Health Update - June 2017

Manatt, Phelps & Phillips, LLP

In This Issue:

  • HIPAA and Emerging Technologies
  • Protecting Privacy in the Digital Age: Key Questions Answered
  • Suit Over Hospitals’ Alleged Anticompetitive Marketing Sent to Trial
  • Few Medicare Part D Plans Offer Vaccines Without Cost-Sharing

HIPAA and Emerging Technologies

By Jill DeGraff, Partner, Manatt Health | Helen Pfister, Partner, Manatt Health | Randi Seigel, Counsel, Manatt Health

Editor’s Note: According to a HIMSS Mobile Technology Survey of healthcare provider employees, about 90% say they are using mobile devices to engage patients in their healthcare—and 36% believe app-enabled patient portals are the most effective patient engagement tool. A Spyglass Consulting Report reveals that an astounding 96% of physicians use text messaging for patient care coordination—and 30% say they’ve received protected health information (PHI) via text.

Clearly new technologies are transforming healthcare. In a recent webinar, Manatt Health examined how to benefit from these powerful new tools while analyzing the risks under the Health Insurance Portability and Accountability Act (HIPAA). In the first of a two-part series, Manatt summarizes below key insights shared on the enforcement landscape, HIPAA rules and best practices around six technologies—portals, email, bring your own device (BYOD), texting, mobile apps and the Internet of Things (IoT). Click here to view the full webinar free on demand—and here to download a free copy of the presentation.

_____________________________________________

The Enforcement Landscape and the Trump Administration

Cybersecurity is a high priority across the Trump administration. In April, the Department of Health and Human Services (HHS) announced that it will establish a cyberthreat nerve center, modeled after Homeland Security’s National Cybersecurity and Communications Integration Center, to assess cyberthreats and share best practices. This move reflects the acknowledgment that healthcare is a critical part of our infrastructure with national security implications.

The new director for the HHS Office of Civil Rights (OCR), Roger Severino, has declared that his office’s enforcement actions will adapt to new data security threats, including those raised by ransomware, interoperability and mobile apps. The OCR audits—which began Phase 1 in 2011—position OCR for stricter enforcement. Phase 1 uncovered a number of weaknesses threatening HIPAA compliance across key areas, including risk analysis and management, content and timeliness of breach notifications, notices of privacy practices, individual access, privacy standards, device/media controls, training and transmission security.

The OCR now has begun Phase 2 audits. Added focus areas include an inventory of devices and other information system (IS) assets; evidence of IS audit logs, access reports and security incident tracking; and an inventory of business associates.

Civil Penalties

The OCR’s enforcement tools include civil monetary penalties and the requirement to establish a corrective action plan. Penalties can range from a minimum of $100 (when there is no knowledge of the violation) up to a maximum of $50,000 per violation, capped at $1.5 million annually for each identical violation.

The OCR can use statistical sampling to establish a prima facie case for the number of violations. It also can consider several aggravating or mitigating factors in its calculations, including the number of people affected, the length of time during which the violation occurred, the nature of the harm, the history of prior compliance, and the size of the covered entity or business associate.

Why Is Health the Target of Cyberattacks?

The nature of PHI makes health a prime target for cyberattacks. PHI contains immutable identifiers—such as birth dates and Social Security numbers. Consequently, PHI has higher value on the black market than, for example, credit card information.

To compound the problem, the healthcare industry has invested less in cybersecurity than other sectors have, making it a prime target. In 2015, records of about 100,000 patients were compromised by cyberattacks against healthcare organizations. In May 2017, a ransomware attack infected tens of thousands of computers in 100 countries. The threat to patient safety makes providers particularly vulnerable to ransomware attacks.

Defining the Terms

In discussing HIPAA compliance in relation to new technologies, it’s important to understand the terms:

  • PHI is defined under HIPAA as any individually identifiable health information that is transmitted or maintained in any form or medium by a covered entity. PHI includes limited data sets (a set of information that includes certain identifiers). It does not include de-identified information (information from which identifying information has been removed and which cannot be re-identified).
  • Covered entities include healthcare providers, health plans and healthcare clearinghouses.
  • Business associates are individuals or entities that create, receive, maintain or transmit PHI on behalf of a covered entity for functions under the HIPAA Rule or that provide certain types of services to a covered entity.

Tech vendors generally are considered business associates. There is, however, an exception for tech vendors that serve solely as conduits for PHI and only have transient access to the protected information, such as broadband providers or cellular carriers.

Whether mobile app developers are business associates depends on the services they provide. If they are creating, receiving, maintaining or transmitting PHI, they would be considered business associates. If there is uncertainty, it’s better to err on the side of caution and assume a mobile app developer that touches PHI is a business associate.

Understanding the Security Rule

The HIPAA Privacy Rule contains requirements regarding paper and electronic PHI (ePHI), while the Security Rule addresses only ePHI. The Security Rule requires covered entities to establish three types of safeguards to protect ePHI:

  1. Administrative safeguards are administrative actions, policies and procedures that are designed to manage a covered entity’s implementation of security measures. For example, one standard under the administrative safeguard category requires covered entities to establish security management processes to prevent, detect and correct security violations.
  2. Physical safeguards are physical measures to protect covered entities’ ePHI, such as restricting workstation access to authorized individuals and controlling the introduction or removal of hardware and software to ensure there are no breaches.
  3. Technical safeguards address the technology processes that covered entities must implement to protect ePHI. Technical safeguards include access control, such as establishing a unique ID for each user. They also cover integrity provisions that are designed to ensure that ePHI is protected from improper alteration or destruction.

Implementation specifications can be required or addressable. A covered entity must implement required specifications. In contrast, the covered entity can determine what is reasonable in the context of its operations to implement an addressable standard. If a covered entity determines not to implement an addressable specification, it must document the reasons for its decision and, if appropriate, implement an equivalent alternative measure.

In addition to requiring the three categories of safeguards, the Security Rule also imposes certain organizational requirements. Covered entities must (1) have reasonable and appropriate policies and procedures in place to comply with the Security Rule; (2) maintain a written record of any actions, activities or assessments required by the Security Rule; (3) have business associate agreements in place; and (4) retain all documentation for at least six years.

HIPAA’s Breach Notification Rule

A breach is defined as the acquisition, access, use or disclosure of PHI in a way that is not permitted by the Privacy Rule and that compromises the PHI’s privacy or security. The OCR, which oversees HIPAA, presumes that any loss of unencrypted data is a reportable breach. Therefore, all covered entities must have breach identification policies in place that require reporting any breach within a reasonable time frame—certainly within 60 days of discovery. A breach is deemed to be “discovered” on the first day that it is known to the covered entity or would have been known by exercising reasonable diligence.

Any unauthorized use or disclosure of PHI is presumed to be a breach. The burden is on the covered entity to evaluate a potential breach and determine whether or not an actual breach has occurred.

Communication Technology Trade-offs

There are trade-offs between making it easy for providers and patients to use familiar channels to communicate, such as email and texting, and protecting ePHI from improper disclosure. Below are the advantages, disadvantages and risks six technologies present, with tips on how organizations can protect themselves.

Patient Portals

Patient portals generally present the fewest HIPAA security concerns because most were built to comply with HIPAA and meaningful use requirements. They meet patient and physician demands, because they provide 24/7 access—although that access can be clunky. Through portals, providers can control the content that is shared with patients, as well as determine what is accessed and by whom in order to create full audit and access logs.

Portals also offer clear terms of service and privacy notices, as well as transparency around how providers will use the data. In addition, patients have to affirmatively consent to sign up and use the portal. Finally, portals factor in strong HIPAA safeguards through user authentication, including unique usernames and passwords.

Portals also have some disadvantages, however. Because authentication requires patients to remember yet another login and password, patients have been slow to adopt portals. In addition, portals can be costly and complex to implement, discouraging innovation. To ensure optimal use, it’s important to have clear policies in place around use of the portal.

Email

Email offers major advantages. It is easy to adopt, can be uploaded to electronic health records (EHRs) and can be encrypted. Patients also can consent to receive unencrypted information. The OCR’s HIPAA “frequently asked questions” page clearly indicates that the Privacy Rule allows covered entities to communicate electronically, such as through email, with their patients, provided they apply reasonable safeguards.

Email also presents some disadvantages and risks. It’s impossible to authenticate the user through a unique name or password or to verify that the email’s recipient is the person for whom it was intended. In addition, there are issues around transmission security. If encrypted email is utilized to address transmission security, then patients need to install a program to view encrypted emails, presenting a barrier to communication. Other risks include integrity control, given that email content (including the sender information) can be easily changed; servers residing outside the United States, where there may be limited information about HIPAA and other controls; and the potential for PHI-sensitive emails to appear on the Internet.

There are many steps organizations can take to protect themselves when using email to communicate with patients, including:

  • Obtaining patient consent to communicate with them via email
  • Developing a “light warning” disclosure of possible security risks as part of the patient consent
  • Creating protocols and practices for communicating PHI via email
  • Restricting the use of personal email by the care team
  • Removing the patient’s name, initials or medical record number from the subject line
  • Ensuring highly sensitive information, such as Social Security numbers, is never included in any part of an email
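A pre-send policy check that enforces the email safeguards listed above (consent on file, an organizational rather than personal sender address, no patient name, initials or medical record number in the subject line, and no Social Security number anywhere in the message). This is an added example, not code from the article or the webinar; the patient record, addresses, organization domain and SSN pattern are all constructed assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class Patient:
    """Constructed patient record (hypothetical fields, not from the article)."""
    name: str
    initials: str
    mrn: str            # medical record number
    email: str          # address the patient consented to be contacted at
    email_consent: bool  # affirmative consent given after the "light warning" disclosure


@dataclass
class OutgoingEmail:
    sender: str
    recipient: str
    subject: str
    body: str


# Dashed or space-separated 9-digit SSN. Assumed pattern; widen it if your data uses other formats.
SSN_RE = re.compile(r"\b\d{3}[- ]\d{2}[- ]\d{4}\b")


def _contains_token(text, token):
    """Whole-word, case-insensitive match so initials like 'JD' do not hit 'adjust'."""
    return re.search(r"\b" + re.escape(token) + r"\b", text, re.IGNORECASE) is not None


def check_email(msg, patient, org_domain):
    """Return policy findings for an outgoing patient email; an empty list means it may be sent."""
    findings = []
    if not patient.email_consent:
        findings.append("no documented patient consent to communicate via email")
    if msg.recipient.lower() != patient.email.lower():
        findings.append("recipient address does not match the address on file for the patient")
    # Restrict the care team to organizational mail: flag any sender outside org_domain.
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    if sender_domain != org_domain.lower():
        findings.append(f"sender {msg.sender} is not on the organization's domain (personal email?)")
    # Subject lines travel in clear text in logs and notifications, so keep identifiers out of them.
    for label, token in (("name", patient.name),
                         ("initials", patient.initials),
                         ("medical record number", patient.mrn)):
        if _contains_token(msg.subject, token):
            findings.append(f"subject line contains the patient's {label}")
    if SSN_RE.search(msg.subject) or SSN_RE.search(msg.body):
        findings.append("message contains what looks like a Social Security number")
    return findings


def redact_subject(subject, patient):
    """Replace the patient's name, initials and MRN in a subject line with a neutral marker."""
    out = subject
    for token in (patient.name, patient.initials, patient.mrn):
        out = re.sub(r"\b" + re.escape(token) + r"\b", "[redacted]", out, flags=re.IGNORECASE)
    return out


# Constructed sample data for a stand-alone run.
ORG_DOMAIN = "example-health.org"
PATIENT = Patient(name="Jane Doe", initials="JD", mrn="4471923",
                  email="jane.doe@example.com", email_consent=True)
BAD = OutgoingEmail(sender="dr.smith@gmail.com", recipient="jane.doe@example.com",
                    subject="Jane Doe MRN 4471923 - lab results",
                    body="Your SSN on file is 123-45-6789. Results attached.")
GOOD = OutgoingEmail(sender="dr.smith@example-health.org", recipient="jane.doe@example.com",
                     subject="Your recent visit",
                     body="Your results are available in the patient portal.")

if __name__ == "__main__":
    for label, msg in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, check_email(msg, PATIENT, ORG_DOMAIN) or "OK to send")
    print("redacted subject:", redact_subject(BAD.subject, PATIENT))
```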

Bring Your Own Device (BYOD)

Employees are increasingly using their own devices at work. There are many advantages to this approach, including a high adoption rate, as people always have their phones with them; cost and time savings, since there is no need to educate people on how to use their own devices; and native technologies already on the phones that can be used for patient and provider communications.

There are several disadvantages, as well. Obviously, the less secure personal devices are, the greater an organization’s risk for PHI breaches. In addition, unless a mobile device management tool is installed on each phone, there is limited ability to enforce passwords or authentication; protect the devices; wipe the devices; or disable phones, if they are lost.

In considering implementing a BYOD approach, the first step is to evaluate and document the risks and benefits. Even if an organization decides to implement a BYOD policy, it may not make sense for all employees to participate. For example, organizations may want to require individuals with access to particularly sensitive and/or highly regulated information to use company-controlled devices for professional and patient communications. Other best practices include creating a detailed policy; incorporating the employer’s right to access, monitor and audit devices; ensuring staff is trained on the policy and documenting their signed agreement to comply with its terms; enforcing the use of strong passwords; installing mobile device management tools; and creating an off-boarding process to ensure the removal of any ePHI.

Texting

Texting is commonplace in many organizations—and drafting an official texting policy, permitting or not permitting it, is an essential part of a HIPAA compliance program. Texting offers many advantages, including increased patient engagement, easy adoption and faster response than email. It also provides greater access control, since people control access to their phones—and typically don’t text from any other devices. In addition, cyberthreats are difficult to execute with SMS texting.

As with all approaches, however, there are risks as well as benefits. Secure messaging apps require web-accessible devices or smartphones and may require usernames and passwords. There are also added HIPAA compliance responsibilities for tech vendors and downstream business associates. In addition, traditional SMS is not encrypted, and while cyberthreats are difficult to execute, when they do occur they’re hard to detect. Finally, full texts appear even on locked screens, opening up the potential for inadvertent disclosure.

When communicating through text, it is critical to obtain patient consent. In addition, it is important to document the information that was communicated via text in the patient’s medical record. Other best practices include evaluating the use of public messaging platforms; properly wiping mobile devices after they have been discontinued for work; and taking an inventory of all mobile devices used for texting PHI, whether provider or employee-owned.

Does the Office of the National Coordinator (ONC) for Health Information Technology say that organizations can use texting to communicate health information? The answer is that it depends. Text messages are generally not secure, and the sender does not know for certain that the intended recipient received the message. However, the ONC confirmed that organizations may approve texting after performing a risk analysis or implementing a third-party solution that incorporates measures to establish a secure communication platform.

Despite the risks, the ONC recognizes the value in texting. There’s a growing body of evidence that texting is an effective way to promote health, drive behavioral change, manage chronic diseases, encourage medication adherence, support prenatal care, and motivate weight loss and physical activity. Participants in text pilots report high user satisfaction and positive self-reported behavioral changes. Program managers find increased enrollment rates when participants are able to “opt in” immediately to a texting program.

In contrast, pilots show significantly lower rates of adoption when potential enrollees provided their contact information and consent in writing through a third party, who then entered the enrollment information and set up the texting capabilities. The time lag between setup and confirmation, the provision of incorrect or incomplete information by potential participants, and the lack of direct engagement in the enrollment process all led to the lower adoption rates.

When implementing texting, it is important to consider whether encrypted texting is reasonable for a given context and will increase patient engagement. If encryption won’t bring added benefits, unencrypted texting may be most appropriate.

Texting: Not Just a HIPAA Concern

There is overlapping jurisdiction with the Federal Communications Commission (FCC) when HIPAA-covered entities use SMS text messaging. A text message is treated like any other call made to a residential line or a cellular phone and brings an additional consumer protection into play—the Telephone Consumer Protection Act (TCPA). Even if a text’s content is permissible under HIPAA, the TCPA restricts the use of an automatic telephone dialing system to call a cellular phone number without the recipient’s prior express consent.

If a message is informational and noncommercial, individuals “who knowingly release their phone numbers have in effect given their invitation or permission to be called at the number which they have given, absent instruction to the contrary.” According to Hudson v. Shape Healthcare (9th Circuit), the call need not be made “for the exact purpose for which the number was provided,” as long as the call bears some relation to the product or service for which the number was given. It is important to be cautious, however, because there is a wide range of court decisions and findings.

Developing a Policy for Texting

Organizations that permit SMS texting must develop policies and procedures, both for texting with patients and for texting among professionals. Policies should include workforce training on the appropriate use of work-related texting, at a minimum, as part of compliance training programs to ensure there are annual reminders to clinicians. In addition, organizations should maintain device and media controls for mobile devices of professionals who create, receive or maintain text messages. Policies also should delineate permitted use cases, detailing when texting is permitted and placing limits on the types of PHI that can be shared via text.

All policies and procedures should encourage more secure alternatives for communicating highly sensitive information. If organizations have patient advisory councils, they should be part of the discussions around risks and benefits and participate in the policymaking process.

When developing a policy specific to patients, it’s important to include procedures for verifying phone numbers and authenticating identity; decide on the scope and form of consent (i.e., opt-in requirements); and disclose to patients that they will be receiving unsecured messages, as well as inform them about opt-out procedures. When designing policies for texting between professionals, consider using a HIPAA-secured platform to support care team collaboration, secure devices to allow native features but prevent photo storage, implement device controls, prohibit texting medical orders, and reinforce the need to document texts in medical charts.

Mobile Apps

Mobile apps offer a wealth of advantages. They provide user-centric solutions and optimize the use of native device technologies, such as cameras. In addition, cloud-based platforms provide access to state-of-the-art security and robust computing power. They also bring cost efficiencies through flexibility that allows covered entities to start with small pilots and scale up, as needed.

Apps also come with some disadvantages. As more technologies are introduced, there is a multiplier effect in the challenges of compliance management that also can affect downstream business associates. In addition, there is no one-size-fits-all approach to implementing security safeguards.

There are best practices to protect organizations communicating through mobile apps. It is critical to evaluate the technology environment in which the app is providing a service and perform an appropriate risk analysis. It also is essential to develop app-specific policies and procedures within the context of the risk framework, as well as within an organization’s broader governance framework. This process includes actively engaging the stakeholders who will be using the app, both to gather input and to provide training.

The Internet of Things (IoT)

The IoT offers significant benefits. Generally speaking, these are medical-grade devices subject to Food and Drug Administration (FDA) cybersecurity standards. They very often will be tied to making a clinically relevant decision, so it is crucial that they are secure and that there are appropriate policies and procedures in place. Organizations should be diligent in ensuring providers and vendors are adhering to all the safeguards in the Security Rule.

The IoT also presents undetected vulnerabilities and risks, particularly around device inventory and management, firmware patches and updates, and transmission security. In addition, there are challenges around the need to wipe ePHI between deployments.

As with all the new technologies, the best protection for an organization is to clearly define device management procedures. There should be satisfactory assurances that there is full compliance with the FDA’s Quality System Regulation.

Coming Next Month…

In next month’s “Health Update,” we will feature part 2 of our “HIPAA and Emerging Technologies” summary, focused on evaluating and contracting with vendors, as well as reviewing compliance strategies.

Protecting Privacy in the Digital Age: Key Questions Answered

By Jill DeGraff, Partner, Manatt Health | Helen Pfister, Partner, Manatt Health | Randi Seigel, Counsel, Manatt Health

Editor’s Note: During our recent webinar on “HIPAA and Emerging Technologies,” we received so many compelling questions from our more than 600 registrants that there was not enough time to cover them all. Below we respond to some of the most commonly asked questions that we didn’t get the chance to address during the program. (See the article above for part 1 in our series summarizing the webinar’s content.)

Click here to view the full webinar free on demand—and here to download a free copy of the presentation.

_____________________________________________

Question 1: What should a consent contain that authorizes a covered entity to communicate with a patient over email?

Answer 1: Neither the Health Insurance Portability and Accountability Act nor the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS)—the agency that interprets and enforces HIPAA—requires a patient to provide consent prior to a covered entity communicating with that patient via email. However, HIPAA does require the application of reasonable safeguards when communicating with patients via email to ensure they are aware of the risks involved. Therefore, as a best practice, covered entities should obtain affirmative consent from patients before initiating email communications.

On its HIPAA Frequently Asked Questions (FAQ) page, the OCR says:

“Patients may initiate communications with a provider using e-mail. If this situation occurs, the healthcare provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.”1

The FAQ provides clear guidance on the specific information that covered entities should include when obtaining patient consent:

  • The risks associated with using unencrypted email. (A third party may be able to access and read the information, since it is transmitted over the Internet.)
  • The risks of having treatment information included in emails. (Someone other than the intended recipient may be able to access the email account and read the message.)
  • The patient’s right to revoke consent.
  • The avoidance of using email to address urgent medical matters.

In the HIPAA FAQ, the OCR also states that if a patient specifically requests that a covered entity communicate with him or her via email, the covered entity should acquiesce:

“…an individual has the right under the Privacy Rule to request and have a covered healthcare provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a healthcare provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.”

In short, the OCR guides covered entities to follow the communication preferences of their patients. If the patient prefers email communication, the provider should accommodate that request, as long as it is reasonable. Conversely, if the patient is not comfortable with unencrypted email, the provider should offer a more secure alternative. As a practice tip, we recommend that very sensitive information, such as Social Security numbers, diagnosis information and substance abuse treatment information, not be communicated over email given the heightened risks associated with inadvertent disclosures of this information.

Question 2: What are the risks of maintaining PHI on servers outside of the United States (offshore)?

Answer 2: While HIPAA itself does not prohibit maintaining protected health information (PHI) outside of the United States, there are state laws or contractual requirements between covered entities and federal or state agencies that may impact a covered entity’s ability to do so.

Section 1902(a)(80) of the Social Security Act prohibits a state from providing any “payments for items or services provided under the State plan or under a waiver to any financial institution or entity located outside of the United States.” The Centers for Medicare and Medicaid Services (CMS), however, has issued guidance in accordance with the Affordable Care Act (ACA) stating that Medicaid agencies are permitted to provide payments to contractors operating offshore for tasks—including administrative functions—that support the administration of the Medicaid program.2

Despite the permissibility of offshoring under federal law, four states’ Medicaid agencies have executive orders and contract requirements in place that prohibit any of their contractors (such as Medicaid managed care plans) from using offshoring services.3 Some states, such as New York, do not prohibit offshoring in law or regulation but have banned it through contract requirements and internal policy. New York, for example, prohibits Medicaid managed care plans from offshoring any administrative or management functions of those plans. Other states, such as New Jersey and Missouri, do permit offshoring but only under limited circumstances.

In addition, CMS requires Medicare Advantage and Part D sponsors that contract with offshore vendors to perform Medicare-related work that uses beneficiary PHI to provide CMS with specific offshore subcontractor information and complete an attestation regarding protection of beneficiary PHI. Medicare Advantage and Part D sponsors must provide that information to CMS within 30 calendar days of signing an offshore contract.4 They also must advise CMS any time there are changes to the functions that the current offshore contractor provides.5

Question 3: Should sanctioned attempts by digital security specialists to break into protected systems and networks be part of HIPAA-compliant risk assessment and risk management programs?

Answer 3: The HIPAA Security Rule does not specifically require covered entities and business associates to hire digital security specialists to test system vulnerabilities through sanctioned attempts to break into protected systems and networks. Instead, within the flexible framework of the Security Rule, a covered entity or business associate must determine whether implementing this security measure is reasonable and appropriate, based on the following factors:

  • The size, complexity and capabilities of the covered entity;
  • The covered entity’s technical infrastructure, hardware and software security capabilities;
  • The costs of security measures; and
  • The probability and criticality of potential risks to electronic PHI.

The best practice is to have a governance structure in place to support a formal process for addressing policy questions, such as the length of time between periodic reviews and thresholds that might trigger re-evaluation.

Question 4: How has the healthcare industry’s growing acceptance of commercial cloud services affected the regulatory standards for determining compliance with the HIPAA Security Rule?

Answer 4: HIPAA’s administrative safeguards include the requirement to reassess security measures in response to environmental and operational changes. One major change is the rising number of cyberattacks waged against healthcare organizations, as illustrated by The World Privacy Forum’s interactive map of reported medical data breaches in the United States. Another is the increased risk that malicious actors targeting smaller covered entities and business associates can gain access to the systems and networks of a broader clinical network.

Concurrent with the rise in cyberattacks is the healthcare industry’s growing acceptance of commercial cloud services. This rising acceptance of cloud services represents another environmental and operational change that warrants examination by covered entities and business associates.

The OCR’s release of guidance on HIPAA and cloud computing demonstrates the recognition of the increasing prominence of cloud services. Among other things, the guidance encourages covered entities and business associates to consult a resource offered by the National Institute of Standards and Technology (NIST)—the NIST Definition of Cloud Computing. The rise in cyberattacks, coupled with the availability of HIPAA-enabled cloud service platforms, may change the calculus for some covered entities in how they assess the factors that go into determining what are reasonable and appropriate measures to implement.

Another point well worth noting: In April 2017, the U.S. Department of Health and Human Services (HHS) announced that it is establishing a cybersecurity “nerve” center that is modeled after the Department of Homeland Security’s National Cybersecurity and Communications Integration Center. The nerve center’s primary purpose will be to assess cyberthreats, such as the WannaCry ransomware attack, and quickly disseminate best practices for countering these threats. The new center is a positive step toward ensuring a greater coordinated response to cyberattacks. As the center becomes firmly established, more changes can be anticipated that will influence the determination of reasonable and appropriate security measures.


Suit Over Hospitals’ Alleged Anticompetitive Marketing Sent to Trial

By Lisl J. Dunlop, Partner, Antitrust and Competition | Shoshana S. Speiser, Associate, Litigation

Conspiracies between competitors can be hard to prove, even when other parties to the alleged conspiracy have settled. On May 31, 2017, a federal judge denied summary judgment and ruled that the Department of Justice (DOJ) and Michigan Attorney General’s suit against W.A. Foote Memorial Hospital, d/b/a Allegiance Health (Allegiance), for anticompetitive marketing practices will proceed to trial. United States v. W.A. Foote Memorial Hospital, No. 5:15-cv-12311 (E.D. Mich. May 31, 2017).

Background

As we reported in a previous article, in June 2015, the DOJ and Michigan Attorney General sued four Michigan hospital systems—Hillsdale Community Health Center of Branch County (Hillsdale); Allegiance; Community Health Center of Branch County; and ProMedica Health System Inc.—for unlawfully agreeing to allocate territories for the marketing of competing healthcare services.

Since then, all of the defendants other than Allegiance have settled with the DOJ. The settlements prohibit the three health systems from entering into any future agreements to divide marketing territories and require them to institute compliance measures designed to prevent similar violations. The remaining issue is whether Allegiance agreed with Hillsdale that Allegiance would not market its competing services in Hillsdale’s territory.

According to the DOJ, the agreement between Allegiance and Hillsdale constitutes a per se violation of the antitrust laws and is illegal under an abbreviated or “quick look” rule of reason analysis. The “quick look” analysis is reserved for conduct that appears obviously anticompetitive. Further, the DOJ alleged that as a result of this agreement, patients, physicians and employers were deprived of information regarding healthcare choices and of free health screenings and educational materials.

Summary Judgment Motion

On Jan. 12, 2017, Allegiance filed a motion for partial summary judgment, arguing that a full rule of reason analysis should be applied to the case because the alleged conduct (1) will not clearly result in adverse effects on competition and (2) has a plausible procompetitive justification. Allegiance also argued that no agreement exists, and that its conduct was the result of a unilateral business decision to obtain referrals for services on which the hospitals do not compete.

A week later, the DOJ filed a motion for summary judgment arguing that there was an agreement for per se unlawful allocation of marketing territory, and that the agreement is illegal under a “quick look” rule of reason analysis.

According to Judge Judith Levy, the DOJ provided a compelling argument that there was an agreement. The DOJ’s case relied heavily on emails and discussions between senior executives at Allegiance and Hillsdale that referred to the hospital systems’ relationship as a “gentlemen’s agreement.” In particular, the court highlighted an email from Allegiance’s CEO, Georgia Fojtasek, sent after she learned of a marketing mailing sent to Hillsdale County and in which she stated that she told Hillsdale’s CEO that Allegiance “specifically agreed to screen out Hillsdale zip codes” and that they “would find out what happened and be sure the appropriate apologies are send [sic].”

This evidence, however, was contradicted by other evidence, including Fojtasek’s deposition testimony insisting that there was no agreement and that Allegiance’s actions reflected a unilateral business strategy. Judge Levy held that the inconsistencies between the parties’ arguments must be resolved by determining witness credibility, which can only be accomplished at trial. Because the court was unable to determine whether an agreement exists or how it was structured, the court was also unable to determine which method of analysis should apply to the agreement, if it exists.

The case is scheduled for a bench trial in October.

Takeaways

This case reinforces that antitrust regulators closely scrutinize business agreements—both formal and informal—between competitors and vigorously prosecute those that they perceive as restricting competition. The courts, in turn, carefully consider the regulators’ accusations, will not dismiss them quickly or lightly, and also weigh the credibility of the reasons underlying potentially anticompetitive interactions with competitors. Participants in the healthcare market must proceed with caution when interacting with competitors and be mindful of not only their actions, but also the reasons underlying those actions and how they may be documented.

Few Medicare Part D Plans Offer Vaccines Without Cost-Sharing

By Annemarie V. Wouters, Senior Advisor, Manatt Health | Katie Manthe, Manager, Manatt Health | Devin A. Stone, Manager, Manatt Health

Vaccination coverage among U.S. adults is low and well below the Healthy People 2020 Targets, despite the widespread availability of safe and effective vaccines and the long-standing recommendations by the Centers for Disease Control (CDC) and the Advisory Committee on Immunization Practices (ACIP).1,2 The 2010 Affordable Care Act (ACA) eliminated some coverage and financial barriers to adult vaccinations offered by private health insurance and Medicaid, but did not substantially change vaccine coverage or cost-sharing for Medicare beneficiaries enrolled in Medicare Part D.3,4

Medicare Part D plans are required to cover all commercially available vaccines not covered under Medicare Part B that are reasonable and necessary to prevent illness, but cost-sharing is permitted.5,6 Despite Centers for Medicare and Medicaid Services’ (CMS's) encouragement to provide vaccines without cost-sharing, few Part D plans provided vaccines without out-of-pocket spending requirements in 2017.7

Medicare Part D plans include Part D prescription drug stand-alone plans (PDPs) for beneficiaries in Original Medicare and Medicare Advantage Part D (MA-PD) plans. A subset of MA-PD plans, starting in 2017, also are participating in the CMS Center for Medicare and Medicaid Innovation value-based insurance design model initiative (MA-PD VBID), which targets value-based insurance design for seven conditions (diabetes, chronic obstructive pulmonary disease, congestive heart failure, past stroke, hypertension, coronary artery disease and mood disorders).8

Manatt Health Study Reveals Whether Part D Plans Were Encouraging Vaccinations

In 2017, Part D enrollment across all types of Part D plans was approximately 44 million (including employer-sponsored plans), with about 40% in PDPs.9,10 This study focuses on 34.2 million Part D enrollees across MA-PD plans (including MA-PD VBID) and PDPs. It excludes enrollees from demonstrations, national programs for all-inclusive care for the elderly (PACE) plans, employer group waiver plans (EGWPs) and employer direct contract plans, which are excluded from the Part D data file.11

Manatt Health analyzed whether, during calendar year 2017, Part D plans were encouraging beneficiary vaccinations by placing vaccines within one of several possible zero-dollar cost-sharing tier designs or formulary structures. Beginning in 2012, CMS permitted Part D plans to create a “Vaccine Tier” for zero-dollar cost-share to promote vaccine utilization.12 While the inclusion of a dedicated Vaccine Tier or, alternatively, a Select Care/Select Diabetes tier that contains vaccine products as part of a multiple-tier formulary structure is not a requirement, sponsors who choose to offer one of these formulary structures must set the cost-sharing at zero dollars.13 Plans may also offer other tiers with zero-dollar cost-share, such as preferred drug tiers.

Manatt examined ten vaccines recommended by ACIP and the CDC for adults older than 65 years or for adults with certain risk factors: Boostrix®, Zostavax®, Varivax®, Menomune®, Havrix®, Vaqta®, Engerix-B®, Recombivax HB®, Twinrix® and Tenivac.14 These vaccines are used to prevent diseases such as tetanus, diphtheria and pertussis, herpes zoster (shingles), hepatitis A and B, chicken pox, and meningococcal disease. Our findings show that:

  • In CY 2017, few Part D plans of any type (MA-PD, MA-PD VBID, PDP) designate a dedicated Vaccine Tier with zero-dollar cost-share. No MA-PD VBID or PDP plans have a dedicated Vaccine Tier. In MA-PD plans (including MA-PD VBID), only 6%–7% of enrollees have access to a zero-dollar cost-share dedicated Vaccine Tier. (See Figure 1.)
  • Slightly more but still few Part D plans of any type (MA-PD, MA-PD VBID, PDP) offer zero-dollar cost-sharing for vaccines regardless of tier label (e.g., Vaccine Tier, Select Care Tier, preferred brand tier). No MA-PD VBID or PDP plans offer zero-dollar cost-sharing regardless of tier label. In MA-PD plans (including MA-PD VBID), about 9%–10% of enrollees have access to zero-dollar cost-share regardless of the tier label. (See Figure 1.)
  • In the first year of implementation, MA-PD VBID plans do not apply value-based insurance design to vaccines. No MA-PD VBID plans place vaccines in a zero-dollar cost-share tier.
  • Copayments were the primary cost-sharing vehicle for those Part D plans (MA-PD, MA-PD VBID, PDP) that require cost-sharing for vaccines. Depending on the vaccine, 53%–80% of enrollees in either MA-PD or PD plans were responsible for vaccine copayments, while 20%–47% of enrollees were responsible for coinsurance. Enrollee coinsurance responsibility was more frequent for Zostavax® than for the other vaccines surveyed. (See Figure 2.)

Figure 1. MA-PD Plan Enrollment With a Dedicated Vaccine Tier or a Zero-Dollar Cost-Share Tier (CY 2017)


Sources: National Drug Classification (NDC) codes for adult vaccines taken from the Medi-Span database (September 2016); Medicare Prescription Drug Plan Formulary, Pharmacy Network, and Pricing Information quarterly public use files (PUFs) for CY 2017 (first quarter of 2017); 2017 Part D Plan Benefit Package (PBP) files. Medicare Advantage (MA)/Part D Contract and Enrollment Data files for January 2017. The Medi-Span database was used to identify all National Drug Classification (NDC) codes associated with the ACIP adult vaccines chosen for this study15 as of September 2016. Formulary coverage for vaccines is based on the Medicare Prescription Drug Plan Formulary, Pharmacy Network, and Pricing Information quarterly public use files (PUFs)16 for CY 2017 (first quarter of 2017), in addition to the 2017 Part D Plan Benefit Package (PBP)17 files.18 Enrollment for each plan was obtained from the Medicare Advantage (MA)/Part D Contract and Enrollment Data files for January 2017.19

Notes: Analysis of all MA-PD plan enrollees, including MA-PD VBID plans. No PDP plans had a Dedicated Vaccine Tier. Excludes enrollees from demonstrations, national programs for all-inclusive care for the elderly (PACE) plans, employer group waiver plans (EGWPs) and employer direct contract plans.

Figure 2. MA-PD and PDP Enrollment by Vaccine Cost-Sharing Type Among Plans Requiring Vaccine Cost-Sharing (CY 2017)


Sources: National Drug Classification (NDC) codes for adult vaccines taken from the Medi-Span database (September 2016); Medicare Prescription Drug Plan Formulary, Pharmacy Network, and Pricing Information quarterly public use files (PUFs)1 for CY 2017 (first quarter of 2017); 2017 Part D Plan Benefit Package (PBP)1 files. Medicare Advantage (MA) / Part D Contract and Enrollment Data files for January 2017. The Medi-Span database was used to identify all National Drug Classification (NDC) codes associated with the ACIP adult vaccines chosen for this study20 as of September 2016. Formulary coverage for vaccines is based on the Medicare Prescription Drug Plan Formulary, Pharmacy Network, and Pricing Information quarterly public use files (PUFs)21 for CY 2017 (first quarter of 2017), in addition to the 2017 Part D Plan Benefit Package (PBP)22 files.23 Enrollment for each plan was obtained from the Medicare Advantage (MA) / Part D Contract and Enrollment Data files for January 2017.24

Notes: Analysis of all MA-PD, MA-PD VBID and PDP enrollees that required cost-sharing. Excludes enrollees from demonstrations, national PACE plans, EGWPs and employer direct contract plans.

Most Part D Plans Continue to Require Out-of-Pocket Costs

Although CMS recommends that Part D plans encourage adult vaccination through zero-dollar cost-sharing, most Part D plans continue to require patients to pay out-of-pocket costs. Notably, plans currently participating in the CMS MA-PD VBID model initiative are also not applying zero-dollar vaccine cost-sharing as a value-based benefit design principle at this time. For more information about this or other Medicare Part D analyses, please contact Annemarie Wouters at awouters@manatt.com.

1. U.S. Department of Health and Human Services. “Healthy People 2020.” Washington, D.C. 2011. https://www.healthypeople.gov/2020/topics-objectives/topic/immunization-and-infectious-diseases/objectives.
2. U.S. Department of Health and Human Services. The National Vaccine Program Office. “National Adult Immunization Plan.” February 2016. https://www.hhs.gov/sites/default/files/nvpo/national-adult-immunization-plan/naip.pdf, accessed 5/23/2017.
3. Affordable Care Act. Sections 2001 and 1302.
4. CMS. Memo to State Medicaid Directors. November 20, 2012. “Essential Health Benefits in the Medicaid Program.” https://www.medicaid.gov/Federal-Policy-Guidance/Downloads/SMD-12-003.pdf, accessed 5/23/2017.
5. CMS. Medicare Prescription Drug Benefit Manual. Chapter 6, Sections 20.4 and 30.2.7. https://www.cms.gov/Medicare/Prescription-Drug-Coverage/PrescriptionDrugCovContra/Downloads/Part-D-Benefits-Manual-Chapter-6.pdf, accessed 5/23/2017.
6. CMS. Medicare Prescription Drug Benefit Manual. Chapter 6, Section 30.2.7. https://www.cms.gov/Medicare/Prescription-Drug-Coverage/PrescriptionDrugCovContra/Downloads/Part-D-Benefits-Manual-Chapter-6.pdf, accessed 5/23/2017.
7. CMS. “Announcement of Calendar Year (CY) 2016 Medicare Advantage Capitation Rates and Medicare Advantage and Part D Payment Policies and Final Call Letter.” April 2015. https://www.cms.gov/medicare/health-plans/medicareadvtgspecratestats/downloads/announcement2016.pdf, accessed 5/23/2017.
8. CMS. “Fact Sheet: Medicare Advantage Value-Based Insurance Design Model.” October 3, 2016. https://www.cms.gov/Newsroom/MediaReleaseDatabase/Fact-sheets/2016-Fact-sheets-items/2016-10-03-2.html, accessed 5/23/2017.
9. Medicare Advantage, Cost, PACE, Demo, and Prescription Drug Plan Contract Report - Monthly Summary Report (Data as of April 2017). https://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends-and-Reports/MCRAdvPartDEnrolData/Monthly-Enrollment-by-Plan.html.
10. Medicare Advantage, Cost, PACE, Demo, and Prescription Drug Plan Organizations - Monthly Report by Plan - April 2017. https://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends-and-Reports/MCRAdvPartDEnrolData/Monthly-Enrollment-by-Plan-Items/Monthly-Enrollment-by-Plan-2017-04.html?DLPage=1&DLEntries=10&DLSort=1&DLSortDir=descending.
11. Part D Record Layout for 2016 and 2017 Quarterly File Update. https://www.cms.gov/Research-Statistics-Data-and-Systems/Files-for-Order/NonIdentifiableDataFiles/Downloads/PDPLayoutMonthly2016Update.pdf, last accessed 4/11/2017.
12. CMS. “Announcement of Calendar Year (CY) 2016 Medicare Advantage Capitation Rates and Medicare Advantage and Part D Payment Policies and Final Call Letter.” April 2015. https://www.cms.gov/medicare/health-plans/medicareadvtgspecratestats/downloads/announcement2016.pdf, accessed 5/23/2017.
13. CMS. “Announcement of Calendar Year (CY) 2017 Medicare Advantage Capitation Rates and Medicare Advantage and Part D Payment Policies and Final Call Letter.” April 4, 2016. p. 198. https://www.cms.gov/Medicare/Health-Plans/MedicareAdvtgSpecRateStats/Downloads/Announcement2017.pdf, accessed 5/23/2017.
14. Centers for Disease Control and Advisory Committee on Immunization Practices (ACIP). “Recommended Immunization Schedules for Adults,” CY 2016. https://www.cdc.gov/vaccines/schedules/hcp/adult.html, last accessed 4/11/2017.
15. Wolters Kluwer. MEDI SPAN ELECTRONIC DRUG FILE (MED-FILE) V2; published 09/2016, accessed March 2017.
16. Centers for Medicare & Medicaid Services. Prescription Drug Plan Formulary, Pharmacy Network, and Pricing Information Files. https://www.cms.gov/research-statistics-data-and-systems/files-for-order/nonidentifiabledatafiles/prescriptiondrugplanformularypharmacynetworkandpricinginformationfiles.html.
17. Centers for Medicare & Medicaid Services. Benefits Data for MA and Part D. https://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends-and-Reports/MCRAdvPartDEnrolData/Benefits-Data.html?DLSort=0&DLEntries=10&DLPage=2&DLSortDir=ascending [PBP CY 2016 and 2017 files accessed March 2017].
18. CMS. “Medicare Advantage Value-Based Insurance Design Model.” https://innovation.cms.gov/initiatives/vbid/, accessed May 11, 2017.
19. Centers for Medicare & Medicaid Services. Medicare Advantage / Part D Contract and Enrollment Data. https://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends-and-Reports/MCRAdvPartDEnrolData/index.html?redirect=/mcradvpartdenroldata/.
20. Wolters Kluwer. MEDI SPAN ELECTRONIC DRUG FILE (MED-FILE) V2; published 09/2016, accessed March 2017.
21. Centers for Medicare & Medicaid Services. Prescription Drug Plan Formulary, Pharmacy Network, and Pricing Information Files. https://www.cms.gov/research-statistics-data-and-systems/files-for-order/nonidentifiabledatafiles/prescriptiondrugplanformularypharmacynetworkandpricinginformationfiles.html.
22. Centers for Medicare & Medicaid Services. Benefits Data for MA and Part D. https://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends-and-Reports/MCRAdvPartDEnrolData/Benefits-Data.html?DLSort=0&DLEntries=10&DLPage=2&DLSortDir=ascending [PBP CY 2016 and 2017 files accessed March 2017].
23. CMS. “Medicare Advantage Value-Based Insurance Design Model.” https://innovation.cms.gov/initiatives/vbid/, accessed May 11, 2017.
24. Centers for Medicare & Medicaid Services. Medicare Advantage / Part D Contract and Enrollment Data. https://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends-and-Reports/MCRAdvPartDEnrolData/index.html?redirect=/mcradvpartdenroldata/.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Manatt, Phelps & Phillips, LLP | Attorney Advertising

Written by:

Manatt, Phelps & Phillips, LLP

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at: privacy@jdsupra.com.

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at www.jdsupra.com) (our "Website") and our services (such as our email article digests) (our "Services") use a standard technology called a "cookie" and other similar technologies (such as pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they log in to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used on our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit legal.hubspot.com/privacy-policy.
  • New Relic - For more information on New Relic cookies, please visit www.newrelic.com/privacy.
  • Google Analytics - For more information on Google Analytics cookies, visit www.google.com/policies. To opt-out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout. This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third-party social networks provide and that we do not control. These buttons know that you are logged in to your social network account, and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services, you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit http://www.aboutcookies.org which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time to time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at: privacy@jdsupra.com.
