Analyzing Fee Restrictions for Health IT and EHI Under ONC’s Final Information Blocking Rule

McDermott Will & Emery
Contact

McDermott Will & Emery

OVERVIEW


The Office of the National Coordinator for Health Information Technology recently released a final rule under the 21st Century Cures Act to promote interoperability of health IT and advance access, exchange or use of electronic health information (EHI). The final rule has significant implications for how health IT developers, health care providers and other stakeholders price access to application programming interfaces (APIs) and other technology used to access, exchange or use EHI. This On the Subject discusses the framework for determining whether license fees and other charges for use of such technology would comply with the final rule’s exceptions to the Cures Act’s information blocking prohibition and condition of certification for certified APIs.

IN DEPTH


On March 9, 2020, the Office of the National Coordinator for Health Information Technology (ONC) released its final rule under the 21st Century Cures Act to implement various policies to promote interoperability of health information technology (IT) and advance access, exchange or use of electronic health information (EHI) for continuity of care and other appropriate purposes. The final rule amends the certification requirements under the ONC Health IT Certification Program and identifies health IT pricing practices that do not fall under the Cures Act’s information blocking prohibition.

These final policies have significant implications for how certified health IT developers, health care providers, health information networks (HINs) and health information exchanges (HIEs) (collectively, actors) license and charge for technology to enable access, exchange or use of EHI with patients and other technology and service providers, health care providers and health plans.

Subject to limited exceptions, EHI covered by the information blocking prohibition includes electronic protected health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations (EPHI) to the extent that the EPHI is part of a patient’s electronic medical record or another designated record set under HIPAA, regardless of whether the records are used or maintained by or for a HIPAA covered entity. However, until the date 24 months after the publication of the final rule in the Federal Register, EHI is limited to the data elements represented in the US Core Data for Interoperability (USCDI) standard adopted under the health IT certification provisions of the final rule.

This On the Subject discusses the analytical framework for determining whether license fees and other charges for use of application programing interfaces (APIs) and other technology used to access, exchange or use EHI comply with the final rule’s information blocking exceptions and condition of certification for certified APIs. It also recommends practical next steps for implementing the final rule’s fee restrictions.

For more information about the final rule, including provisions that are not directly related to fees and other charges, see McDermott’s prior Special Report comprehensively covering the information blocking provisions of the final rule.

Does the information blocking prohibition restrict charges for health IT used to access, exchange and use EHI?

The final rule generally defines information blocking to mean a practice by an actor that is likely to interfere with, prevent or materially discourage access, exchange or use of EHI unless the practice is required by law or covered by an exception in the final rule. Because of this broad definition, any fees or other charges that an actor charges patients, health care providers, health plans, technology or service providers or other third parties for access, exchange or use of EHI or technology to enable such access, exchange or use, potentially implicate the information blocking prohibition. Consequently, those fees and charges, unless required by law, would need to fit within an information blocking exception to protect the actor from potential information blocking liability.

What information blocking exceptions protect licensee fees and other charges for use of health IT used to access, exchange and use EHI?

The final rule includes the following three exceptions for license fees and other charges for interoperability elements and other fees for use of technology that may interfere with EHI access, exchange or use. A fee or other charge that meets the definition of information blocking must satisfy at least one of these exceptions:

  • Content and Manner Exception
  • Fees Exception
  • Licensing Exception

Content and Manner Exception

The Content and Manner Exception allows an actor and a party that requests EHI to negotiate mutually agreeable terms (including fees) for access, exchange and use of EHI. To be protected under the Content and Manner Exception, the actor must respond to a request for EHI with the subset of EHI identified by the USCDI data elements until the date 24 months after the publication of the final rule in the Federal Register. After that date, actors must respond with all EHI in a designated record set as discussed above.

In terms of the manner of response, an actor must fulfill a request for access, exchange or use of the required content in the manner requested, unless (1) the actor cannot technically fulfill the request, or (2) the actor and requestor are unable to reach mutually agreeable terms. If an actor fulfills a request in the manner requested, the limitations in the Fee Exception and Licensing Exception would not apply. Thus, the actor would have the opportunity to negotiate mutually agreeable fees and other terms with requestors.

If the actor does not fulfill a request in the requested manner, then the actor must fulfill the request in one of three alternative manners specified in the exception without unnecessary delay. When an actor fulfills a request in an alternative manner, the fees charged would have to meet the Fees Exception or the Licensing Exception.

