Health Update - July 2016

Manatt, Phelps & Phillips, LLP

In This Issue:

  • Wearables, Devices and Cybersecurity: New Regulations and Potential Liability
  • The FCA: Escobar Means More Than You Think
  • The FTC and Patient Privacy: Challenges of the Digital Age
  • Scalia's Death Has Limited Impact on Major Healthcare Cases
  • Key Takeaways From the Academic Nursing Leadership Summit
  • California Supreme Court Clarifies Constitutional Limits on Punitive Damages
  • Steering and Its Broad Implications for Payer-Hospital Negotiations

Wearables, Devices and Cybersecurity: New Regulations and Potential Liability

By Kimo Peluso, Partner, Litigation | Helen Pfister, Partner, Manatt Health

Editor's Note: In a recent two-part webinar for Bloomberg BNA, Manatt examined the most significant legal developments that life sciences companies need to watch in the year ahead. In an ongoing series of articles, we'll be sharing some of the key issues explored during the program—and guidance on navigating safely through an increasingly complex healthcare landscape. Below we summarize the presentation on wearables, devices and cybersecurity. If you'd like to view the webinar free on demand, click here to access Part 1 and here to access Part 2. If you would like a copy of the presentations for your continued reference, click here to download a free PDF.

__________________________________________________

The Vulnerability of Healthcare Information

According to a report the Brookings Institute issued in May 2016, 23% of all data breaches occur in the healthcare industry. Nearly 90% of healthcare organizations had some sort of data breach between 2013 and 2015, costing the industry $6.2 billion.

Why is healthcare data so vulnerable? Because it is so valuable. It contains a wide range of identifying information, including social security numbers, birthdates and home addresses. Unlike credit card information, much of this information is constant and can't be changed. In addition, it's information that's kept across a number of years and increasingly shared across different entities.

Legal Mandates to Address Security Issues

There are a number of legal mandates in place to address the security issues around healthcare information. The first and probably best known is the Health Insurance Portability and Accountability Act (HIPAA), which established national standards for protecting electronic health information. In addition, we have the Health Information Technology Certification Program, administered by the Office of the National Coordinator for Health Information Technology (ONC), that allows health IT projects to be certified based on standards adopted via regulation by the Department of Health and Human Services (HHS). Finally, there is the Food and Drug Administration's (FDA) premarket review and approval process for medical devices, which focuses on medical device cybersecurity.

It's important to recognize that the existing mandatory guidance is limited. Supplementing the mandatory guidance is a fair amount of nonmandatory guidance relating specifically to wearables, mobile apps and connected medical devices. For example, in October 2015, the Office of Civil Rights (OCR)—which is the office that oversees HIPAA—released an in-house mHealth Developer Portal, a community-based portal that lets developers post HIPAA-related questions. In February 2016, the OCR published informal guidance clarifying when mobile apps are subject to HIPAA. In addition, in April 2016, the Federal Trade Commission (FTC) released a set of Web-based interactive tools to help mobile app developers navigate current laws and regulations.

Despite the legal framework the existing guidance has established, there are still many questions around the legal requirements that apply to wearables and mobile devices. For example, when and how does HIPAA apply to mobile apps? Is an app that lets patients communicate with their healthcare providers covered by HIPAA, if the provider didn't recommend the app? The answers aren't always clear. This is an evolving area, with a lot more guidance likely to come going forward.

Cybersecurity Risks of Connected Medical Devices

Connected medical devices are devices that transmit information to and from the Internet, hospital IT systems or each other. For example, a heart monitor that connects to an electronic health record or an infusion pump with remote dosage controls would be classified as a connected medical device.

Connected medical devices face a number of cybersecurity pitfalls. While electronic health records are certified, other types of medical software products tend not to be, leaving them vulnerable to hacking. While there have been no reports of injury or death resulting from hacking into connected medical devices, the threat is definitely real.

Connected medical devices also can pose HIPAA challenges. HIPAA applies to protected health information (PHI) regardless of where it's stored. Therefore, when a medical device is disposed of, it needs to be wiped or destroyed to eliminate the possibility of disclosing PHI. While healthcare providers are very focused on ensuring that they wipe PHI from computers, they are not always as vigilant about PHI stored on medical devices.

Exacerbating the security risk is the fact that medical devices purchased by hospitals don't have updates intended to protect security. As we grow increasingly more interconnected, healthcare organizations need to start thinking about including requirements on securability for the lifetime of a device in their procurement specifications to mitigate some of the security risks.

Connected Medical Devices and Recent Regulatory Actions

Over the last few years, we've witnessed an explosion of attention around the cybersecurity risks that connected medical devices can pose and the resulting threat to patient safety. There have been increasing research, regulatory guidance, warnings and speculation about the ability of hackers to take control of medical systems to hurt or kill patients. While there have been no actual cases of injuries or deaths caused by hacking, it looms as a frightening possibility.

A 2012 episode of the television program Homeland featured a character hacking into the pacemaker of the fictional vice president. When interviewed about the episode, former vice president Dick Cheney revealed that toward the end of his administration's second term, the Secret Service recommended that his doctors disable the wireless capabilities in his own pacemaker because of the potential threat to his safety.

The private sector has started to pay attention to the possible serious risks of medical device hackers. In 2013, the Mayo Clinic engaged some of the most high-profile, sought-after "white hat" hackers to conduct a study of medical devices. "White hat" hackers are hackers hired by private companies to attempt to hack into their own devices, so that the companies can identify their cybersecurity vulnerabilities.

The "white hat" hackers worked on about 40 different medical devices, including cardiac monitors, infusion pumps and even hospital beds, which sometimes connect to hospital networks and electronic networks. The final report showed that, in a significant number of cases, the hackers could crush the security on the devices and gain control in some form. The most alarming finding was that one of the hackers was able to gain control of a particular brand of infusion pump and remotely cause it to deliver a potentially lethal dose of medication. Again, that is not something that's been reported to have ever actually happened, but having discovered that he could do it, the hacker reported his result to Homeland Security.

In 2014, the press revealed that Homeland Security was engaged in its own study of various medical device vulnerabilities through its Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT. In July 2015, Homeland Security, working in collaboration with the FDA, became concerned about the particular infusion pump that the hacker had identified. After a series of warnings and communications with the manufacturer and, in turn, with hospitals and providers, the FDA eventually recommended a recall and stopped usage of that particular infusion pump. Again, nothing actually happened—but the threat was real enough for the FDA to stop the use of that brand of device.

The increasing concerns around cybersecurity have resulted in largely nonbinding guidance and recommendations. For example, the FDA now reviews cybersecurity issues for medical devices as part of the premarket submissions it receives—whether for premarket approval applications or, more commonly, 510K applications for new versions of devices that are currently on the market.

