Healthcare Litigation - April 2018

by Manatt, Phelps & Phillips, LLP

Manatt, Phelps & Phillips, LLP

In This Issue:
  • Mental Health and Minors: Proceed With Caution!
  • The Risk Corridors Program: Should the Government Pay?
  • How Can All-Payer Claims Databases Support Insurance Regulation?

Mental Health and Minors: Proceed With Caution!

By Carri Becker Maas, Partner, Healthcare Litigation | John M. LeBlanc, Partner, Healthcare Litigation

Imagine representing a party in a lawsuit concerning coverage for mental health services. The lawsuit was brought by the parents of a minor child. The client received a request for production of medical records concerning the child’s mental health treatment. Can the client produce the records?

In short: it depends.

The path to the correct answer is exceedingly complex. It requires an analysis of federal privacy rules, state privacy and minor consent laws, and applicable regulations. This article provides an overview of the type of analyses a lawyer should undertake to determine whether a minor’s medical records relating to mental health treatment may be produced.

HIPAA Privacy Rules

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes federally protected rights that permit individuals to control certain uses and disclosures of their protected health information, including their medical records.

Under HIPAA Privacy Rules, with certain exceptions, mental health records are generally treated the same as medical records. In the context of litigation, medical records can typically be disclosed by a covered entity (defined as providers, health plans and other entities specified under 45 C.F.R. 160.103) in any one of the following situations:

a) The patient provides written permission for the disclosure;
b) The covered entity is a party to the litigation and uses or discloses the records for purposes of the litigation, so long as the entity makes reasonable efforts to limit such uses and disclosures to the minimum necessary to accomplish the intended purpose;
c) The covered entity receives a court order; or
d) The covered entity receives a subpoena for the information, if the covered entity either:

i. Notifies the subject of the information about the request, so the person has a chance to object to the disclosure; or
ii. Seeks a qualified protective order from the court.

See 45 C.F.R. § 164.512(e).

Yet HIPAA Privacy Rules alone do not answer the question as to when and under what circumstances a minor’s mental health records may be disclosed. State privacy laws and state laws concerning consent and minors must also be considered.

State Privacy Laws

Many states have enacted privacy laws that are more stringent than HIPAA and place further protections on disclosure of medical records generally and mental health records specifically.

In California, mental health records may be subject to one of two state laws: (1) the Lanterman-Petris-Short Act, California Welfare and Institutions Code, Section 5328 et seq. (LPS Act); or (2) the California Confidentiality of Medical Information Act, California Civil Code Section 56 et seq. (CMIA). To determine whether mental health records may be disclosed under California law, the first inquiry to make is whether the records are subject to the LPS Act or CMIA.

The LPS Act concerns involuntary civil commitment to a mental health institution in the state of California, and it strictly prohibits the disclosure of medical records concerning involuntary commitments absent a court order. Cal. Welf. & Inst. Code § 5328(f). In contrast, the CMIA generally prohibits a healthcare provider, healthcare service plan or contractor from disclosing medical information regarding a patient without first obtaining a written authorization from the patient, with certain exceptions. Cal. Civ. Code § 56.10. Disclosures can be made without written authorization in certain circumstances, including but not limited to where compelled by:

  1. Court order;
  2. An administrative agency under its lawful authority; or
  3. A party to a legal proceeding before a court or administrative agency by subpoena or other authorized discovery mechanism.

Cal. Civ. Code § 56.10.

Even if applicable state laws authorize disclosure of mental health records, that is unlikely to be the end of the inquiry where a minor’s medical records are involved.

Consent and Minors

When consent to release a minor’s records is required under federal or state law, who is authorized to provide that consent?

Under the HIPAA Privacy Rule, “personal representatives” are those persons who have authority, under applicable law, to make healthcare decisions for a patient. Typically, a parent, guardian or other person acting in loco parentis (collectively, Parent) is considered a personal representative of his or her minor child. As such, he or she has the authority to make healthcare decisions for the minor and may exercise the minor’s rights with respect to protected health information.