Fees Exception

The Fees Exception allows an actor to charge fees, including those that result in a reasonable profit margin, for accessing, exchanging or using EHI, provided that the fee is:

  • Based on objective and verifiable criteria, uniformly applied for similarly situated people/requests;
  • Reasonably related to the actor’s costs;
  • Reasonably allocated among all similarly situated people; and
  • Based on costs not already recovered for the same instance of the service to a provider or third party.

In addition, the fee must not be based on:

  • Competitive considerations;
  • Sales, profit, revenue or other value that the requestor or other party may derive from the access, exchange or use of the EHI;
  • Costs that an actor incurs because it designed or implemented health IT in non-standard ways (unless the requestor agreed to the fee associated with such implementation);
  • Costs associated with intangible assets other than actual development and acquisition costs;
  • Opportunity costs unrelated to the access, exchange or use of EHI; or
  • Any costs leading to the creation of intellectual property if the actor charges a royalty for that intellectual property under the Licensing Exception and the royalty includes development costs of creating that intellectual property.

Additionally, an actor may not charge any of the following fees under the Fees Exception:

  • Fees prohibited under the HIPAA Privacy Rule for individuals’ requests for access to their protected health information;
  • Fees based in any way on the electronic access of an individual’s EHI by the individual, the individual’s personal representatives or others designated by the individual (The final rule defines “electronic access” as “an internet-based method that makes EHI available at the time the EHI is requested and where no manual effort is required to fulfill the request.” So whenever fulfilling individuals’ requests to send EHI to themselves or their personal representatives or others they designate, if the process requires manual effort, such as collating or assembling electronic health records from multiple systems, then the definition of electronic access would not be met and the actor could charge a fee and meet the Fees Exception.);
  • Fees to export EHI to switch health IT or provide EHI to patients, if done through a capability certified to the final rule’s EHI export health IT certification criterion at 45 CFR § 170.315(b)(10) (Certified EHI Export Capability); and
  • Fees to export or convert data from an EHR system, unless the parties agreed to the fee in writing at the time the EHR system was acquired.

In addition, this exception requires health IT developers that create certified API technology (certified API developers) to comply with the new condition of certification for certified APIs as a condition of meeting the Fees Exception.

Licensing Exception

Under the Licensing Exception, an actor’s terms (including those related to fees) for licensing an interoperability element for EHI to be accessed, exchanged or used is not prohibited information blocking when the practice meets all of the conditions discussed below. The final rule defines the term “interoperability element” to mean “hardware, software, integrated technologies or related licenses, technical information, privileges, rights, intellectual property, upgrades, or services that (1) may be necessary to access, exchange or use EHI and (2) are controlled by the actor. Such control includes the ability to confer all rights and authorizations necessary to use the element to enable the access, exchange or use of EHI.”

Upon receiving a request to license an interoperability element for the access, exchange or use of EHI, the actor must begin license negotiations with the requestor within 10 business days from receipt of the request and negotiate a license with the requestor, subject to the licensing conditions below (and other requirements of the Licensing Exception), within 30 business days from receipt of the request. The license for the interoperability element must meet the following conditions:

  • Scope of Rights. The license must provide all rights necessary to: enable the access, exchange or use of EHI and to achieve the intended access, exchange or use of EHI via the interoperability element.
  • Reasonable Royalty. If the actor charges a royalty for the use of the interoperability element, the royalty must be reasonable and comply with the following requirements:
    • The royalty must be non-discriminatory, consistent with the non-discriminatory terms requirement below.
    • The royalty must be based solely on the independent value of the actor’s technology to the licensee’s products, not on any strategic value stemming from the actor’s control over essential means of accessing, exchanging or using EHI.
    • If the actor has licensed the interoperability element through a standards developing organization in accordance with its policies regarding the licensing of standards-essential technologies on terms consistent with the licensing exception, the actor may charge a royalty that is consistent with such policies.
    • An actor may not charge a royalty for intellectual property if the actor recovered any development costs pursuant to the Fees Exception that led to the creation of the intellectual property.