Although the guidance the FDA has issued is nonbinding, it provides instructions to device manufacturers on what sort of information they need to include with their general free market submissions regarding their cybersecurity measures. The FDA is asking manufacturers to ensure their submissions identify any potential threats, quantify those threats and define what mitigation steps they're planning to implement.

In January 2016, the FDA issued more interesting and more ambitious postmarket guidance. The guidance asks medical device manufacturers to identify cybersecurity threats in the same way that they identify the efficacy and risk issues of their devices in the postmarket setting. The FDA is requesting that manufacturers ensure the quality audits that current regulations require include cybersecurity issues and reporting of problems and complaints to the FDA.

Although this is nonbinding guidance, it includes a promise by the FDA that it will not enforce certain reporting requirements for device manufacturers that participate in an information exchange through the National Health Information Sharing & Analysis Center, or the NH-ISAC. The NH-ISAC is an information exchange portal that allows device manufacturers and others to share information in a forum that is actually privileged by statute to a certain degree. The FDA has stated in its guidance that it strongly recommends that companies participate in information exchange portals.

Congressional Prospects

There have been some congressional actions to address mounting concerns around cybersecurity risks. California Senator Barbara Boxer sent a letter to leading medical device manufacturers expressing her concerns about cybersecurity vulnerabilities and asking them to describe the steps they're taking to address the threat of cybersecurity vulnerabilities.

There are also several pieces of legislation that are in front of Congress right now, including the TRUST IT Act, which would basically set up a star ratings program for federally certified electronic health record (EHRs). Other legislation includes:

  • The Cybersecurity Disclosure Act, which would direct the SEC to require public companies to disclose whether they have any cybersecurity experts on their boards.
  • The HHS Data Protection Act, with bipartisan support, that creates a separate office for the HHS Chief Information Security Officer (CISO).

Conclusion

In the end, the question remains as to whether more enforcement is the right approach. The Brookings Institute released a report saying that helping healthcare organizations prevent cyberattacks, instead of punishing those affected by them, would be a much more effective approach. The bottom line is that this is a rapidly evolving area that's changing very quickly, so it will be critical to stay tuned.

The FCA: Escobar Means More Than You Think

By Arun Bhoumik, Partner, Corporate Investigations and White Collar Defense | Kimo Peluso, Partner, Litigation

Editor's Note: On June 6, 2016, the Supreme Court issued a unanimous decision in the Medicaid case of Universal Health Services, Inc. v. United States ex rel. Escobar, adopting a form of the "implied certification" theory of knowingly fraudulent representations under the False Claims Act (FCA). The Court's opinion, authored by Judge Clarence Thomas, confirmed that the implied certification theory "can be a basis for liability"—but did it really fully resolve the circuit split around this issue? In a recent webinar, Manatt examined the implications of the Escobar decision on implied false certification, materiality and FCA cases moving forward. Click here to view the webinar free and here to download a free copy of the webinar presentation.

__________________________________________________

What Is the FCA?

Enforced by the Department of Justice (DOJ), the FCA is a federal statute that creates liability for any person who submits claims to the government for payment. In the healthcare space, for example, this includes healthcare providers who make claims for payment to Medicare or Medicaid. The FCA prohibits a person or entity from knowingly making a claim for payment that is false or fraudulent or that includes a false statement that is material to the claim.

The FCA has several severe financial consequences, including the potential for double or treble damages. There also are attorneys' fees provisions, as well as mandatory civil penalty provisions, which can go up to $11,000 per claim. In addition to the massive financial repercussions, companies found guilty of violating the FCA could face debarment from federal programs.

The FCA also includes whistleblower provisions, which allow private parties to bring what are called qui tam actions on behalf of the government. The government can decide to intervene in that action or decline to intervene. If the government declines, the whistleblower and the whistleblower's counsel control the case going forward.

What Is the Theory of Implied False Certification?

The Escobar decision was supposed to answer the longstanding circuit split about a particular doctrine within FCA jurisprudence known as the implied false certification doctrine. The FCA is an antifraud statute, but a species of FCA liability has emerged in which government contractors and others who get reimbursements from the government are found liable without any express statement that is deemed false or fraudulent. Rather, the theory of implied false certification means that the mere submission of a claim for payment to the government implicitly certifies that the requesting person is in compliance with material government regulations or material provisions of the relevant contract. In other words, just by submitting a request for payment or reimbursement, the requestor is implicitly representing to the government that it hasn't done anything illegal or outside of the regulatory program under which the claim is being submitted.

There's been a circuit split among the courts on how to deal with these kinds of claims. Basically, the courts have divided into two camps. There is one group, starting with the Second Circuit, that has held that it is only going to hold defendants liable under this theory where the regulation or contractual provision that they have been alleged to have violated without disclosing is itself expressly a condition of payment. In other words, there must be something in the regulation itself that says compliance with the regulation is a condition of payment. Therefore, the act of requesting payment implicitly certifies that the requestor is in compliance with the regulation. Other circuits have rejected that type of test and instead take a more expansive and fact-intensive view as to what sorts of regulations and what sorts of violations would qualify for liability under this theory.

What Happened in Escobar?

Escobar involved a healthcare provider in Massachusetts that provided mental health services to a young girl who ended up dying in its care. It turned out that a number of the mental health professionals treating the girl were not licensed and were not qualified to provide the treatment. In addition, medications were being prescribed by people who were not authorized to write prescriptions. In fact, the person who diagnosed the patient was not licensed to make the diagnosis.

In spite of these facts, the provider submitted numerous claims to MassHealth, Massachusetts' combined Medicaid and Children's Health Insurance Program (CHIP), for payment. After the patient passed away, the plaintiffs brought an action alleging under the FCA that the claims for payment were false and fraudulent because implicit in those claims was a certification that the persons providing the treatment were qualified to do so.

The district court dismissed the claim on the theory that the alleged falsities were conditions of participation and not conditions of payment. The First Circuit reversed and rejected that distinction between conditions of participation and conditions of payment. Instead, the First Circuit adopted a position that whether or not a regulatory noncompliance renders a claim for payment false or fraudulent requires a fact-specific inquiry. The reversal teed up the case for a decision by the Supreme Court as to whether or not the fact that the provider making the claims for services was not qualified to provide those services rendered the underlying claims false or fraudulent.

What Was the Supreme Court's Decision?