But there are several important exceptions to this rule. A Parent is not considered the “personal representative” of his or her minor child when:

  1. A minor has consented to the healthcare services and the consent of the Parent is not required by federal or state law;
  2. Someone other than a Parent is authorized under federal or state law to provide consent for the medical services to a minor and provides such consent (e.g., court-ordered healthcare services); or
  3. A Parent consents to a confidential relationship between the minor and a healthcare provider with respect to the healthcare service.

In addition to these federal rules, many states have enacted more stringent privacy and informed-consent laws concerning minors. These laws generally fall into two categories: laws based on the status of the minor (e.g., minors who are emancipated) and laws based on the type of care sought (e.g., mental health or family planning).

For example, in California minors 12 years or older may consent to outpatient mental health treatment if, in the opinion of the treating provider, the minor is mature enough to participate intelligently in the mental health treatment. Cal. Health & Saf. Code § 124260. In such a case, a provider cannot share the minor’s medical records with his or her parents (or others) absent a signed authorization from the minor. Cal. Health & Saf. Code §§ 123110(a), 123115(a)(1); Cal. Civ. Code §§ 56.10, 56.11, 56.30.

Federal law also permits providers to refuse to produce medical records to a parent or person otherwise entitled to receive them if the provider believes that (a) the patient has been or may be subject to violence, abuse or neglect by that person; (b) the patient may be endangered if that person is treated as a personal representative; or (c) it is not in the best interests of the patient to treat the person as a personal representative. 45 C.F.R. § 164.502(g). California state laws similarly permit a provider to refuse to disclose records if the provider believes disclosure would negatively impact (a) the provider’s professional relationship with the minor or (b) the minor’s physical safety or psychological well-being. Cal. Health & Saf. Code § 123115(a)(2). 

Records Subject to Heightened Protections

Another critical inquiry is whether the specific type of records requested may be disclosed under any circumstances. Certain classes of medical records are subject to heightened protections; two examples are psychotherapy notes and medical records regarding substance use disorder (SUD) diagnoses and treatment.

1. Psychotherapy Notes

The HIPAA Privacy Rule distinguishes between mental health information that is contained within an individual’s medical record and psychotherapy notes. Psychotherapy notes are subject to heightened protections and, with limited exceptions, may be disclosed only if the patient signs an authorization permitting disclosure. See 45 C.F.R. § 164.508(a)(2). Similarly, a personal representative is precluded from obtaining psychotherapy notes regarding his or her minor child. Disclosure of psychotherapy notes is permitted only where certain federal exceptions apply, including where disclosure is required by law, such as mandatory reporting of abuse and duty to warn in cases of serious and imminent threats.

Even where disclosure is permitted under federal law, state laws should also be consulted. Where state laws conflict with federal laws, a pre-emption analysis will need to be undertaken to determine which law governs.

2. Substance Use Disorders

Another class of records afforded heightened protection relates to SUDs. The Confidentiality of Alcohol and Drug Abuse Patient Records regulation, 42 C.F.R. Part 2, applies to any individual or program that is federally assisted and holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment or referral for treatment. This federal law restricts the disclosure and use of patient records that include information on substance use diagnoses or treatment information. 42 C.F.R.§ 2.11. Except in very limited circumstances, this law requires a patient’s written consent—with nine specified elements, including the precise recipient of the disclosed information and the purpose of the disclosure. 42 C.F.R. §§ 2.31(a), 2.51-2.53.

Where medical records contain SUD diagnoses or treatment information, disclosure should not be made absent specific written authorization from the patient—or the patient’s personal representative—unless an exception applies. See 42 C.F.R. §§ 2.51-2.53 (establishing exceptions for medical emergencies, research and audits).


Lawyers are well-advised to proceed with caution in the complex arena of mental health privacy laws, especially with regard to minors. While this article highlights some of the federal and state laws at play, a comprehensive review of all potentially applicable federal and state laws is strongly advised before disclosure in any case.