In the final rule preamble, ONC notes that whether a royalty is reasonable for purposes of the Licensing Exception requirement depends on the particular facts and circumstances. ONC also identifies the following non-exclusive list of potential factors for evaluating reasonableness:

    • The royalties received by the actor for the licensing of proprietary elements in other circumstances comparable to reasonable and non-discriminatory licensing circumstances.
    • The rates paid by the licensee for the use of other comparable proprietary elements.
    • The nature and scope of the license.
    • The effect of the proprietary elements in promoting sales of other products of the licensee and the licensor, taking into account only the contribution of the elements themselves and not of the enhanced interoperability that they enable.
    • The utility and advantages of the actor’s interoperability element over the existing technology, if any, that had been used to achieve a similar level of access, exchange or use of EHI.
    • The elements’ contribution to the technical capabilities of the licensee’s products, taking into account only the value of the elements themselves and not the enhanced interoperability that they enable
    • The portion of the profit or selling price that may be customary in the particular business or in comparable businesses to allow for the use of the proprietary elements or analogous elements that are also covered by reasonable and non-discriminatory terms commitments.
    • The portion of the realizable profit that should be credited to the proprietary elements as distinguished from non-proprietary elements; the manufacturing process; business risks; significant features or improvements added by the licensee; or the strategic value resulting from the network effects, switching costs, or other effects of the adoption of the actor’s technology.
    • The opinion testimony of qualified experts.
    • The amount that a licensor and a licensee would have agreed upon (at the time the licensee began using the elements) if both were considering the reasonable and non-discriminatory terms obligation under the Licensing Exception and its purposes, and had been reasonably and voluntarily trying to reach an agreement.
  • Non-Discriminatory Terms. The royalty and other terms on which the actor licenses and otherwise provides the interoperability element must be non-discriminatory and comply with the following requirements:
    • The terms must be based on objective and verifiable criteria that are uniformly applied for all similarly situated classes of persons and requests.
    • The terms must not be based in any part on:
      • Whether the requestor or other person is a competitor or potential competitor, or will be using EHI obtained via the interoperability elements in a way that facilitates competition with the actor; or
      • The revenue or other value the requestor may derive from access, exchange or use of EHI obtained via the interoperability elements.

Accordingly, the royalty or other compensation terms in the license agreement for the interoperability element may not be a revenue share based on the revenue that the licensee generates from EHI transferred through the interoperability element.

How does the condition of certification for APIs affect license fees and other charges?

ONC finalized a condition of certification for certified APIs that includes, among other requirements, restrictions on the pricing practices of certified API developers. The requirements directly applicable to the fee restrictions are as follows:

  • Permitted Fees Generally. The condition of certification permits certified API developers to charge three categories of permitted fees and expressly allows the permitted fees to include a reasonable profit margin otherwise in accordance with the Fees Exception. All other fees related to certified API technology are prohibited. A certified API developer must ensure that:
    • All permitted fees are based on objective and verifiable criteria that are uniformly applied to all similarly situated hospitals, physician practices and other organizations that deploy certified API technology (API information sources), and persons or entities that create or use software applications that interact with the certified API technology (API users).
    • Permitted fees imposed on API information sources are reasonably related to the certified API developer’s costs to supply certified API technology to, and if applicable, support certified API technology for, API information sources.
    • Permitted fees to supply and support certified API technology are reasonably allocated among all similarly situated API information sources.
    • Fees are not based on whether API information sources or API users are competitors or potential competitors, or will use the API in a way that facilitates competition with the certified API developer.
  • Three Categories of Permitted Fees. The condition of certification permits the following categories of fees for certified API technology:
    • Permitted Fee: Development, Deployment and Upgrades. A certified API developer may charge fees to an API information source to recover the costs reasonably incurred by the certified API developer to develop, deploy and upgrade certified API technology.
    • Permitted Fee: Recovering API Usage Costs. A certified API developer may charge fees to an API information source related to the use of certified API technology, provided that the fees are limited to the recovery of incremental costs reasonably incurred by the certified API developer when it hosts certified API technology for the health care provider or other API information source.
    • Permitted Fee: Value-Added Services. A certified API developer may charge fees to an API user for value-added services related to certified API technology, as long as the services are not necessary to efficiently and effectively develop and deploy production-ready software that interacts with the certified API technology.
  • Prohibited Fees. Consistent with the Fees Exception, the condition of certification prohibits a certified API developer from charging a fee for:
    • Costs associated with intangible assets other than actual development or acquisition costs of such assets;
    • Opportunity costs unrelated to the access, exchange or use of EHI; and
    • Any costs that led to the creation of intellectual property if the actor charged a royalty for that intellectual property pursuant to the Licensing Exception and the royalty included the development costs for the creation of the intellectual property.
  • Non-Discrimination. A certified API developer must meet the following non-discrimination requirements when setting fees and other terms with respect to certified API technology:
    • Provide the certified API technology to an API information source on terms that are no less favorable than the certified API developer provides to itself and its own customers, suppliers, partners and other persons with whom it has a business relationship;
    • Base the terms for the provision of certified API technology on objective and verifiable criteria that are uniformly applied to all substantially similar or similarly situated classes of persons and requests;
    • Not offer different terms or services based on whether a competitive relationship exists or would be created; and
    • Not offer different terms or services based on the revenue or other value that another party may receive from using the API technology.
  • Description of API Fees. The certified API developer must describe all fees that it charges for the use of its certified API technology in detailed, plain language. The description must include all material information, including the persons or classes of persons to whom the fee applies; the circumstances in which the fee applies; and the amount of the fee, which for variable fees must include the specific variables and methodologies used to calculate the fee.
  • Record-Keeping Requirements. A certified API developer must keep detailed records of any fees charged with respect to the certified API technology, the methodologies used to calculate the fees and the specific costs to which such fees are attributed. In the final rule preamble, the ONC states it expects that “the accounting practices already used by health IT developers will largely support the health IT developer to meet this requirement. Examples of these practices by health IT developers include the methods used to track their own investments, determine how to bill and issue invoices to their customers, document receipt of payment, and to maintain overall accurate financial records of business transactions.”