The Supreme Court issued a unanimous decision, written by Justice Thomas, vacating the First Circuit decision and describing the First Circuit jurisprudence as too expansive in this area. It did not adopt, however, the distinction between condition of payment and condition of participation that some of the other circuits had adopted. Instead, the Supreme Court found that FCA liability could be sufficiently pled where there was an express statement that itself was misleading due to undisclosed noncompliance. The Court further found that such a claim would have to be supported by a showing or an allegation that the undisclosed noncompliance was material to the government's decision to pay and that the defendant had knowledge not only of the undisclosed violation but also of the fact that it was material to the government's decision.

Based on that finding, the Supreme Court vacated the First Circuit decision, because the First Circuit had applied such a different standard than any other circuit had applied. The Court didn't say, however, that the First Circuit necessarily got it wrong. It vacated the decision for the First Circuit to apply that standard to the facts of that case. Perhaps predictably, both sides declared victory in the press—and the rest of us are left wrestling with what this decision really means.

What Are the Implications of the Decision?

One of the key points that comes across from the decision is that the Supreme Court upheld the possibility of an FCA violation, because there was an express statement that was essentially a half-truth, rendering it misleading. The Court expressly declined to resolve whether an implied false certification theory was viable based on the mere submission of a claim itself. That may be the unresolved circuit split that we're going to see with these cases moving forward. By relying on this sort of implied statement or half-truth, the Court was really drawing on common law roots of what can constitute a fraudulent omission, and perhaps we'll leave it to the courts or scholars to argue about other common law exceptions that might give rise to these kinds of claims.

The most interesting part of the decision relates to its materiality holding. The language isn't on point in describing what the materiality standard is, in terms of giving us a sentence we can use. It does include some language from the common law doctrine from which it draws, suggesting that the Court is very concerned with whether a particular noncompliance or a particular regulatory violation is likely to influence the government's decision to pay.

The issue of materiality is where the Escobar decision is likely to have interesting implications going forward. The Court says that materiality refers to information that is material to the decision by the government to pay the claim. Very critically, although there has been confusion in the press around this issue, the Court is explicit in stating that the defendant must have knowledge of the materiality—so would need to know that the information would be material to the government's decision to pay the claim.

The opinion goes out of its way to state that the materiality standard is demanding. The Court then goes on to define explicitly what's not material. The Court states that, in fact, "a misrepresentation cannot be deemed material merely because the government designates compliance with a particular statutory, regulatory or contractual requirement as a condition of payment." Slip Op. 15.

What the Court is saying is that the fact the government has explicitly stated that it's not going to pay isn't necessarily enough to prove materiality. "Nor is it sufficient for a finding of materiality that the government would have the option to decline to pay if it knew of the defendant's noncompliance." Slip Op. 15-16. This captures where the Court was troubled by the First Circuit's decision and how broadly the First Circuit had ruled on the definition of materiality.

Why Is a Track Record Important?

For government agencies, this decision removes the ability to "opt into" the FCA. Agencies can no longer make regulations or any particular regulation a predicate for FCA liability. The Court is saying the agency really has to act on the regulation. When Justice Thomas talks about the evidence of materiality, he really is referring to the track record. In what situations did the government actually decline payment? And in what situations did the government permit payment, even when it was aware of a violation?

There are cases in which the government knows about a regulatory violation but continues to pay. Then a relator purporting to represent the government's interest attempts to sue under the FCA. The unanimous decision makes it clear that it's very hard to believe a particular violation is material to the government's decision to pay, if the government has, in fact, kept paying, even after it was aware of the violation.

What Is the Potential Impact of the Materiality Requirement?

The interesting thing about the materiality requirement is that it's not limited to the implied false certification context. Escobar was supposed to be the decision that determined whether implied false certification was a viable theory, but the Court punted on the question. It did, however, make a very important ruling on the issue of materiality—and that issue of materiality is not limited to implied false certification claims. The fairly significant statements that the Court made on materiality—in some ways limiting materiality and in other ways expanding materiality—can be equally applicable to all sorts of FCA cases.

That comes across in a number of aspects of the decision where the Court is insisting on not deciding issues. It's a little bit tough to swallow how the logic of the decision holds up, if the Court truly is not deciding what the standard for materiality is for the FCA.

There is almost a defensiveness in footnote 6 of the decision:

"We reject Universal Health's assertion that materiality is too fact intensive for courts to dismiss False Claims Act cases on a motion to dismiss or at summary judgment. The standard for materiality that we have outlined is a familiar and rigorous one. And False Claims Act plaintiffs must also plead their claims with plausibility and particularity under the Federal Rules of Civil Procedures 8 and 9 (b) by, for instance, pleading facts to support allegations of materiality."

Footnote 6 has been the beacon of hope for defense attorneys that they're still going to be able to win their cases on motions to dismiss—and they probably will. Beyond the footnote, the decision is really framed in terms of track records for government agencies—whether they pay or don't pay—and that is not necessarily the kind of information that defense attorneys are going to have readily available to argue from the pleadings on a motion to dismiss.

On the other hand, relators and the DOJ also are not going to have information handy on whether an agency chose to pay or not to pay when faced with similar noncompliance issues. In addition, relaters are going to have to come up with allegations that satisfy the standard of materiality that the Court has issued in Escobar—and they're going to have to do it in a way that satisfies Rule 9(b) and heightened pleading standards. Beyond that, they're going to have to allege plausibly that not only was information material to the government's decision to pay or not to pay, but that the defendant knew it was material.

As a result, it's likely that we are still going to see motions to dismiss and those motions being granted. But they're not going to look like the motions that got filed under courts that followed the Second Circuit approach. Instead, we are going to see motions to dismiss that look more like motions seen in commercial litigation cases where defendants have to catalogue the allegations and explain to the court why they are not enough.

What's Next?

The implications for the case going forward remain a bit unclear. In some ways the Court has made life harder for FCA defendants, and in some ways it's made life harder for FCA plaintiffs and the government. For now, we can just continue to watch and see how things play out moving forward.

The FTC and Patient Privacy: Challenges of the Digital Age

By Richard Lawson, Partner, Consumer Protection | Randi Seigel, Counsel, Manatt Health

Companies operating in the healthcare arena, especially nontraditional ones, must take seriously the privacy concerns of patients—the good, the bad, and the warts (literally). That critical need to keep patient privacy top of mind is the key takeaway from a recent Federal Trade Commission (FTC) action against Practice Fusion, a cloud-based electronic health record (EHR) company, in which the FTC alleged that Practice Fusion collected patient comments about doctors without properly advising the patients that the comments would eventually be posted publicly in the patient review portion of a healthcare provider directory.

As might be expected, some of these comments contained information that a patient likely does not want shared publicly. For instance, one patient thanked the provider for removing a wart (which had been under a callus) and advising that another wart may be growing on the other foot. Additional examples include comments about facelifts, Xanax prescriptions, yeast infections, and the suicidal tendencies of a child.