The Risk Corridors Program: Should the Government Pay?

By John M. LeBlanc, Partner, Healthcare Litigation | Samuel A. Canales, Associate, Litigation

The Patient Protection and Affordable Care Act (ACA) established health insurance exchanges where insurers can offer qualified health plans (QHPs) to individuals and certain employers. Because the exchanges made coverage available to people who previously were uninsured or underinsured, some QHP issuers may have lacked enough information to properly evaluate risk and anticipate costs. 

To encourage QHP issuers to set modest premiums during the early years of the exchanges, the ACA established a three-year risk corridors program (Program) that would reimburse QHP issuers certain excess benefit costs. However, by the end of the Program, the federal government had yet to reimburse QHP issuers more than $12 billion. The government has since refused to appropriate sufficient funds to pay the outstanding amounts. The article below provides a brief overview of the Program, two important cases on appeal concerning the federal government’s obligation to make the payments, and the recently passed omnibus spending bill.

The Risk Corridors Program

The Program started in 2014 and required QHP issuers to spend a certain portion of premium funds (target amount) on healthcare and quality improvement (allowable costs) each benefit year. See 42 U.S.C. § 18062. QHP issuers that spent less than 97% of the target amount had to pay a portion of their gains into the Program (Collected Amounts). 42 U.S.C. § 18062(b)(2); 45 C.F.R. § 153.510(c). QHP issuers that spent more than 103% of the target amount would be reimbursed a portion of their excess losses (Risk Corridors Payment). 42 U.S.C. § 18062(b)(1); 45 C.F.R. § 153.510(b). 

Through annual appropriations riders, Congress limited funding for the Risk Corridors Payments to the Collected Amounts. Risk Corridors Payments exceeding the Collected Amounts were transferred to the following year. However, by the end of the Program in 2016, more than $12 billion remained outstanding due to QHP issuers experiencing more significant losses than significant gains, resulting in inadequate Collected Amounts. The government has since refused to appropriate additional funding to cover the outstanding Risk Corridors Payments, prompting many QHP issuers to file suit.

Legal Actions Concerning the Outstanding Risk Corridors Payments

Two important cases addressing the outstanding Risk Corridors Payments are Land of Lincoln Mutual Health Insurance Company v. United States and Moda Health Plan, Inc. v. United States.

In Land of Lincoln Mutual Health Insurance Company, Judge Charles Lettow of the Court of Federal Claims held that “HHS’s decision not to make full payments annually cannot be considered contrary to law.” Land of Lincoln Mut. Health Ins. Co. v. United States, 129 Fed. Cl. 81, 108 (2016). The court found that the ACA was “ambiguous in terms of the ‘payments in’ and ‘payments out’ arrangement for risk-corridors payments because it does not contain an express authorization for appropriations to make up any shortfall in the ‘payments in’ to cover all of the ‘payments out’ that may be due. And, it does not explicitly require ‘payments out’ to be made on an annual basis, whether in full or not.” Id. at 106. Because of these ambiguities, the court deferred to “HHS’s interpretation [of the ACA, which] was reflected in its final rule on May 27, 2014, [where] it stated that it intended to administer risk corridors in a budget neutral way over the three-year life of the program, rather than annually.” Id. (internal quotation marks omitted). The court also found there was no contract between Land of Lincoln Mutual Health and the government concerning the Program. Id. at 108-113.

In contrast, in Moda Health Plan, Inc., Judge Thomas Wheeler of the Court of Federal Claims held that “the Government . . . unlawfully withheld risk corridors payments from Moda, and is therefore liable. The Court [found] that the ACA requires annual payments to insurers and that Congress did not design the risk corridors program to be budget-neutral. The Government is therefore liable for Moda’s full risk corridors payments under the ACA. In the alternative, the Court [found] that the ACA constituted an offer for a unilateral contract, and Moda accepted this offer by offering qualified health plans on the Health Benefit Exchanges.” Moda Health Plan, Inc. v. United States, 130 Fed. Cl. 436, 441 (2017). The “Government made a promise in the risk corridors program that it has yet to fulfill. [T]he Court [directed] the Government to fulfill that promise. After all, to say to [Moda], ‘The joke is on you. You shouldn’t have trusted us,’ is hardly worthy of our great government.” Id. at 466 (quoting Brandt v. Hickel, 427 F.2d 53, 57 (1970)).