What is the analytical framework for determining whether charges for health IT comply with an information blocking exception under the final rule and, if applicable, the condition of certification for APIs?

If an entity desires to impose a fee or other charge for an interoperability element or EHI access, exchange or use, to the extent the information blocking prohibition applies, the entity must design the fee to meet an exception to the information blocking prohibition and any applicable conditions of certification for certified health IT, such as the restrictions on fees for certified APIs. Accordingly, the entity should consider the following questions:

  • Covered Actor. Is the entity seeking to charge the license fees or other charges for use of APIs and other technology to access, exchange or use EHI an actor subject to the final rule (i.e., a health care provider, certified health IT developer, or an HIN or HIE)?
  • EHI. Does the proposed fee or other charge relate to EHI, as opposed to HIPAA de-identified health information or other information outside the definition of EHI, such as (for the 24 months after the publication of the final rule in the Federal Register), information that is not included in the USCDI data set?
  • Interoperability Element or Access, Exchange or Use. Is the proposed fee or other charge for (1) a license or other right to use an interoperability element or (2) providing access, exchange or use of EHI? For example, is the fee in exchange for a license for an API that enables access to EHI stored in an EHR system? Is the fee for a license to elements of EHR software or other health IT that only stores EHI rather than providing access, exchange or use of EHI? Alternatively, is the fee for participation in an HIN or HIE?
  • Information Blocking Exception. Does the proposed fee or other charge meet the Content and Manner Exception, Fees Exception or Licensing Exception? The Content and Manner Exception provides the greatest flexibility for actors relative to pricing and terms and may, therefore, be the most advantageous exception for actors to consider first. Between the Licensing Exception and the Fees Exception, the Licensing Exception is typically more attractive if the applicable costs are low, so it may be advantageous to consider that exception before the Fees Exception.
  • Additional Requirements for Certified API Technology. If the proposed fee or other charge relates to a certified API, does the proposed pricing practice meet the additional requirements of the condition of certification for APIs?

What are the key next steps for a certified health IT developer to ensure fees and other charges comply with the final rule’s information blocking prohibition and condition of certification for certified APIs?

A certified health IT developer should consider at least the following key steps to implement compliance.

  • Step 1: Identify all executed and template contracts and other arrangements under which the developer provides technology that includes any capability or service that enables access, exchange or use of EHI to third parties rather than merely storing EHI.
  • Step 2: Develop a business strategy and process for amending non-compliant arrangements with current customers and other counter-parties within the six-month period before the final rule’s compliance date for its information blocking provisions and for negotiating market terms with prospective counter-parties under the arrangements identified in Step 1 in accordance with the Content and Manner Exception.
  • Step 3: Revise any template pricing terms that do not meet the restrictions of the Fees Exception or Licensing Exception in order to be prepared for the failure of negotiations of market terms in accordance with the Content and Manner Exception.
  • Step 4: Develop a business process for responding to third-party requests to license an interoperability element, including its deadlines for beginning license negotiations and completing negotiations of a license agreement.
  • Step 5: Ensure that any template license or other agreement with a new customer for an EHR system specifies any fees to export or convert data from the EHR system in order to avoid the prohibition on export and conversion fees that are not agreed to in writing at the time the EHR system is acquired.
  • Step 6: Determine how to reasonably allocate certified API supply and support costs among similarly situated API information sources, including determining reasonably likely costs and forecasting the number of API information sources deploying the certified API.
  • Step 7: Determine whether existing accounting practices maintain detailed records of fees charged with respect to the certified API and other technology, the methodologies used to calculate the fees and the specific costs to which such fees are attributed. If existing practices do not maintain detailed records of these items, establish a practical business process to attribute fees to costs and a record keeping system to track required information.

