On the Coronavirus Front Line: Legal Issues for Healthcare Providers

Davis Wright Tremaine LLP

Davis Wright Tremaine LLP

As all employers confront the COVID-191 (coronavirus) pandemic, they must balance providing a safe and healthy work environment for their employees with a need to avoid potential liability when taking decisive, well-meaning protective action. This pressure is particularly acute for employers in the healthcare industry.

Concerns of healthcare providers are unique compared to other employers and will require tailored guidance specific to the provider’s position within the healthcare industry, and will also require analysis of governmental regulatory and reporting obligations. Accordingly, this alert discusses special employment- and labor-related concerns, confidentiality of health information, regulatory standards and practices, and potential legal pitfalls healthcare employers may face when confronting a potential pandemic.

As with any serious disease or viral outbreak, issues related to COVID-19 are rapidly evolving. Healthcare employers should stay abreast of developments from authorities such as the U.S. Centers for Disease Control (CDC),2 the Centers for Medicare & Medicaid Services (CMS), the Equal Employment Opportunity Commission (EEOC), the World Health Organization (WHO), and state and local public health agencies, and seek advice from experienced legal counsel with an understanding of the healthcare industry regarding specific legal concerns.

Employment Law Considerations for Healthcare Providers

Keeping Employees Safe

Employers have an obligation under Section 5(a) of the Occupational Safety and Health Act (OSHA) and state health and safety laws to provide a workplace “free from recognized hazards that are causing or are likely to cause death or serious physical harm.” 29 U.S.C. § 654(a). State laws may impose more specific health and safety requirements, such as Cal/OSHA’s Aerosol Transmissible Diseases (ATD) for healthcare employers.

Employees with acute respiratory illness symptoms (e.g., cough, shortness of breath) should be separated from other workers and sent home immediately after reporting to occupational health. If an employer learns that an employee has tested positive for COVID-19, the employer may have obligations to notify co-workers who may have been exposed while protecting the confidentiality of the employee who is ill.

Employers should:

  • Refer to their existing written infection control or aerosol transmissible disease plans as a starting point.
  • Follow all guidelines provided by health authorities such as the CDC, CMS, and state and local health authorities. Among other instructions, these guidelines provide recommendations for group gatherings and social distancing. For example, CDC recently issued special guidance for New Rochelle, NY, Santa Clara, CA, and Seattle, WA.
  • Keep in mind that employees who express a reasonable fear of health and safety risks may be protected from disciplinary action under OSHA’s anti-retaliation provision.

Monitoring for Symptoms

The CDC has issued Interim Guidance for Risk Assessment and Public Health Management of Healthcare Personnel, available here. In addition, CMS published Guidance for Infection Control and Prevention, available here, and continues to issue memoranda applicable to various types of health facilities, available here. This guidance is expected to continue to evolve as the virus progresses, so healthcare employers should check back frequently.

With respect to screenings and similar monitoring actions, the ADA and state antidiscrimination laws generally prohibit employers from conducting medical examinations of employees unless they are “job-related and consistent with business necessity.” This means that any examination must be tailored to assess the employee’s ability to perform essential job functions or whether the employee poses a “direct threat” to self or others.

Further, the scope of any medical examination or inquiry should be tailored to the business necessity and no broader than necessary. Although this is a high standard, under EEOC guidance, employers should have greater flexibility to monitor for symptoms now that the WHO has declared COVID-19 to be a pandemic. Further, in light of healthcare providers’ role in caring for vulnerable patients, the CDC interim guidance makes clear that healthcare employers have wider latitude still to monitor employees for symptoms of COVID-19, particularly where employees have the potential for direct or indirect exposure to patients or infectious materials. Healthcare providers are encouraged to seek guidance from local public health authorities and to use their own clinical judgment in assessing risk.

The CDC contemplates that healthcare providers may measure employees’ temperatures and ask about symptoms prior to starting work. Employers should pay nonexempt employees for the time spent undergoing these checks. As an alternative, employers may ask employees to report their temperature and confirm absence of symptoms to occupational health before each shift.

Employees should be instructed to monitor themselves at all times for fever and signs of respiratory illness and to stay home if symptoms develop. Employers should train their employees on how to report possible exposures to COVID-19, as well as to report COVID-19 symptoms.

For employees who may have come into contact with someone with COVID-19, under current CDC guidance, healthcare employers should conduct a risk assessment of the employees’ potential for infection and take monitoring steps, including temperature checks and observation for symptoms, based on whether an employee is assessed to be low-, medium-, or high-risk. Depending on the risk level, self-monitoring under the supervision of the employer’s occupational health or infection control program, active monitoring by the public health authority (which may be delegated to the facility), or exclusion from the workplace for 14 days may be indicated.