Both cases are on appeal in the Federal Circuit, which heard oral argument in January 2018.

The Health & Human Services 2019 Budget

In an interesting turn of events, the Health & Human Services (HHS) 2019 proposed budget released on February 12, 2018, included $11.5 billion to fund the outstanding Risk Corridors Payments. Land of Lincoln Mutual Health Insurance Company and Moda Health Plan, Inc. alerted the Federal Circuit to the budget, and argued that it showed the federal government’s intent to fund the Program. However, on February 19, 2018, HHS posted a revised budget once again limiting outlays for the Program to the Collected Amounts. On March 23, 2018, President Trump signed into law a $1.3 trillion omnibus spending bill that did not appropriate additional funds to cover the outstanding Risk Corridors Payments.


In light of the federal government’s steadfast refusal to fully fund the Program, the Federal Circuit’s decisions in Land of Lincoln Mutual Health Insurance Company and Moda Health Plan, Inc. will have significant financial consequences in these cases and the numerous others just like them. The Federal Circuit’s decisions are expected any day now.

How Can All-Payer Claims Databases Support Insurance Regulation?

By Joel S. Ario, Managing Director, Manatt Health | Kevin McAvey, Senior Manager, Manatt Health

Editor’s Note: On March 24, 2018, Joel Ario, managing director at Manatt Health, and Kathy Hempstead, a senior advisor to the Robert Wood Johnson Foundation, delivered a presentation on All-Payer Claims Databases (APCDs) to the National Association of Insurance Commissioners (NAIC) Regulatory Framework Task Force. The presentation, summarized below, provided a detailed look at APCDs, including use cases and caveats. Sharing preliminary considerations, the presentation was the product of extensive research and nearly a dozen interviews with state APCD and insurance leaders. Click here to download the full presentation free.

The final presentation and report will be delivered at the next national NAIC meeting in August.


What Are APCDs?

All-Payer Claims Databases (APCDs) are centralized state data repositories for health insurance membership and claims records. States with APCDs typically require insurers operating in their markets to regularly submit medical, pharmacy and dental claim files for all members residing in and/or contracted in their state. Mature APCDs allow for cross-payer, marketwide enrollment, utilization and payment trend analyses and are an increasingly leveraged data resource by regulators, policymakers and researchers.

Maine was the first state to establish an APCD in 2003, and since that time, more than a dozen other states have either followed suit or are in the process of doing so. (Note: As shown on the map below, additional states have established voluntary “multi-payer” or partial APCDs.) 

According to results of Manatt Health’s first APCD Capacity Survey—co-administered with the National Association of Health Data Organizations—on average, APCDs include data for three-fifths of their states’ populations, with robust coverage of the private fully insured, Medicaid and even Medicare Advantage populations. This breadth and depth of coverage make APCDs a particularly attractive data resource for insurance departments.

Source: Manatt Health APCD Catalogue (accessed March 1, 2018)

Four APCD Use Cases for Insurance Regulators

Mature APCDs have the potential to inform insurance department policy and program goals across four areas:

