Illinois Dental Privacy: Protecting Your Practice from BIPA Lawsuits
Illinois is the most legally dangerous state in the US for businesses using biometric technology. The Biometric Information Privacy Act (BIPA) — combined with federal HIPAA obligations — creates a dual compliance burden that has generated hundreds of class action lawsuits against employers, including dental practices. If your practice uses a fingerprint time clock, facial recognition check-in, or any other biometric system without written staff consent, you are already in violation.
- $5,000: BIPA, per person, intentional violation
- $1,000: BIPA, per person, negligent violation
- 2024: HB 3199 amendment (per-person counting)
- No harm required to sue under BIPA
The BIPA threat is not theoretical: Illinois courts have certified BIPA class actions against employers with as few as 10–20 employees. A dental practice with 15 staff members using a fingerprint time clock without consent faces $15,000–$75,000 in statutory damages before attorney's fees — and class members can include every employee who ever scanned in.
ADA-Endorsed Solution
Get HIPAA-Compliant with Compliancy Group
Compliancy Group covers your HIPAA obligations including Illinois-specific documentation requirements. For BIPA, their platform's policy templates help you document consent and retention schedules.
BIPA vs. HIPAA — Two Different Threats
HIPAA and BIPA protect different types of data and are enforced in completely different ways. Illinois dental practices face both.
| Rule | Federal HIPAA | Illinois BIPA |
|---|---|---|
| What data is protected | Patient medical records (PHI) | Biometric identifiers: fingerprints, facial geometry, retina scans |
| Who can sue your practice | No private right of action — OCR only | Any employee or patient — directly in court |
| Proof of harm required | N/A (no private suits) | No — statutory damages apply without proving harm |
| Fine per negligent violation | $100–$50,000 per violation | $1,000 per person |
| Fine per intentional violation | Up to $50,000 per violation | $5,000 per person |
| Class action risk | Low (OCR-driven, not class actions) | High — multiple IL class actions against small businesses |
| Written consent required before collection | No specific biometric consent | Yes — before any biometric data is captured |
The 2024 BIPA Amendment (HB 3199) — What Changed
Illinois amended BIPA in August 2024 to address a wave of lawsuits that threatened to bankrupt small businesses. Under the original law, courts held that each individual fingerprint scan was a separate violation — meaning a practice with daily timeclock use over two years could face thousands of violations per employee.
Before HB 3199
Each individual scan = separate violation. 500 scans × $1,000 = $500,000 per employee. Class action = total business destruction.
After HB 3199 (2024)
One violation per person per type of biometric data. 15 employees × $1,000 = $15,000 minimum. Class action still viable — just no longer existential for every case.
Bottom line: HB 3199 prevented total collapse — it did not eliminate BIPA risk. Illinois dental practices remain on the lawsuit target list.
BIPA Compliance Checklist for Illinois Dental Practices
Six steps to eliminate or dramatically reduce your BIPA exposure.
1. Stop using biometric time clocks without consent — immediately
   If your practice uses fingerprint or facial recognition for employee attendance and staff have not signed written BIPA consent forms, pause the system today. Each day of non-consensual collection is a separate exposure event. Switching to a PIN-based or badge system eliminates BIPA risk entirely while you remediate.
2. Obtain written consent from every employee — current and new
   Before collecting any biometric data, each employee must sign a written consent form that: (1) describes what biometric data is being collected and why, (2) identifies how long it will be stored, and (3) explains when it will be destroyed. This must be obtained before first collection — retroactive consent has limited legal value.
3. Publish a Biometric Data Retention and Destruction Policy
   BIPA requires you to make publicly available a written policy establishing a retention schedule and destruction guidelines for biometric data. This must be posted in your office and on your website. The policy must specify that data will be destroyed within 3 years of collection or when the employment relationship ends, whichever comes first.
4. Audit your vendors for biometric data handling
   If a third-party time clock vendor, HR platform, or patient check-in system collects biometric data on your behalf, they are subject to BIPA. Your contract with that vendor must include BIPA-compliant data handling terms. Confirm the vendor has their own consent and retention policies.
5. Review patient-facing biometric technology
   Any technology that uses facial recognition to identify patients at check-in, or that captures biometric data for clinical purposes, requires separate BIPA consent from patients — distinct from your standard HIPAA consent forms. Patient BIPA consent must be voluntary and cannot be a condition of receiving treatment.
6. Run a Security Risk Analysis to document your HIPAA posture
   An SRA is still the #1 document OCR requests in any HIPAA investigation. With BIPA exposure creating new litigation risk, Illinois dental practices should ensure their overall compliance documentation is airtight — a documented SRA demonstrates good-faith compliance effort to both OCR and state courts.
2026 Dental HIPAA SOP Kit — Includes Biometric Consent Templates
47 ready-to-use templates including BIPA-compliant biometric consent forms, data retention and destruction policy templates, staff acknowledgment forms, and HIPAA documentation. One-time $149 — instant delivery.
Frequently Asked Questions — Illinois BIPA & Dental Practices
Does BIPA apply to Illinois dental practices?
Yes. Illinois BIPA applies to any private entity — including dental practices of any size — that collects, stores, or uses biometric identifiers such as fingerprints or facial geometry. Using a fingerprint time clock for employee attendance without written consent and a published retention policy is a BIPA violation.
What are the BIPA fines for dental practices?
BIPA provides statutory damages of $1,000 per person for negligent violations and $5,000 per person for intentional or reckless violations. After a 2024 amendment (HB 3199), violations are counted per person per type of violation — not per individual scan. A practice with 10 employees using a fingerprint clock without consent faces $10,000–$50,000 in exposure before attorney's fees.
What did the 2024 BIPA amendment (HB 3199) change?
HB 3199 (signed August 2024) changed how BIPA violations are counted. Previously, courts held that each individual fingerprint scan was a separate violation — meaning daily timeclock scans over two years could generate thousands of violations per employee, threatening total business destruction. HB 3199 limits claims to one violation per person per type of biometric data collected. This prevented catastrophic class action exposure but did not eliminate it — a dental practice with 15 employees still faces $15,000–$75,000 per BIPA lawsuit.
Does my dental practice need a BIPA consent form even if we only use biometrics for employees, not patients?
Yes. BIPA protects both employees and patients. If your practice uses a fingerprint or facial recognition time clock for staff attendance, every employee must sign a written consent form before their biometric data is collected. Illinois employers — including dental practices — have faced BIPA class actions brought entirely by their own employees.
How is BIPA different from HIPAA for Illinois dental practices?
HIPAA protects patient medical information and is enforced by federal regulators (OCR). BIPA protects biometric data (fingerprints, facial scans) and is enforced by private lawsuits — any employee or patient can sue your practice directly without filing a complaint with any agency. BIPA requires no proof of harm and has no federal equivalent, making it a uniquely Illinois risk.