According to the FTC, Practice Fusion sent out emails to patients asking for feedback on the treatment they received from their providers. The FTC states that Practice Fusion failed to disclose to the patients that the information they provided would be publicly shared in patient reviews for future patients to read, and rely on, in determining which healthcare providers they may want to visit. The heart of the FTC's case was that patients' comments about their health status were of such a private nature that the public disclosure of these statements necessarily required their knowledge and consent.

Companies across many different industries are seeking new and different ways to engage with consumers. While the digital age allows for new methods to be executed at blinding speeds, traditional rules about disclosure and consumer choice remain as prominent now as they were in the last century. Mix these concepts in with the sensitivity of patients' health information, and companies can quickly find themselves foundering on the rocks and shoals of the Health Insurance Portability and Accountability Act of 1995 (HIPAA) and state privacy laws, as well as the traditional consumer protection rules and regulations.

The Importance of Clear and Conspicuous Disclosures

The FTC asserted that the eventual publication of private health information was a material term, and that Practice Fusion should have clearly and conspicuously advised patients that their information would be used this way. Material disclosures should find the consumer, not the other way around. Adhering to this simple maxim can avoid the expense and loss of customers' goodwill that accompany FTC investigations.

Materiality always will be dependent on the circumstances. Costs and fees almost always count as "material," but money is not the only concern when it comes to materiality, as demonstrated in the Practice Fusion case. In Practice Fusion, the FTC asserted that health information was material, given that the heart of the matter involved accumulating personal data to be used in the comment section of a provider directory. But whatever is at issue, the cardinal rule with material disclosures is that they must be "clear and conspicuous."

The Four Ps That Define "Clear and Conspicuous"

"Clear and conspicuous" is a phrase that has been examined in countless actions by the FTC and state attorneys general. One helpful phrase used to flesh out the meaning of "clear and conspicuous" is the four Ps—prominence, presentation, placement, and proximity.

The "prominence" of a disclosure is often a function of the message's size and clarity. This can be a particular concern for disclosures made on mobile devices. Enforcing agencies can be very unforgiving of disclosures that can be viewed well on a desktop but are barely readable on a phone. Color contrast can be an issue that undermines a message's prominence, as well. Disclosures in a cream-colored text on a white background probably run afoul of the "prominence" standard.

"Presentation" relates to the ability of the disclosure to be understood by readers. The terms used in the language must be understandable to the average reader. Similarly, "placement" means that the disclosure needs to be in a location where the consumer could reasonably be expected to find the terms. Lastly, to meet the "proximity" standard, the disclosure must not only be in a place the consumer can be expected to find it, but in a place that is relevant to the material claim at issue.

The Special Considerations That HIPAA Adds

Beyond the traditional disclosure standards from the FTC, companies need to take into account the special considerations related to the healthcare industry, such as HIPAA. HIPAA, among other things, protects patient health information from unauthorized access, use and disclosure by healthcare providers. For example, if a company receives information from the medical practices with which it contracts, then use of that information is governed by HIPAA.

HIPAA permits healthcare providers and health plans (known as covered entities) to share health information with third-party vendors—known as business associates—such as electronic medical records companies. Business associates are required to comply with HIPAA regulations.

Using the patient information provided by healthcare providers (such as names and email addresses) in a manner unrelated to the services provided by the business associate to the provider would be a breach of HIPAA and the business associate agreement (BAA). Further, using this information in a manner that resulted in public disclosure of patient health information without the consumer's consent likely would trigger an investigation by the Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS), the agency responsible for overseeing and enforcing HIPAA. Business associates are subject to civil and, in some cases, criminal penalties for making uses and disclosures of patient health information in violation of HIPAA and their BAAs.

Practice Fusion: An Important Reminder

As alleged by the FTC, Practice Fusion, while trying to develop a new service to help consumers find a healthcare provider, found itself in the vortex of both healthcare and traditional consumer protection concerns. The case serves as a critical reminder that in this data-driven communication age, personal health data can be as important as financial data. Collecting sensitive health information requires careful consideration; publishing it requires the clear and knowing consent of the patient, whether covered by HIPAA or not.

There are fantastic opportunities for consumers, providers and patients to engage with businesses and each other in this digital age. As Practice Fusion demonstrates, however, the FTC expects companies to remember and apply time-tested laws and rules about privacy and disclosures.

Scalia's Death Has Limited Impact on Major Healthcare Cases

By Andrew Struve, Partner, Healthcare Litigation | John LeBlanc, Partner, Healthcare Litigation | Joanna Allen, Associate, Healthcare Litigation

Justice Antonin Scalia's death apparently impacted only one of the four major healthcare cases pending before the United States Supreme Court this term. Although initially it was feared that his absence would mean that some of these cases could result in a 4-4 split decision, a considerable possibility given the politically charged nature of healthcare, that did not happen.

Healthcare Cases Pending Before the Supreme Court This Term

The Supreme Court decided four important healthcare cases this term that are laden with implications for insurers, providers and state healthcare reform efforts.

Whole Woman's Health v. Hellerstedt

On June 27, 2016, in a five-to-three decision, the Court upheld a challenge to a 2013 Texas law that plaintiffs alleged interfered with a woman's constitutional right to privacy as it affects her right to an abortion. The law imposed specific requirements on abortion clinics, including a mandate that doctors have admitting privileges at a hospital no more than 30 miles away from the clinic. It set clinic standards similar to those of surgical centers, including specific requirements on room and doorway sizes, staffing, and anesthesia, among other things. The Court held that the law, which according to the petitioners had already caused numerous abortion clinics throughout Texas to close, placed an "undue burden" on a woman's constitutional privacy rights. The Court had not heard a major abortion case since 2007.

Supporters of the Texas law claimed it was intended to protect women's health, as it allegedly brought health and safety standards for abortion clinics more in line with those of other medical facilities. Opponents argued the law was intended solely as a means to limit abortion. The lead plaintiff, an abortion provider called Whole Woman's Health, maintained that the law was not medically necessary, was demanding and expensive, and interfered with women's healthcare.

Before the decision was announced, commentators had expressed concern that, without Justice Scalia, a deadlocked decision was quite possible, which in turn would have automatically affirmed the Court of Appeals' ruling without giving reasons and without setting precedent. In this case, that outcome would have upheld the Texas law's restrictions, closing all but about 10 clinics in the state. It also likely would have given states within the Fifth Circuit (Louisiana, Texas and Mississippi) broad discretion to restrict abortion. Obviously, that didn't happen.

It is impossible to know with certainty that the presence of Justice Scalia's larger-than-life influence might not have impacted the outcome of Hellerstedt beyond the addition of a fourth dissenting vote. In all likelihood, however, had Justice Scalia lived, the result would have been the same but by a five-to-four margin in favor of striking the challenged law.