  1. Price Transparency: APCDs can provide a wealth of dynamic price data to inform the decisions of regulators, policymakers and even consumers. New Hampshire, Maine and Maryland, for example, have used data from their respective APCDs to populate consumer websites, where prospective patients can compare estimated costs for procedures and services across providers. Frequently complementing insurer-developed, plan-specific patient cost calculators, state consumer websites are often part of broader strategies to promote consumer empowerment and market competition. Other states have leveraged their APCDs to produce statewide cost-driver reporting and to identify, investigate, and respond to unexplained price variations between payers, providers and services.
  2. Rate Review: APCDs include data that insurance regulators can use to enhance their understanding of insurance markets for rate review purposes. Mature APCDs have the potential to generate useful trend reports on most claims categories of interest to insurance regulators, highlighting member experience differences by geography, demographic characteristics and time period. Mature APCDs also can allow for impact monitoring of delivery system reforms, quality initiatives and other ad hoc analyses (e.g., frequency and severity of claims for 1332 waiver reinsurance program proposals). The Maryland Insurance Administration uses its state’s APCD, the MD Medical Care Database, for example, to check payer submissions and run deeper analyses. Oregon’s Department of Consumer and Business Services uses its APCD (APAC) data in its review of premiums for individual and small group health plans, while Massachusetts’ Center for Health Information and Analysis has worked in partnership with its Division of Insurance to reduce the statewide payer reporting burden by directly sourcing several insurance reports from its APCD (supporting “administrative simplification”).
  3. Network Adequacy: APCDs have the potential to be a significant resource in helping insurance regulators set and monitor network adequacy standards. The New Hampshire Insurance Department, for example, views its APCD, the New Hampshire Comprehensive Healthcare Information System (CHIS), as a prime resource to help it monitor the impact of its new network adequacy regulation (IR 2701), which measures adequacy by service category rather than provider type. Mature APCDs have the potential to help insurance regulators answer critical questions about payers’ networks, including: Which providers deliver what services? Where are certain services scarce? And how much do prices differ between in- and out-of-network services by plan?1 APCDs may also be able to help inform specific policy questions, such as the prevalence of out-of-network charges at in-network facilities (i.e., surprise billing).
  4. Responding to the Opioid Crisis: APCDs have helped states to monitor and develop strategies for combating public health crises, including the opioid epidemic. APCDs can provide information on prescribing patterns at regional and physician levels, as well as the availability of treatment (e.g., medication-assisted treatment (MAT), naloxone or residential programs). APCDs also allow states to look at an issue in the broader context of how substance use disorders change over time as drug availability changes. Massachusetts’ APCD served as the data-backbone of the state’s new “Promote Prevent” plan to promote mental, emotional and behavioral health. The Massachusetts APCD was linked to more than a dozen other health and social service data sets to provide policymakers with a comprehensive depiction of the Commonwealth’s most vulnerable populations and potential root causes (e.g., access) for their behavioral health issues. Virginia’s APCD was similarly used to identify trends in opioid prescription volume, refills and dispensing habits, while Colorado’s APCD was used to identify prescription fill anomalies by matching drug users with reported clinical conditions.

APCD Cautions

While APCDs have the potential to substantively inform numerous insurance agency programs and priorities, most APCDs nationally are not yet mature enough and/or do not have the staff capacity that would allow for simple report request fulfillment. When approaching interagency collaboration, it is essential for insurance leadership to keep the following considerations in mind:

