Dental HIPAA HubGet Compliant →
Illinois State Law

Illinois Dental Privacy: Protecting Your Practice from BIPA Lawsuits

Illinois is the most legally dangerous state in the US for businesses using biometric technology. The Biometric Information Privacy Act (BIPA) — combined with federal HIPAA obligations — creates a dual compliance burden that has generated hundreds of class action lawsuits against employers, including dental practices. If your practice uses a fingerprint time clock, facial recognition check-in, or any other biometric system without written staff consent, you are already in violation.

$5,000

BIPA: per person, intentional violation

$1,000

BIPA: per person, negligent violation

2024

HB 3199 amendment — per-person counting

No harm

Required to sue under BIPA

The BIPA threat is not theoretical: Illinois courts have certified BIPA class actions against employers with as few as 10–20 employees. A dental practice with 15 staff members using a fingerprint time clock without consent faces $15,000–$75,000 in statutory damages before attorney's fees — and class members can include every employee who ever scanned in.

Dental-Specific Compliance Platform

Get HIPAA-Compliant with Medcurity

Medcurity guides Illinois dental practices through HIPAA and BIPA documentation requirements — Security Risk Analysis, BAA management, staff training records, and audit-ready compliance documentation.

See How It Works for Illinois Practices →

BIPA vs. HIPAA — Two Different Threats

HIPAA and BIPA protect different types of data and are enforced in completely different ways. Illinois dental practices face both.

RuleFederal HIPAAIllinois BIPA
What data is protectedPatient medical records (PHI)Biometric identifiers: fingerprints, facial geometry, retina scans
Who can sue your practiceNo private right of action — OCR onlyAny employee or patient — directly in court
Proof of harm requiredN/A (no private suits)No — statutory damages apply without proving harm
Fine per negligent violation$100–$50,000 per violation$1,000 per person
Fine per intentional violationUp to $50,000 per violation$5,000 per person
Class action riskLow (OCR-driven, not class actions)High — multiple IL class actions against small businesses
Written consent required before collectionNo specific biometric consentYes — before any biometric data is captured

The 2024 BIPA Amendment (HB 3199) — What Changed

Illinois amended BIPA in August 2024 to address a wave of lawsuits that threatened to bankrupt small businesses. Under the original law, courts held that each individual fingerprint scan was a separate violation — meaning a practice with daily timeclock use over two years could face thousands of violations per employee.

Before HB 3199

Each individual scan = separate violation. 500 scans × $1,000 = $500,000 per employee. Class action = total business destruction.

After HB 3199 (2024)

One violation per person per type of biometric data. 15 employees × $1,000 = $15,000 minimum. Class action still viable — just no longer existential for every case.

Bottom line: HB 3199 prevented total collapse — it did not eliminate BIPA risk. Illinois dental practices remain on the lawsuit target list.

BIPA Compliance Checklist for Illinois Dental Practices

Six steps to eliminate or dramatically reduce your BIPA exposure.

1

Stop using biometric time clocks without consent — immediately

If your practice uses fingerprint or facial recognition for employee attendance and staff have not signed written BIPA consent forms, pause the system today. Each day of non-consensual collection is a separate exposure event. Switching to a PIN-based or badge system eliminates BIPA risk entirely while you remediate.

2

Obtain written consent from every employee — current and new

Before collecting any biometric data, each employee must sign a written consent form that: (1) describes what biometric data is being collected and why, (2) identifies how long it will be stored, and (3) explains when it will be destroyed. This must be obtained before first collection — retroactive consent has limited legal value.

3

Publish a Biometric Data Retention and Destruction Policy

BIPA requires you to publicly available written policy establishing a retention schedule and destruction guidelines for biometric data. This must be posted in your office and on your website. The policy must specify that data will be destroyed within 3 years of collection or when the employment relationship ends, whichever comes first.

4

Audit your vendors for biometric data handling

If a third-party time clock vendor, HR platform, or patient check-in system collects biometric data on your behalf, they are subject to BIPA. Your contract with that vendor must include BIPA-compliant data handling terms. Confirm the vendor has their own consent and retention policies.