Zubik v. Burwell

On March 23, 2016, the Court heard oral argument on whether the contraception coverage requirement under the Affordable Care Act (ACA) applies to religious institutions, such as religious nonprofit hospitals, charities and colleges. Some of these religious institutions objected to the "accommodation" exception to the mandate, which permits them to opt out of the requirement on the grounds that the requirement makes them complicit in a process that is contrary to their religious views and therefore in violation of the Religious Freedom Restoration Act. That law states that the government may not substantially burden the exercise of religious beliefs and must regulate using the least restrictive means. The religious institutions here argued that the opt-out system is not the least restrictive method of accommodating their religious objections.

To date, every federal appeals court to consider the question—but one, the Eighth Circuit—had upheld the ACA's mandate that enables women to obtain health coverage for birth control even when their employer avoids paying for such coverage by opting out due to religious objections. In other words, those appeals courts found that even when women's employers object to providing contraception coverage based on religious beliefs, those women need not seek birth control coverage through a means other than their religious institution's sponsored health plan (e.g., health insurance exchange under the ACA or a separate government-sponsored plan).

Zubik v. Burwell is the only healthcare case this term in which Justice Scalia's absence almost certainly was determinative, given early indications suggesting that the Court was facing a 4-4 tie. On March 29, 2016, shortly after oral argument, the Court took the highly unusual step of issuing an order asking the parties to develop methods by which contraceptive coverage could be provided without any active involvement by the petitioners. In response to this directive, both the Obama administration and the religious nonprofits, colleges and schools challenging the accommodation confirmed that contraceptive coverage could be provided to the challengers' female employees, through the challengers' insurance companies, without any notice from the challengers. Accordingly, the decisions of the courts of appeals rejecting the challenge were vacated and remanded in an 8-0 vote.

The Court stated that given the gravity of the dispute and the "substantial clarification and refinement in the positions of the parties," the parties on remand should be afforded an opportunity to arrive at an approach going forward that accommodates the challengers' religious exercise while at the same time ensuring that women covered by the challengers' health plans receive full and equal health coverage, including contraceptive coverage. This appears to be the latest example of what some commentators call Chief Justice Roberts' penchant for pragmatic, commonsense outcomes that earlier Courts would not have considered.

Universal Health Services v. United States ex rel. Escobar

On June 16, 2016, the Court decided the issue of when a knowing failure to comply with the law constitutes fraud against the government. Specifically, the issue was whether a party can be held liable for violating the federal False Claims Act (FCA) where that party has made a request for payment despite its noncompliance with applicable statutes, regulations or contract provisions that are material preconditions to payment, without explicitly making any false statement of fact. This case arguably had the most dollars at stake among the healthcare cases pending before the Court, as it had the potential to reduce or increase the number of FCA suits brought against providers and other companies—cases that come with high-dollar penalties. In 2015 alone, the Department of Justice recovered $1.9 billion in settlements and judgments from companies and individuals in the healthcare industry under the FCA.

In this case, the relator's daughter received state mental health benefits from a medical center, Universal Health, where counselors were not licensed by the state to provide mental health therapy, as was required by state regulations. Although Universal Health's invoices sought payment for services actually provided, the relator complained that the invoices were fraudulently submitted under the FCA because the services were provided by unlicensed counselors, in violation of state law.

Although the federal circuits were split on this issue, the Court's decision was unanimous. Some circuits had found that any knowing and material breach of a contract, statute, or regulation that can be viewed as a prerequisite to payment can give rise to liability, while others had rejected liability based on implied certification of compliance with regulations that are conditions of federal government program participation. The split had created confusion and uncertainty as to the circumstances for which fraud liability attaches.

The Court's unanimous opinion took the middle ground. The opinion, authored by Justice Clarence Thomas, held that the implied false certification theory can be a basis for FCA liability if a claim for payment makes specific representations about the services provided but fails to disclose noncompliance with material statutory, regulatory or contractual requirements that would render the claim for payment misleading. In spite of ruling that there is an implied certification theory that can serve as the basis of an FCA case, the Court specifically disagreed with the First Circuit's "extraordinarily expansive" interpretation of materiality under the FCA, instead explaining that the materiality standard here is "demanding," such that if the government pays a particular claim in full despite its actual knowledge that certain requirements were violated, that is very strong evidence that those requirements are not material. (For a more detailed look at Escobar and its implications, see the second story in this issue, "The FCA: Escobar Means More Than You Think.")

Gobeille v. Liberty Mutual Insurance Co.

Finally, one other major decision impacting healthcare was decided after Justice Scalia's death, in which the outcome also appears to have been unaffected by his absence. Gobeille v. Liberty Mutual Insurance Company raised the issue of whether a self-funded insurer should have to turn over certain information—such as on claims and member eligibility—to the State of Vermont for its all-payer database. The state argued that it needed the data to improve the cost and effectiveness of healthcare and that a ruling against it could limit reform efforts in other states with similar databases. The insurer argued that obligating all health insurers to provide such data violates the Employee Retirement Income Security Act (ERISA), which preempts any state law that may "relate to" an ERISA plan.

This case was heard on December 2, prior to Justice Scalia's death, but the opinion was not issued until March 1, shortly after his death. The Justices held that ERISA preempts the Vermont law in a 6-2 decision written by Justice Kennedy, meaning that, here as well, Justice Scalia's absence had no impact on the outcome of this case (and, given prior decisions, he almost certainly would have joined the majority). Justices Thomas and Breyer filed concurring opinions. Justice Ginsburg filed a dissenting opinion, in which Justice Sotomayor joined. The key point of Justice Kennedy's decision is that the regulations "could" create wasteful burdens (even though Vermont's regulation called for data in a standardized format that the insurer already uses).

The practical importance of this case, as a matter of healthcare regulation, is that, despite Justice Scalia's insistence to the contrary at oral argument, Justice Breyer's concurring opinion leaves the door ajar for the Department of Labor (DOL) to adopt regulations requiring the production of healthcare data to further the goals of the ACA. If the DOL were to follow this path, however, insurers would have a road map for challenging the regulation: the Court has held that ERISA preempts state regulation of those databases, and some Justices probably share Justice Scalia's view that its decision necessarily bars any such regulation.

Conclusion

In sum, Justice Scalia's death appears to have impacted the result in only a single major healthcare case this term: the Zubik v. Burwell matter. However, although President Obama has nominated a new Supreme Court candidate, the Republican Senate has proclaimed that it will not vote on a nominee until after the presidential election, meaning it is unlikely the ninth seat will be filled until after the 2016-2017 Supreme Court term is well under way. Therefore, there may be healthcare decisions in the future that will be impacted by Justice Scalia's death.

