The purpose of this Biometric Data Policy (“Policy”) is to set forth the policy and procedures for the collection, use, safeguarding, storage, retention, and destruction of biometric data by the University of Chicago Medical Center.


The University of Chicago Medical Center (“UCMC” or “Hospital”) utilizes or may utilize various technologies which involve the use of retina or iris scans, fingerprints, voiceprints, or scan of hand or face geometry, or information based on the above, in order to identify or verify the identity of individuals. Data generated from these technologies is referred to as Biometric Data. Biometric Data does not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act.

UCMC captures, collects, stores, uses, and may disclose the Biometric Data for the purposes of protecting access to, and giving certain authorized employees and/or contractors (“Authorized Users”) access to patient private information in systems which allow access to same, certain Hospital owned devices, and restricted areas of the Hospital which may contain patient private information, patients, medications, or other confidential and sensitive information or materials, in connection with UCMC’s healthcare treatment, payment and operations and consistent with UCMC’s obligations as a covered entity under the Health Insurance Portability and Accountability Act.


All UCMC employees, contractors, or other Authorized Users who provide Biometric Data to UCMC are required to consent and to enter a written release, as a condition of employment or work at or with UCMC, to UCMC’s capture, collection, storage, and/or use, and where applicable disclosure, of Biometric Data by signing an Informed Written Consent for the Collection, Storage, and Use of Biometric Data (the “Consent”), which will detail the purpose, nature and scope of use, and length of term of same, of such Biometric Data.

This Policy is available to all employees through the UCMC intranet and is available to members of the public at https://www.uchicagomedicine.org/about-us/privacy-practices 

UCMC will store, transmit and protect any Biometric Data from disclosure using a reasonable standard of care and in the same or more protective manner in which UCMC stores, transmits and protects other confidential and sensitive information. Any Biometric Data captured, collected, stored, used, or disclosed by UCMC will be permanently deleted and destroyed by UCMC, and where applicable its vendors or contractors, including Biometric Data contained or stored on any back-up database or devices, within 90 days after the Authorized User’s last use of the technology utilizing Biometric Data.UCMC will adhere to this schedule and destruction guideline absent a valid warrant or subpoena issued by a court of competent jurisdiction, or unless otherwise required by law.

This Policy is intended to comply with all federal, state, and local laws, and will be interpreted and applied in order to comply with all applicable laws, including but not limited to the Illinois Biometric Information Privacy Act and consistent with UCMC’s obligations as a covered entity under HIPAA.

If any provision of this Policy or any part of this Policy contravenes any law, or if the operation of any provision of this Policy is determined by law or otherwise to be unenforceable, then such offending provision or part of this Policy shall be severed and the remaining provisions given full force and effect.

If you have any questions about this Policy, please contact the Privacy Program at 773-834-9716.

Interpretation, Implementation and Revision

The UCMC Information Technology, Pharmacy Informatics Departments, and Privacy Program, in conjunction with the Office of Legal Affairs, is responsible for the interpretation and revisions of this policy. Each reporting department is responsible for the implementation of this policy.