations
HIPAA Privacy Rule: General Rules for Uses and Disclosures (45 CFR 164.502)
state-leg · State OverlayCalifornia Confidentiality of Medical Information Act (CMIA, Cal. Civ. Code 56-56.37)
state-AG · State OverlayNew York SHIELD Act (Stop Hacks and Improve Electronic Data Security Act, N.Y. Gen. Bus. Law § 899-bb)
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- RegulationCalifornia Confidentiality of Medical Information Act (CMIA, Cal. Civ. Code 56-56.37)California state law providing broader patient confidentiality protections than HIPAA for medical information held by providers, contractors, and certain employers.
- RegulationNew York SHIELD Act (Stop Hacks and Improve Electronic Data Security Act, N.Y. Gen. Bus. Law § 899-bb)New York data breach and information security law requiring reasonable administrative, technical, and physical safeguards for private information of NY residents, with expanded breach notification.
- RegulationHIPAA Privacy Rule: General Rules for Uses and Disclosures (45 CFR 164.502)The general rules covered entities follow for any use or disclosure of protected health information, including the minimum necessary standard and treatment, payment, and operations exceptions.
- ComplianceIllinois Healthcare Compliance: BIPA, GIPA + State Medical Records RulesIllinois BIPA (740 ILCS 14/) and GIPA (410 ILCS 513/) vs HIPAA for medical practices: where the state statutes bite harder, private right of action, and penalty math.
- StateAlaska healthcare compliance overlayAlaska has no state-specific medical-information privacy statute beyond HIPAA, and no health-data-only breach rule.
- StateAlabama healthcare compliance overlayAlabama was the last U.
- StateArkansas healthcare compliance overlayArkansas's Personal Information Protection Act adds 'medical information' to the categories triggering breach notification but does not impose health-information-specific privacy rules beyond HIPAA.
- StateArizona healthcare compliance overlayArizona broadened its breach statute in 2018 to add medical information, health insurance identifiers, biometric data, and online credentials.
Last reviewed May 23, 2026 · Citation verified May 23, 2026
Research aid, not legal advice. This summary is an administrative research aid prepared by D3rx. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. For authoritative regulatory text follow the primary source link at the top of this page. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.