What are the key next steps for a health care provider (that is not a certified health IT developer) to ensure that its contracts and other arrangements comply with the fee restrictions in the final rule’s exceptions to the information blocking prohibition?

A hospital, physician practice or other health care provider actor should consider the following steps to implement compliance with the information blocking prohibition:

  • Step 1: Identify all contracts and other arrangements under which the health care provider licenses or otherwise obtains an interoperability element or service from a certified health IT developer or other actor that enables access, exchange or use of EHI rather than merely storing EHI.
  • Step 2: Evaluate the arrangements identified under Step 1 to determine whether any fees may fail to meet the limitations imposed under the applicable final rule exception, and if so, consider requesting modified pricing terms for non-compliant arrangements.
  • Step 3: Develop a business strategy and process for responding to requests from physician practices and other health care provider requestors that have common patients with the health care provider receiving the request, for access, exchange or use of EHI maintained by the receiving health care provider. For example, a community physician practice may request that a hospital with common patients establish a custom interface to enable seamless access to EHI about common patients maintained by the hospital.

Summary Chart*

The following chart identifies all of the restrictions directly applicable to fees charged by an actor under the final rule. The first column of the chart identifies a restriction affecting fees. The second column indicates whether the fee restriction in the first column is an element of the Licensing Exception. The third column indicates whether the restriction in the first column is an element of the Fees Exception. The fourth column indicates whether the restriction applies to developers of certified APIs. For more information about elements of the exceptions that are not directly related to fees charged by an actor, please see McDermott’s prior Special Report comprehensively covering the information blocking provisions of the final rule.

*For more information about elements of the exceptions that are not directly related to fees charged by an actor, please see McDermott’s prior Special Report comprehensively covering the information blocking provisions of the final rule.

Restrictions on Fees for Technology or Services
Used to Provide Access, Exchange or Use of EHI
Licensing Exception Fee Exception API Condition of Certification
Cost-Based Fee Limitations.
  • Fees Exception Limit. Fee must be reasonably related to the actor’s costs of providing the type of access, exchange or use to, or at the request of, the person charged.
  • API Fee Limit. Fee imposed on API Information Source must be reasonably related to the Certified API Developer’s costs to supply certified API technology to, and if applicable, support the certified API technology for, the API Information Source.
   

X

Profit Margin. Any profit margin on a royalty or any other fee must be reasonable.

X

X

X

Reasonable Royalty. Any royalty for an Interoperability Element must be reasonable under the applicable facts-and-circumstances. (ONC provides a non-exclusive list of factors for determining reasonableness in the Final Rule preamble discussed above.)

X

   
Excluded Cost: The actor must not base fee on costs otherwise recovered for the same instance of service to a provider and third party.  

X

 
Excluded Cost: Non-Standard Costs. The actor must not charge a fee based on costs incurred because the health IT being designed or implemented in non-standard way, unless the requestor agreed to the fee associated with the non-standard design or implementation to access, exchange or use EHI.  

X

 
Excluded Cost: Limit on Intangible Asset Costs. The actor must not charge a fee based on costs associated with intangible assets, other than the actual development or acquisition costs of such assets.    

X

Excluded Cost: Opportunity Cost. The actor must not charge a fee based on opportunity costs unrelated to the access, exchange or use of EHI.  

X

X

Excluded Cost: Privacy Rule Access Fee Limit. The actor must not charge an access fee prohibited by § 164.524(c)(4) of the HIPAA Privacy Rule. The Privacy Rule provision permits recovery of only the costs of labor for copying Protected Health Information, supplies for creating the copy (e.g., flash drive or other electronic storage device), postage or preparation of an explanation or summary of the Protected Health Information. For further information on the Privacy Rule’s limits on access fees, see OCR’s interpretative guidance as amended by the Ciox v. Azar case.  