Key Takeaways From the Academic Nursing Leadership Summit

By Tom Enders, Senior Managing Director | Alex Morin, Manager | Brenda Pawlak, Managing Director

Editor's Note: In the March issue of "Health Update," Manatt Health introduced a new report prepared for the American Association of Colleges of Nursing (AACN) that examines the potential for an enhanced partnership between academic nursing and academic health centers around the imperative to advance integrated systems of healthcare, achieve improved health outcomes and foster new models for innovation. In the March article, we summarized key findings and recommendations from our research with a variety of stakeholders in academic health center (AHC) and non-AHC-affiliated institutions. We continue our series based on the white paper with a summary of the major takeaways from the Academic Nursing Leadership Summit, which provided important input into our final report. To download the full white paper, click here.

__________________________________________________

The Academic Nursing Leadership Summit, held August 2015, brought together deans from academic nursing and medicine; health system CEOs and CNOs; and leaders from AACN, Association of American Medical Colleges, universities, and the Veterans Health Administration nursing team. Participants engaged in a thorough discussion of the challenges of health reform, the imperative for health system transformation, and the opportunity for academic nursing leadership. Manatt Health facilitated the session, which yielded 10 major themes, each of which was developed and included in the final report:

  1. The traditional ways of doing business within AHCs must evolve, which will necessitate cultural change. Of particular importance will be enhanced communication, a focus on "we," and a commitment to mutual support among all the players. This will be a difficult cultural change, given that the schools of nursing, other professional schools and schools of medicine have become increasingly siloed.
  2. New organizational structures that more closely couple academic nursing with health systems will be important to facilitate the kind of successful integration that is a precursor to effective collaboration. The broad principle of alignment of interests along strategic, cultural, programmatic and governance dimensions should be pursued.
  3. The financial model of tuition driving academic nursing inhibits the strategic and aspirational role participants believe is possible. Nursing faculty typically focuses on teaching and is reluctant to take on positions of clinical responsibility, particularly without a financial support model. If academic nursing is to serve a transformative role, then the economic model must be put in place to provide resources—through clinical, research and educational support—to do so.
  4. Within academic nursing, there is a strong perception that physicians are overly dominant and that independence is necessary for nurses to achieve their full potential. Contemplating the pivotal role for nursing in the future, the issues of cultural and organizational bias that persist in our organizations must be addressed.
  5. Nursing needs to be at the table as AHCs develop their population health strategies and accountable care organizations. Leaders should be seeking new opportunities to connect their deans of nursing to other initiatives in their enterprise.
  6. Leadership development is a key long-term success factor for AHCs given trends in inter-professional, team-based clinical care and in multi-professional research programs that seek to translate discovery and innovation into practice. Approaches that identify and foster the development of future leaders—both through informal mentorship and formal educational programs—in the clinical, research and administrative realms are essential.
  7. Workforce planning efforts within AHCs through partnerships with the health system and its affiliated schools represent a major opportunity for collaboration:
    a. Significant opportunity exists within AHCs to link clinical enterprise workforce needs and planning to various academic programs to create a robust pipeline of clinicians prepared for the future of care delivery.
    b. There is a shortage of clinicians to support clinical trials and data integrity/analytic roles in AHCs, as well as a shortage of researchers in data science and implementation science.
  8. Research program capacity-building within academic nursing presents an important opportunity for alignment. Academic nursing should consider recruiting PhD investigators in emerging areas, including informatics, implementation science, health services research and patient safety/quality, which can increase the amount of grant dollars.
  9. The recommendations set forth are not without risk to those schools of nursing that operate in silos—strategically, programmatically and financially. With integration, shared leadership and shared governance comes shared accountability for success and failure.
  10. Policy issues at the federal and state levels, and possibly within professional societies that oversee the various stakeholder groups, are limiting. Specifically, we need to consider:
    a. Scope of practice,
    b. Reimbursement for advanced practice registered nurse (APRN) services, and
    c. National Institutes of Health (NIH) and other public programs to support nursing-focused and multi-professional research.

Building a Strong Partnership

The participants in this first summit agreed that an enhanced partnership between academic nursing and academic health centers will yield tremendous benefits across all three missions of academic health centers—clinical care delivery, research and teaching. AHCs are in the midst of a significant transformation in clinical care delivery and in the evolution and integration of research and education programs. Academic nursing can contribute materially to the success of this transformation. Similarly, academic nursing has unrealized potential to grow as a center for research and clinical innovation, contributing to the ultimate goal of advancing health.

The following challenges must be met to achieve a new partnership:

  • Academic nursing faculty must have a deeper involvement in clinical practice and more opportunity to engage in the clinical innovation that evolving academic health systems need.
  • Research programs across academic nursing, health systems, academic medicine and other professional schools must be fostered, particularly around patient- and community-oriented research.

Overcoming these challenges will require a paradigm shift in how academic and clinical programs across health sciences schools and the clinical enterprise organize and align themselves. Academic nursing needs to reflect on its aspirations and reorient to these themes, and make a compelling business case for investment, both nationally and within each institution.

California Supreme Court Clarifies Constitutional Limits on Punitive Damages

By John LeBlanc, Partner, Healthcare Litigation | Andrew Struve, Partner, Healthcare Litigation | Michael Godino, Associate, Litigation

In Brandt v. Superior Court, the California Supreme Court held that when a plaintiff proves that an insurance company withheld policy benefits in bad faith, attorneys' fees reasonably incurred to compel payment of the benefits are recoverable as an element of damages. 37 Cal. 3d 813, 815 (1985). Such fees often are referred to as "Brandt fees." Recently, in Nickerson v. Stonebridge Life Insurance Company, 371 P.3d 242 (Cal. 2016), the court clarified the circumstances in which Brandt fees constitute compensatory damages for purposes of determining whether an accompanying award of punitive damages is unconstitutionally excessive. Specifically, the court considered whether Brandt fees are "properly included as compensatory damages where the fees are awarded by the jury, but excluded from compensatory damages when they are awarded by the trial court after the jury has rendered its verdict." Id. at 246.

Brandt Fees

The court in Brandt explained that when an insurer breaches the implied covenant of good faith and fair dealing by failing to pay a covered loss, "the insurer is liable for any damages which are the proximate result of that breach." 37 Cal. 3d at 817 (internal quotation marks omitted). Thus, "[w]hen an insurer's tortious conduct reasonably compels the insured to retain an attorney to obtain the benefits due under a policy, it follows that the insurer should be liable in a tort action for that expense. The attorney's fees are an economic loss—damages—proximately caused by the tort." Id.