5

Review patient-facing biometric technology

Any technology that uses facial recognition to identify patients at check-in, or that captures biometric data for clinical purposes, requires separate BIPA consent from patients — distinct from your standard HIPAA consent forms. Patient BIPA consent must be voluntary and cannot be a condition of receiving treatment.

6

Run a Security Risk Analysis to document your HIPAA posture

An SRA is still the #1 document OCR requests in any HIPAA investigation. With BIPA exposure creating new litigation risk, Illinois dental practices should ensure their overall compliance documentation is airtight — a documented SRA demonstrates good-faith compliance effort to both OCR and state courts.

📋

2026 Dental HIPAA SOP Kit — Includes Biometric Consent Templates

47 ready-to-use templates including BIPA-compliant biometric consent forms, data retention and destruction policy templates, staff acknowledgment forms, and HIPAA documentation. One-time $149 — instant delivery.

Get the SOP Kit — $149 →

HIPAA Audits in Chicago: What Dental Practices Need to Know

Chicago-area dental practices face above-average OCR audit exposure. Illinois leads the nation in HIPAA complaint volume per capita, and OCR's Chicago regional office (Region V) is one of the most active enforcement offices in the country. Understanding what triggers a Chicago HIPAA audit — and what documentation you need — is essential for any dental practice in the greater Chicago area.

What Triggers a HIPAA Audit in Chicago

The vast majority of OCR investigations in Illinois are triggered by patient complaints — not random audits. The most common triggers for Chicago dental practices: (1) responding to a negative Google or Yelp review with patient information, (2) a data breach that required notification, and (3) a current or former employee complaint. OCR Region V in Chicago also monitors breach notifications nationally and selects cases for investigation based on breach size and practice response time.

HIPAA Compliance Guidelines for Chicago Dental Practices

Chicago dental practices must meet all federal HIPAA requirements plus Illinois-specific additions. The HIPAA guidelines that OCR Region V most commonly cites in Chicago investigations: missing or outdated Business Associate Agreements, failure to complete an annual Security Risk Analysis, and inadequate breach response documentation. Illinois PIPA (Personal Information Protection Act) also imposes a 45-day breach notification window — stricter than HIPAA's 60-day federal requirement.

What OCR Requests in a Chicago Dental Audit

When OCR Region V opens an investigation of a Chicago dental practice, the initial document request is consistent across cases: (1) current Security Risk Analysis with date, (2) signed BAAs for all vendors, (3) staff training records for the past 3 years, (4) current Notice of Privacy Practices, (5) breach log. Practices that can produce these documents quickly and completely are in a fundamentally different position than practices that cannot.

HIPAA Compliance Assessments for Chicago Practices

A HIPAA compliance assessment — also called a Security Risk Analysis (SRA) — is the foundational document OCR requires from every dental practice. For Chicago-area practices, the SRA must account for Illinois-specific requirements including PIPA notification timelines and BIPA if biometric devices are used. The HHS SRA Tool is available free at healthit.gov. Managed platforms like Compliancy Group and Medcurity guide practices through the SRA with dental-specific questions and generate documentation automatically.

Full guide: How often should dental practices conduct HIPAA audits? →

Chicago Metro HIPAA Compliance — Burr Ridge, Hinsdale, Schaumburg & Surrounding Areas

OCR Region V enforces HIPAA across all of Illinois — including the Chicago suburbs. Dental practices in Burr Ridge, Hinsdale, Schaumburg, Morton Grove, Naperville, and Downers Grove face the same federal HIPAA requirements and Illinois-specific BIPA obligations as downtown Chicago practices. The geographic distance from Chicago does not reduce enforcement exposure: OCR investigates complaints regardless of practice location, and Illinois BIPA lawsuits are filed by state courts with jurisdiction across all Illinois counties.