Employees Who Have Traveled to High-Risk Locations

Many employers are requiring employees who have traveled recently to countries for which the CDC has issued a Travel Health Notice to remain away from work for a period (typically 14 days) after they return. Any questions about recent travel should be consistently asked of all employees.

Employers should use care not to single out employees based on ethnicity or national origin, and supervisors should be reminded to watch for and report any conduct that suggests that stereotyping could be occurring. In addition, for union employers there may be a duty to bargain prior to requiring employees to stay home, as discussed below.

Pay During Mandated Time Away From Work

Employers should consider whether employees will be paid for time when they are required to remain away from work due to a possible exposure or recent travel to high-risk areas.

In some cases, employees may be able to continue working remotely while away from the office. Where this is possible, employers should plan for the issues that typically arise with remote work, including ensuring that nonexempt employees are paid for all time worked, the necessary tools and equipment are provided, and safeguarding data security. In some cases, including in California, employers may be required to pay for employees’ necessary use of their personal devices to telework.

Healthcare providers that are covered by HIPAA should review and, if needed, update their risk analyses to address risks associated with employees working remotely.

Where work from home is not possible, employers should consider whether to pay employees for mandated time away, including where a union contract does not require this. Although pay may not be required for employees who are nonexempt from overtime and for full-week absences for exempt employees, some employers may choose to pay for the time away to promote positive employee relations, a step that some state governments, including Washington, are encouraging.

In some states, including Washington, employees may be eligible to receive workers’ compensation pay for periods when they are excluded from work. In California, employees who are unable to work due to confirmed exposure to COVID-19 may be eligible for State Disability Insurance payments. Where such benefits are available, some state governments, including Washington state, are encouraging employers to make up the difference between the amount of the benefit and the employee’s full pay.

Other employers may choose to grant additional sick leave to cover the time off. Employers also should check sick leave and vacation/PTO policies, as well as policies providing for time off due to exposure to infectious substances, to determine additional sources of pay during required time off. Employers who require asymptomatic employees to remain home, or who reduce employees’ work hours, may need to provide notices relating to disability insurance and/or unemployment insurance benefits and should consult counsel if they have questions.

Employees Who Become Ill

According to CMS guidance, if an employee develops signs of a respiratory infection while working, then the employee should stop working immediately, put on a face mask, and self-isolate at home. Employees also should inform the healthcare provider’s occupational health or infection control team, and the employer should contact the local health department.

Employees with symptoms of respiratory illness, even with no known exposure to COVID-19, should be required to stay home for a period after they are free of fever (100.0°F or greater using an oral thermometer or subjective fever ), signs of a fever, and any other symptoms, without the use of fever-reducing or other symptom-altering medicines such as aspirin or cough suppressants. The Washington State Department of Health recommends here that individuals should remain at home for 72 hours after symptoms clear.

In the event that a healthcare employee contracts COVID-19 at work, the illness may be covered by workers’ compensation. In addition, employees who become sick (at work or otherwise), are likely to have rights to protected time off under the federal Family and Medical Leave Act (FMLA) and state family and medical leave laws, as well as additional leave time as a reasonable accommodation.

Employees who have family members who become ill may have rights to use sick leave and/or to take leave under FMLA and state law to care for the family member. Such employees may need to self-isolate for the duration of the family member’s illness, plus an additional period to see if they develop symptoms.

Labor Relations for Healthcare Providers

Many healthcare systems have unionized workforces, meaning both the employer’s and the union’s response to COVID-19 must remain mindful of various limitations imposed by the National Labor Relations Act (NLRA).

Information Requests

Unions already have started demanding information about potential workplace exposures and are entitled to information relevant to their representation of bargaining unit employees, including information regarding any risk assessment, precautionary measures, and contingency plans. Unions also have a right to information that relates to the bargaining unit employees’ working conditions. In most cases the standard is very low, and the employer likely will be required to produce requested information.

Confidential information also might need to be produced, but employers can flag that data and request the union accommodate the need to maintain confidentiality. For bona fide confidential information, such as protected health information (PHI), employers may withhold that information unless and until the parties bargain an agreement as to how the confidential information will be used.

As to a union’s right to information about specific patients being treated by the healthcare provider who may be involved in a potential workplace exposure, HIPAA likely would permit a covered healthcare provider to disclose limited information about a patient, such as a permissible disclosure as a healthcare operation, but only the minimum amount of information necessary to address the union’s concerns. For example, generally there would be no need to provide the patient’s name, but there may be reason to state to which units the patient may have been admitted. Healthcare providers should verify the implications of more stringent requirements, such as under state law or 42 CFR Part 2, that protects the confidentiality of substance use disorder information.