Brandt further explained that because "the attorney's fees are recoverable as damages, the determination of the recoverable fees must be made by the trier of fact unless the parties stipulate otherwise." Id. at 819. It noted that "[a] stipulation for a postjudgment allocation and award by the trial court would normally be preferable since the determination then would be made after completion of the legal services [citation], and proof that otherwise would have been presented to the jury could be simplified because of the court's expertise in evaluating legal services." Id. at 819-20.

Constitutional Limits on Punitive Damages

The U.S. Supreme Court has explained that there are procedural and substantive constitutional limitations on punitive damages awards. State Farm Mut. Auto. Ins. Co. v. Campbell, 538 U.S. 408, 416 (2003). The Due Process Clause of the Fourteenth Amendment "prohibits the imposition of grossly excessive or arbitrary punishments on a tortfeasor." Id. To ensure that unconstitutional punishment is not imposed in the form of punitive damages, the Court has set forth three "guideposts" for courts to consider in reviewing punitive damages awards: "(1) the degree of reprehensibility of the defendant's misconduct; (2) the disparity between the actual or potential harm suffered by the plaintiff and the punitive damages award; and (3) the difference between the punitive damages awarded by the jury and the civil penalties authorized or imposed in comparable cases." The second guidepost was primarily at issue in Nickerson. Id. at 418 (citing BMW of N. Am., Inc. v. Gore, 517 U.S. 559, 575 (1996)).

Although the Court has declined to "impose a bright-line ratio which a punitive damages award cannot exceed," it has concluded that "in practice, few awards exceeding a single-digit ratio between punitive and compensatory damages, to a significant degree, will satisfy due process." State Farm, 538 U.S. at 425. Following the Court's guidance, the Supreme Court of California has explained that "ratios between the punitive damages award and the plaintiff's actual or potential compensatory damages significantly greater than 9 or 10 to 1 are suspect and, absent special justification . . . , cannot survive appellate scrutiny under the due process clause." Simon v. San Paolo U.S. Holding Co., 35 Cal. 4th 1159, 1182 (2005).

Nickerson v. Stonebridge Life Insurance Company

The court in Nickerson applied the above well-settled legal principles to the following question: Are Brandt fees awarded by a trial court after the jury has rendered its verdict properly considered "compensatory damages" for purposes of calculating the "9 or 10 to 1" ratio? If so, that in turn increases the constitutionally permissible amount of punitive damages.

The plaintiff in Nickerson was insured under a hospital indemnity policy issued by defendant Stonebridge Life Insurance Company (Stonebridge). The plaintiff sued Stonebridge for bad faith withholding of policy benefits. The parties stipulated before trial that if plaintiff succeeded on his complaint, the trial court could determine the amount of attorneys' fees to which plaintiff was entitled under Brandt. At trial, neither party presented evidence to the jury regarding the claim for, or amount of, Brandt fees.

The jury found in favor of plaintiff on his bad faith cause of action and awarded him $35,000 in damages for emotional distress. The jury also found that Stonebridge had "engage[d] in the conduct with fraud" and awarded $19 million in punitive damages. The parties then stipulated that the amount of attorneys' fees to which plaintiff was entitled under Brandt was $12,500, and the court awarded that amount.

The trial court applied the case law discussed above and held that it was bound to reduce the punitive damages award so that the ratio of punitive to compensatory damages did not exceed 10 to 1. Critically, in calculating this ratio, the trial court excluded the Brandt fees and considered only the $35,000 awarded as compensatory damages for emotional distress. It thus found the maximum permissible punitive damages award to be $350,000. The Court of Appeal affirmed.

The California Supreme Court reversed the lower courts. It first noted that Stonebridge did not dispute that Brandt fees ordinarily qualify as compensatory damages for purposes of applying the second Gore guidepost—a conclusion that "follows from Brandt itself." Nickerson, 371 P.3d at 248. Instead, Stonebridge argued that the purpose of the three-factor analysis laid out by the U.S. Supreme Court is to permit courts to identify punitive damages awards that are tainted by irrational or arbitrary jury decision making, and only evidence presented to the jury properly has a role in that inquiry. According to Stonebridge's argument, Brandt fees determined by the trial court post-verdict must be excluded from the calculation.

The court rejected Stonebridge's argument, stating that it "misconceive[d] the nature of the Gore inquiry." That inquiry does not regulate the jury's decision-making process in the way certain other limitations do,1 but is instead aimed at ensuring that "the state ultimately does not impose an award whose size exceeds constitutional limits" on the state's power to punish. If a reviewing court concludes that the jury's punitive damages award is excessive, the remedy is not to set the award aside, as would be the case if there were a defect in the way the jury reached its decision. Rather, the remedy would be to reduce the award to constitutional limits. Therefore, the court concluded that "there is no apparent reason why a court applying the second guidepost may not consider a postverdict compensatory damages award in its constitutional calculus." Id. at 248-49.

In so holding, the Nickerson court disapproved the Court of Appeal's decision in Amerigraphics, Inc. v. Mercury Casualty Co., 182 Cal. App. 4th 1538 (2010). While Amerigraphics held that the trial court had properly excluded Brandt fees awarded by the court after the jury verdict on punitive damages, id. at 1565, the court in Nickerson noted that the decision was made "without further elaboration or citation." 371 P.3d at 246.

Finally, the court rejected Stonebridge's argument that the jury's verdict was invalid because the jury was unaware of a substantial component of harm the plaintiff had suffered. Stonebridge gave this argument "little more than a passing nod, . . . presumably because Stonebridge itself invited this state of affairs when it stipulated to a postverdict determination of Brandt fees and raised no objection to the jury returning a punitive damages verdict in the absence of evidence about the fees." Having consented to, or at least acquiesced in, this procedure, Stonebridge had forfeited any argument that the procedure itself was legally impermissible. Id. at 248.

The court acknowledged Stonebridge's concern, but noted that the jury's ignorance about Brandt fees could cut both ways. On the one hand, if the jury heard evidence that the plaintiff suffered even more harm than it previously thought, it might have decided to award even greater punitive damages. On the other hand, the defendant could argue that the Brandt fees would have a deterrent effect on future misconduct, and that punitive damages should be reduced accordingly. Id. at 250.

Takeaways

The considerations in the preceding paragraph are ones both parties should take into account when determining whether to stipulate to trial court determination of Brandt fees if the plaintiff prevails on a bad faith claim. To the extent there was a possibility pre-Nickerson that reaching such a stipulation might reduce the constitutionally permissible amount of punitive damages, that possibility no longer exists. However, the court in Nickerson recited Brandt's preference for a stipulation, which (1) allows the determination to be made after legal services are completed, (2) simplifies the evidence presented to the jury, and (3) places the determination in the hands of the court, which has "expertise in evaluating legal services." Id. at 248.