Burr Ridge & Hinsdale Dental Practices — HIPAA Audit Exposure

Dental practices in Burr Ridge and Hinsdale serve high-income patient populations that tend to be more litigation-aware than average. OCR complaint rates in DuPage County dental practices have increased since 2024. Practices in these suburbs should prioritize: a current Security Risk Analysis, signed BAAs with all imaging labs and billing vendors, and a written breach response procedure. A missing SRA is the single most common HIPAA audit finding in OCR Region V investigations — including suburban practices.

Schaumburg, Morton Grove & North Shore Dental Compliance

Dental practices in Schaumburg, Morton Grove, and the North Shore suburbs (Evanston, Wilmette, Skokie) face HIPAA compliance requirements identical to Chicago proper. These practices are within OCR Region V jurisdiction and subject to the same Illinois PIPA 45-day breach notification window. Schaumburg-area practices with multiple locations or DSO affiliations should pay particular attention to Business Associate Agreement coverage — multi-location BAA gaps are one of the most common OCR findings in suburban Illinois investigations.

BIPA Compliance for Chicago Suburban Dental Practices

Illinois BIPA applies statewide — there is no geographic exemption for suburban practices. Dental practices in Burr Ridge, Hinsdale, Naperville, and Schaumburg using fingerprint time clocks or facial recognition patient check-in must have written staff consent forms, a published biometric data retention policy, and vendor contracts with BIPA-compliant data handling terms. The 2024 HB 3199 amendment reduced per-violation exposure but did not eliminate it — suburban practices remain viable BIPA lawsuit targets.

IT Compliance for Chicago Metro Dental Practices

The 2026 HIPAA Security Rule Final Rule introduced mandatory requirements that affect Chicago metro dental practices regardless of size: multi-factor authentication on all ePHI systems, annual penetration testing, biannual vulnerability scans, and a documented network asset inventory. IT vendors serving dental practices in Burr Ridge, Hinsdale, and Schaumburg must sign HIPAA Business Associate Agreements — a service agreement alone does not meet the BAA requirement. Dental IT companies without a BAA process should be replaced.

Frequently Asked Questions — Illinois BIPA & Dental Practices

Does BIPA apply to Illinois dental practices?

Yes. Illinois BIPA applies to any private entity — including dental practices of any size — that collects, stores, or uses biometric identifiers such as fingerprints or facial geometry. Using a fingerprint time clock for employee attendance without written consent and a published retention policy is a BIPA violation.

What are the BIPA fines for dental practices?

BIPA provides statutory damages of $1,000 per person for negligent violations and $5,000 per person for intentional or reckless violations. After a 2024 amendment (HB 3199), violations are counted per person per type of violation — not per individual scan. A practice with 10 employees using a fingerprint clock without consent faces $10,000–$50,000 in exposure before attorney's fees.

What did the 2024 BIPA amendment (HB 3199) change?

HB 3199 (signed August 2024) changed how BIPA violations are counted. Previously, courts held that each individual fingerprint scan was a separate violation — meaning daily timeclock scans over two years could generate thousands of violations per employee, threatening total business destruction. HB 3199 limits claims to one violation per person per type of biometric data collected. This prevented catastrophic class action exposure but did not eliminate it — a dental practice with 15 employees still faces $15,000–$75,000 per BIPA lawsuit.

Does my dental practice need a BIPA consent form even if we only use biometrics for employees, not patients?

Yes. BIPA protects both employees and patients. If your practice uses a fingerprint or facial recognition time clock for staff attendance, every employee must sign a written consent form before their biometric data is collected. Illinois employers — including dental practices — have faced BIPA class actions brought entirely by their own employees.

How is BIPA different from HIPAA for Illinois dental practices?

HIPAA protects patient medical information and is enforced by federal regulators (OCR). BIPA protects biometric data (fingerprints, facial scans) and is enforced by private lawsuits — any employee or patient can sue your practice directly without filing a complaint with any agency. BIPA requires no proof of harm and has no federal equivalent, making it a uniquely Illinois risk.

Related HIPAA Compliance Guides

HIPAA Compliance by Specialty — Chicago