  • Long-Term Partnership: Work with APCD agencies should be viewed as part of a long-term partnership, ideally fueled by small, shorter-term goals (and, hopefully, “wins”). Insurance and APCD leadership should work together to develop realistic goals and milestones jointly. (Also, keep in mind, the more APCDs are used, the more valuable they become: Use is the best data quality check, and it establishes foundational agency functions, processes and knowledge that will better support efficiencies in future collaborative efforts.)
  • Communications: APCD and insurance department staff may not always speak the same language. For example, when referring to “membership,” one agency’s staff may intend to convey “a member months average for state residents”; another, however, may interpret “a point-in-time count by state situs.” Developing clear, shared business specifications is foundational to any successful project partnership. Business specifications are the road map by which technical specifications (i.e., programming logic and code) will be developed.
  • Completeness, Timeliness and Accuracy: Though APCDs are significant data assets, they are not always the best data assets to answer every question. Depending upon the state and use case, APCDs may not have data that is relevant (e.g., clinical records), timely enough (e.g., claims lag) or complete enough (e.g., payer data submission anomalies) for use. Further, depending upon the “hosting agency” for a given APCD, various APCD data fields may have been emphasized for integrity. For example, when APCDs are hosted within Medicaid or health departments, critical foundational fields for insurance use—such as Situs or License Type— may not be as thoroughly tested and vetted as others, such as diagnosis codes (also important). Regardless of whether there is an imminent opportunity for APCD agency collaboration, insurance departments should be active and engaged stakeholders in their continuing development.
  • Staffing (and Funding): APCD agencies are financially lean, with limited staff. Clearly delineating project roles, timelines and committed resource needs for any collaboration is an important step, as is identifying where external counsel would be critical (i.e., don’t reinvent the wheel). Joint agency collaborations may also be able to identify and leverage additional state and federal funding, especially where new funds may be available to address public priorities (e.g., opioids) or where long-term value propositions can be presented (e.g., administrative simplification).

APCDs can be—and are already, for some state insurance departments—tremendous and dynamic data assets. Their value will only continue to increase as use improves data quality and uncovers new use cases.

1Where in-network APCD flag is available and tested

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Manatt, Phelps & Phillips, LLP | Attorney Advertising

Written by:

Manatt, Phelps & Phillips, LLP

Manatt, Phelps & Phillips, LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide

JD Supra Privacy Policy

Updated: May 25, 2018:

JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.

This Privacy Policy describes how JD Supra, LLC ("JD Supra" or "we," "us," or "our") collects, uses and shares personal data collected from visitors to our website (located at (our "Website") who view only publicly-available content as well as subscribers to our services (such as our email digests or author tools)(our "Services"). By using our Website and registering for one of our Services, you are agreeing to the terms of this Privacy Policy.

Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the "My Account" dashboard (available if you are logged into your JD Supra account).

Collection of Information

Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account ("Registration Data"), such as your:

  • Email
  • First Name
  • Last Name
  • Company Name
  • Company Industry
  • Title
  • Country

Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.

Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.

Your interactions with our Website and Services: As is true of most websites, we gather certain information automatically. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data. We use this information to analyze trends, to administer the Website and our Services, to improve the content and performance of our Website and Services, and to track users' movements around the site. We may also link this automatically-collected data to personal information, for example, to inform authors about who has read their articles. Some of this data is collected through information sent by your web browser. We also use cookies and other tracking technologies to collect this information. To learn more about cookies and other tracking technologies that JD Supra may use on our Website and Services please see our "Cookies Guide" page.

How do we use this information?

We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:

  • Operate our Website and Services and publish content;
  • Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
  • Measure readership and usage of the Website and Services;
  • Communicate with you regarding your questions and requests;
  • Authenticate users and to provide for the safety and security of our Website and Services;
  • Conduct research and similar activities to improve our Website and Services; and
  • Comply with our legal and regulatory responsibilities and to enforce our rights.

How is your information shared?

  • Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
  • If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
  • Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
  • Our Website may offer you the opportunity to share information through our Website, such as through Facebook's "Like" or Twitter's "Tweet" button. We offer this functionality to help generate interest in our Website and content and to permit you to recommend content to your contacts. You should be aware that sharing through such functionality may result in information being collected by the applicable social media network and possibly being made publicly available (for example, through a search engine). Any such information collection would be subject to such third party social media network's privacy policy.
  • Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
  • Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
  • To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.

How We Protect Your Information

JD Supra takes reasonable and appropriate precautions to insure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at

Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR") In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at:

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at (our "Website") and our services (such as our email article digests)(our "Services") use a standard technology called a "cookie" and other similar technologies (such as, pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit
  • New Relic - For more information on New Relic cookies, please visit
  • Google Analytics - For more information on Google Analytics cookies, visit To opt-out of being tracked by Google Analytics across all websites visit This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time-to-time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at:

- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.