Bargaining Obligations for Healthcare Providers

The NLRA places important restrictions on when a healthcare employer can make changes to the terms and conditions of work, even in response to a pandemic. This begins with an employer’s affirmative obligation to provide notice and bargain over changes to so-called “mandatory subjects of bargaining.”

Broadly speaking, these include wages, hours, and other terms and conditions of labor. For instance, screening employees for symptoms, requiring protective gear (i.e., facemasks and respirators), changing an employee’s schedule, and requiring vaccinations are all examples of mandatory bargaining subjects. Many CBAs also have provisions that govern time off (paid and unpaid) in the event of an illness, emergency, or other prohibition on reporting to a usual and customary place of work.

If an employer institutes a change touching on mandatory subjects of bargaining, absent one of the exceptions identified below, the employer must provide the union advance notice and bargain over the proposed change before implementation. If the employer and the union reach an impasse on a proposed change to a mandatory bargaining subject, then the employer may implement its change unilaterally. However, no hard and fast rule exists for determining whether an impasse has been reached, and the presence or absence of a legitimate impasse often is the subject of contentious litigation.

  • Unions may waive their statutory right to demand bargaining through established past practices or a clear and unambiguous management rights clause in a governing CBA. Any analysis of what an employer can and cannot do in response to a threat like COVID-19 should thus start with a careful examination of the CBA and the parties’ past practices to determine what terms and conditions apply and whether the union waived its statutory right to bargain the particular change under consideration.
  • Another exception to the general duty to bargain exists when a “compelling economic exigency” requires immediate, unilateral action. Although the economic exigency standard is high, an employer may be able to justify it in a pandemic situation. As with reaching an impasse, however, no hard and fast rule exists for determining the presence or absence of a “compelling economic exigency,” and every situation will be evaluated according to its own unique facts and circumstances.

However, it is important to bear in mind that even if the employer is free to implement a change affecting a mandatory subject of bargaining for one of the reasons discussed above, the employer still will be required to bargain the effects of its decision, although it does not have to exhaust bargaining prior to implementation.

Notice Requirements

If an employer is obligated to provide notice of a planned change, then the NLRA requires “adequate” notice to afford meaningful bargaining. When a healthcare employer can show that time is of the essence and a prompt change is required, then relatively short notice of a few days may be adequate under certain circumstances.

As the foregoing discussion illustrates, the labor implications of a comprehensive pandemic response are complex. It is a good idea for healthcare employers to coordinate with relevant unions as soon as possible to promote proper bargaining, particularly when implementing what could constitute a physical examination or other change to an entitlement covered by the CBA . Securing union leadership support early can go a long way toward a rapid response that keeps both employees and patients as safe as possible.

HIPAA Considerations

HIPAA continues to apply during the COVID-19 outbreak as well as in other emergency situations. The Department of Health and Human Services has published guidance concerning HIPAA and COVID-19, which can be found here.


With respect to patients, HIPAA prohibits uses and disclosures of PHI unless specifically permitted or required under HIPAA. These requirements apply to information about the provider’s patients, which may include employees who are treated by their healthcare employer .

Remember, the minimum necessary rule applies to most of these permissible uses and disclosures. Providers should be careful to verify that state law does not restrict these uses and disclosures that are permitted by HIPAA. For example, California law narrowly limits the ability of providers to disclose health information in response to an imminent threat.

Generally, as a high-level overview, HIPAA would permit uses and disclosures of PHI for the following purposes:

  • Treatment Purposes - HIPAA permits a covered healthcare provider to use and disclose PHI for treatment purposes without the patient’s authorization. This would include treating the particular patient or another patient as well as coordination or management of healthcare, consultations, and referrals. The minimum necessary rule does not apply to uses and disclosures for treatment purposes.
  • Public Health Activities - HIPAA also permits – and states generally require – the healthcare provider to disclose PHI to a public health authority for public health activities. A provider generally must report a COVID-19 diagnosis. The public health authority may further disseminate the information as needed for public health purposes. The provider also may disclose PHI to a person at risk of contracting or spreading the disease as long as authorized under state law.
  • Prevention or Lessening of a Serious and Imminent Threat - Healthcare providers, using their professional judgment, may share PHI to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public. The disclosure may be to anyone who reasonably may assist in preventing or lessening the threat.
  • Disaster Relief Efforts - A healthcare provider may disclose PHI to disaster relief organization, such as the American Red Cross, to coordinate notification of family. The provider should follow its HIPAA guidance to “avail itself of the opportunity to agree or object” to protocols.
  • Family and Others Involved in the Individual's Care - After providing the individual with the opportunity to agree or object, the provider may share with a patient’s family members, friends, or others involved in the patient’s care PHI that is directly relevant to the patient’s care. The provider also may notify family and others responsible for the care of the patient of the patient’s location and general condition.
  • Facility Directory - Unless the patient has opted out of the facility directory, the provider may disclose to a person asking for the patient by name the patient’s location and general condition. If a patient is unable to agree to participate in the directory, then the provider may use its professional judgment in deciding what would be in the patient’s best interests.
  • Healthcare Operations - A healthcare provider may use and disclose PHI for its own healthcare operations such as planning, administration, and keeping the provider operating through the emergency situation.
  • Authorization - A healthcare provider may obtain a valid HIPAA authorization from on behalf of the patient, particularly if no other permissible purpose for disclosure exists. An authorization is recommended for the provider to announce to the media or the public at large specific identifying information about a particular patient. The provider should carefully vet any public announcements.