X

 
Excluded Cost: Access Fees to Patients. The actor must not base a fee in any part on the Electronic Access (as defined by the final rule) of an individual’s EHI by an individual or the individual’s personal representative or another person or entity designated by the individual.  

X

 
Excluded Cost: Export Fee. The actor must not charge a fee to perform an export of EHI via the capability of health IT certified to the ONC’s EHI export criterion (at 45 C.F.R. § 170.315(b)(10) for the purposes of switching health IT or providing a patient with the patient’s EHI.  

X

 
Excluded Cost: Export or Conversion Fee. The actor must not charge a fee to export or convert data from an EHR technology, unless such fee was agreed to in writing at the time the technology was acquired.  

X

 
Objective, Verifiable and Uniformly Applied Criteria. The Certified API Developer or other actor must base fees on objective and verifiable criteria that are uniformly applied to all similarly situated classes of persons or entities (including, as applicable, persons that are API Information Sources or API Users) or requests.

X

X

X

Reasonable Cost Allocation. The Certified API Developer or other actor must reasonably allocate the fees to supply and, if applicable, support the certified API technology or other technology or service upon which it bases a fee among all similarly situated persons or entities (e.g., all API Information Sources) to whom the API or other technology or service is supplied, or for whom the technology is supported.  

X

X

Independent Value. The royalty must be based solely on the independent value of the actor’s technology to the licensee’s products, not on any strategic value stemming from the actor’s control over essential means of accessing, exchanging or using EHI.

X

   
Standards-Essential Technologies. If the actor has licensed the Interoperability Element through a standards developing organization (SDO) in accordance with such SDO’s policies regarding the licensing of standards-essential technologies on terms consistent with the Licensing Exception, the actor may charge a royalty that is consistent with such policies.

X

   
Non-discriminatory. Any royalty charged by the actor must be non-discriminatory.

X

   
Pro-Competitive.
  • Blocking Exceptions’ Limit. The actor must not base a fee on whether the requestor or other person is an actual or potential competitor or will be using the EHI in a way that facilitates competition with the actor.
  • API Fee Limit. The Certified API Developer must not base fee on whether the API Information Source or API User is a competitor or potential competitor, or will be using the API technology in a way that facilitates competition with the Certified API Developer.

X

X

X

No Revenue Share. The actor must not base fee on the sales, profits, revenue or other value that the requestor or other persons derive or may derive from the access to, exchange of, or use of EHI, including, without limitation, EHI obtained via an Interoperability Element.

X

X

 
Coordination of Blocking Exceptions and AP-Specific Fee Limits.
  • Licensing Exception. An actor may not charge a royalty for intellectual property if the actor recovered any development costs pursuant to Fees Exception that led to the creation of the intellectual property.
  • Fees Exception: An actor may not charge a fee based on any costs that led to the creation of intellectual property, if the actor charged a royalty for that intellectual property pursuant to the Licensing Exception and that royalty included the development costs for the creation of the intellectual property.
  • API Fee Limit: An actor may not charge a fee for certified API technology cannot include any costs that led to the creation of intellectual property if the actor charged a royalty for that intellectual property pursuant to the Licensing Exception and the royalty included the development costs for the creation of the intellectual property.

X

X

X

API-SPECIFIC FEE RESTRICTIONS      
Record-Keeping Requirements. The Certified API Developer must keep for inspection detailed records of any fees charged with respect to the certified API technology, the methodologies used to calculate such fees, and the specific costs to which it attributes such fees.    

X

Fee Description Disclosure. The Certified API Developer must describe a fee in detailed, plain language and with all material information, including, without limitation: persons or classes of persons to which the fee applies; the circumstances in which the fee applies; and the amount of the fee, which for variable fees must include specific variables and methodologies that will be used to calculate the fee.    

X

Non-Discrimination. The Certified API Developer must provide certified API technology to API Information Sources on terms no less favorable than the Certified API Developer provides to itself and its own customers, suppliers, partners and other persons with whom it has a business relationship.    

X

Non-Discrimination. The Certified API Developer must not offer different fees, other terms or services based on whether a competitive relationship exists or would be created.    

X

Non-Discrimination. The Certified API Developer must not offer different fees, other terms or services based on the revenue or other value that another party may receive using the certified API technology.    