1."For example, the jury must be adequately informed of the nature and purposes of punitive damages in order to reasonably accommodate the defendant's interest in rational decision making." Id. at 249 (internal quotations and alterations omitted).

Steering and Its Broad Implications for Payer-Hospital Negotiations

By Lisl J. Dunlop, Partner, Litigation | Shoshana Speiser, Associate, Litigation

Last month, the U.S. Department of Justice's Antitrust Division (DOJ) and the North Carolina Attorney General sued Carolinas HealthCare System (CHS) in North Carolina District Court alleging that CHS exercised its dominant market power to prevent insurers from steering patients to its lower-cost competitors. United States of America v. Charlotte-Mecklenburg Hosp. Authority, Case No. 3:16-cv-00311 (W.D.N.C. June 9, 2016). This is the DOJ's second challenge to anti-steering rules and the first in the healthcare sector. Regardless of the outcome, the case may have broad implications for payer-hospital negotiations.

CHS is a not-for-profit hospital corporation with ten general acute care hospitals in the greater Charlotte area. CHS's $8.7 billion revenue in 2014 was more than double that of its closest competitor which owns five general acute care hospitals.

According to the complaint, CHS exercised its market power to contractually impose anti-steering restrictions on insurers in order to protect its revenues. Steering in the healthcare context involves an insurer incentivizing a consumer to use or not use a particular facility or provider. Often, this takes the form of providing a financial incentive for the consumer to use a lower-cost provider or network. According to the complaint, steering induces price competition and threatens high prices and revenues. The challenged provisions include prohibitions of narrow insurance networks that exclude CHS or tiered networks that place competing hospitals into the same top tier as CHS.

The complaint alleges that CHS has market power in the Charlotte area because of its 50 percent market share, extensive range of healthcare services, and insurers' need to include access to CHS in at least some of their provider networks. As further proof of CHS's market power, the DOJ cited CHS's ability to demand higher reimbursement rates and impose restrictions on insurers. The DOJ also quoted a CHS internal document stating that CHS "has enjoyed years of annual reimbursement rate increases that are premium to the market, with those increases being applied to rates that are also premium to the market."

While CHS has not denied including anti-steering provisions in its contracts, it maintains that it has "neither violated any law nor deviated from accepted healthcare industry practices for contracting and negotiation."1 CHS also stated that it is committed to making healthcare more affordable, perhaps foreshadowing to an efficiencies argument on the importance of keeping patients within the system.

On its previous anti-steering challenge—the American Express case—the DOJ succeeded at the district court level, but the appeal is pending, and in December 2015, the Second Circuit temporarily stayed the district court's permanent injunction. In that case, American Express argued that its anti-steering rules were critical to its ability to compete with the bigger players in the credit card industry, Visa and MasterCard, and fund its rewards programs.

Conclusions

The CHS case will likely address whether anti-steering practices are common and whether they result in efficiencies or improve the quality of care. Critics are doubtful that such provisions are widely formalized in writing and question CHS's ability to construct a compelling justification. As discussed in our last article, however, the Federal Trade Commission's (FTC's) recent losses in the hospital merger arena may reflect courts' increased openness to consider efficiency justifications for decisions that seem anticompetitive to regulators. Regardless of the outcome, this case will have broad implications for payer-hospital negotiations and the degree to which either party controls where patients get treated.

1. Press Release, Carolinas HealthCare System Statement Regarding the U.S. Department of Justice Civil Action (June 9, 2016), available at http://www.carolinashealthcare.org/body.cfm?id=14&action=detail&ref=1060.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Manatt, Phelps & Phillips, LLP | Attorney Advertising

Written by:

Manatt, Phelps & Phillips, LLP
Contact
more
less

Manatt, Phelps & Phillips, LLP on:

Readers' Choice 2017
Reporters on Deadline

Related Case Law

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide

JD Supra Privacy Policy

Updated: May 25, 2018:

JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.

This Privacy Policy describes how JD Supra, LLC ("JD Supra" or "we," "us," or "our") collects, uses and shares personal data collected from visitors to our website (located at www.jdsupra.com) (our "Website") who view only publicly-available content as well as subscribers to our services (such as our email digests or author tools)(our "Services"). By using our Website and registering for one of our Services, you are agreeing to the terms of this Privacy Policy.

Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the "My Account" dashboard (available if you are logged into your JD Supra account).

Collection of Information

Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account ("Registration Data"), such as your:

  • Email
  • First Name
  • Last Name
  • Company Name
  • Company Industry
  • Title
  • Country

Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.

Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.

Your interactions with our Website and Services: As is true of most websites, we gather certain information automatically. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data. We use this information to analyze trends, to administer the Website and our Services, to improve the content and performance of our Website and Services, and to track users' movements around the site. We may also link this automatically-collected data to personal information, for example, to inform authors about who has read their articles. Some of this data is collected through information sent by your web browser. We also use cookies and other tracking technologies to collect this information. To learn more about cookies and other tracking technologies that JD Supra may use on our Website and Services please see our "Cookies Guide" page.

How do we use this information?

We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:

  • Operate our Website and Services and publish content;
  • Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
  • Measure readership and usage of the Website and Services;
  • Communicate with you regarding your questions and requests;
  • Authenticate users and to provide for the safety and security of our Website and Services;
  • Conduct research and similar activities to improve our Website and Services; and
  • Comply with our legal and regulatory responsibilities and to enforce our rights.

How is your information shared?

  • Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
  • If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
  • Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
  • Our Website may offer you the opportunity to share information through our Website, such as through Facebook's "Like" or Twitter's "Tweet" button. We offer this functionality to help generate interest in our Website and content and to permit you to recommend content to your contacts. You should be aware that sharing through such functionality may result in information being collected by the applicable social media network and possibly being made publicly available (for example, through a search engine). Any such information collection would be subject to such third party social media network's privacy policy.
  • Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
  • Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
  • To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.

How We Protect Your Information

JD Supra takes reasonable and appropriate precautions to insure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at privacy@jdsupra.com.

Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR") In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to privacy@jdsupra.com. We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to privacy@jdsupra.com.

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at: privacy@jdsupra.com.

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at www.jdsupra.com) (our "Website") and our services (such as our email article digests)(our "Services") use a standard technology called a "cookie" and other similar technologies (such as, pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit legal.hubspot.com/privacy-policy.
  • New Relic - For more information on New Relic cookies, please visit www.newrelic.com/privacy.
  • Google Analytics - For more information on Google Analytics cookies, visit www.google.com/policies. To opt-out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout. This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit http://www.aboutcookies.org which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time-to-time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at: privacy@jdsupra.com.

- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.