X

Openness. A Certified API Developer must not condition the receipt of the following rights on receiving a license fee, royalty, revenue- sharing arrangement or any other fee;
  • Access and use the Certified API Developer’s certified API technology in a production environment;
  • Develop products and services that are designed to interact with the Certified API Developer’s certified API technology; and
  • Market, offer, and distribute products and services associated with the Certified API Developer’s certified API technology.
   

X

Three Permitted Fee Categories. A Certified API Developer must meet the general requirements set forth above and also not impose any fee associated with certified API technology unless the fee fits into at least one of the three Permitted Fee categories below. The final rule prohibits all other fees associated with the certified API technology.    

X

1. Permitted Fee for API Development, Deployment and Upgrades. The Certified API Developer may charge a fee to an API Information Source to recover costs reasonably incurred by the Certified API Developer to develop, deploy and upgrade certified API technology.    

X

2. Permitted Fee for Recovering API Usage Costs: The Certified API Developer may charge a fee to an API Information Source related to the use of certified API technology, provided that the fees are limited to the recovery of incremental costs reasonably incurred by the Certified API Developer when it hosts certified API technology on behalf of the API Information Source.    

X

3. Permitted Fee for Value-Added Service. The Certified API Developer may charge a fee to an API User for value-added services related to certified API technology, so long as such services are not necessary to efficiently and effectively develop and deploy production-ready software that interacts with certified API technology.    

X

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McDermott Will & Emery | Attorney Advertising

Written by:

McDermott Will & Emery
Contact
more
less

McDermott Will & Emery on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide

JD Supra Privacy Policy

Updated: May 25, 2018:

JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.

This Privacy Policy describes how JD Supra, LLC ("JD Supra" or "we," "us," or "our") collects, uses and shares personal data collected from visitors to our website (located at www.jdsupra.com) (our "Website") who view only publicly-available content as well as subscribers to our services (such as our email digests or author tools)(our "Services"). By using our Website and registering for one of our Services, you are agreeing to the terms of this Privacy Policy.

Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the "My Account" dashboard (available if you are logged into your JD Supra account).

Collection of Information

Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account ("Registration Data"), such as your:

  • Email
  • First Name
  • Last Name
  • Company Name
  • Company Industry
  • Title
  • Country

Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.

Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.

Your interactions with our Website and Services: As is true of most websites, we gather certain information automatically. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data. We use this information to analyze trends, to administer the Website and our Services, to improve the content and performance of our Website and Services, and to track users' movements around the site. We may also link this automatically-collected data to personal information, for example, to inform authors about who has read their articles. Some of this data is collected through information sent by your web browser. We also use cookies and other tracking technologies to collect this information. To learn more about cookies and other tracking technologies that JD Supra may use on our Website and Services please see our "Cookies Guide" page.

How do we use this information?

We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:

  • Operate our Website and Services and publish content;
  • Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
  • Measure readership and usage of the Website and Services;
  • Communicate with you regarding your questions and requests;
  • Authenticate users and to provide for the safety and security of our Website and Services;
  • Conduct research and similar activities to improve our Website and Services; and
  • Comply with our legal and regulatory responsibilities and to enforce our rights.

How is your information shared?

  • Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
  • If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
  • Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
  • Our Website may offer you the opportunity to share information through our Website, such as through Facebook's "Like" or Twitter's "Tweet" button. We offer this functionality to help generate interest in our Website and content and to permit you to recommend content to your contacts. You should be aware that sharing through such functionality may result in information being collected by the applicable social media network and possibly being made publicly available (for example, through a search engine). Any such information collection would be subject to such third party social media network's privacy policy.
  • Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
  • Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
  • To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.

How We Protect Your Information

JD Supra takes reasonable and appropriate precautions to insure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at privacy@jdsupra.com.

Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR") In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to privacy@jdsupra.com. We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to privacy@jdsupra.com.

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at: privacy@jdsupra.com.

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at www.jdsupra.com) (our "Website") and our services (such as our email article digests)(our "Services") use a standard technology called a "cookie" and other similar technologies (such as, pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit legal.hubspot.com/privacy-policy.
  • New Relic - For more information on New Relic cookies, please visit www.newrelic.com/privacy.
  • Google Analytics - For more information on Google Analytics cookies, visit www.google.com/policies. To opt-out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout. This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit http://www.aboutcookies.org which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time-to-time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at: privacy@jdsupra.com.

- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.