HIPAA generally would not apply to information about the healthcare employer’s employees that is maintained by the provider in its capacity as an employer. Beyond that, an employer must be cognizant of its obligations under the ADA not to share medical information about an employee and the employee’s right to privacy (by avoiding public disclosure of private facts).

One option is for the provider to ask the employee for permission to share the fact of the diagnosis with co-workers. Without consent, the employer should limit its statements, such as to simply inform employees that they may have been exposed to COVID-19 or that a person on a particular unit is being monitored for COVID-19.

Group Health Plan

Healthcare providers also usually sponsor group health plans for their employees and dependents. Most group health plans are covered entities under HIPAA. Any uses and disclosures of PHI from the group health plan must meet the requirements of HIPAA.

Healthcare employers should not use any health plan information for employment purposes, such as to review claims for clues as to whether an employee may have been exposed to COVID-19.

Regulatory Standards and Requirements

Federal, state, and local agencies with oversight over healthcare provider licensing and accreditation requirements and/or government healthcare benefit programs are taking action in response to COVID-19 on an ongoing, evolving basis. Many of these agencies now have areas on their public websites dedicated specifically to COVID-19-related matters and also provide links to other relevant sites, including the CDC.3

Agencies also are using their Twitter accounts to provide news and make announcements related to COVID-19 and arrange conference calls with impacted stakeholders. To date, healthcare regulatory agencies have emphasized to the providers over which they have jurisdiction to communicate with appropriate government authorities when they encounter patients with or suspected to have COVID-19, and to also strictly adhere to recommended infection control protocols when treating patients confirmed or suspected to have the virus.

CMS Calls on Healthcare Facilities to Ramp Up Infection Control Measures

CMS has been active among regulatory agencies in responding to the COVID-19 outbreak. On March 4, 2020, the agency issued a public “call to action” to healthcare providers across the United States to implement infection control procedures, which are required at all times as condition of participation in the Medicare program.

Consistent with this directive, CMS also announced that it would temporarily modify certification and survey activity to focus solely on serious health and safety threats and infection control. Institutional healthcare providers like hospitals and skilled nursing facilities normally are subject to routine, periodic inspections by CMS, or state healthcare agencies working with CMS, to determine whether those providers are complying with Medicare’s conditions of participation.

Surveys also can be triggered by complaints an agency receives about a particular provider. In response to the COVID-19 situation, CMS is shifting its approach to surveys and suspending all non-emergency inspections. CMS outlined its now-active survey and certification protocols in a policy memorandum issued on March 4, 2020.

The CMS memorandum on survey and certification outlines exactly how the agency will prioritize conducting facility inspections and also discusses how such inspections will be conducted with COVID-19 precautions in mind. According to the memorandum, any Medicare participating facility that treats a person with an identified case of COVID-19 potentially is subject to inspection for purposes of verifying that the facility has implemented and is following appropriate infection control measures.

Therefore, it is imperative that facilities review infection control protocols that they already have in place and augment those practices, as necessary, to be consistent with CMS and CDC recommendations. In this regard, CMS offers on its website a “Hospital Infection Control Self-Assessment” tool intended to assist facilities to prepare for inspection by Medicare surveyors, as well as a “Universal Inspection Control Training Course” that gives detail instruction on CMS’s recommended infection control protocols.

The practices that CMS has emphasized in its recent policy announcements concerning controlling the spread of COVID-19 are as follows:

Know how to screen patients and visitors for COVID-19

Upon arrival at a healthcare facility, patients and visitors should be asked the questions below:

  • Do they have any fever or symptoms of a respiratory infection?
  • Have they traveled internationally within the last 14 days to any restricted countries (as identified by the CDC)?
  • Have they had any contact with someone known or suspected to have COVID-19?

CMS also recommends this same screening be performed with respect to all healthcare facility staff.

Follow Recommended Infection Prevention and Control Practices

Facilities may need to modify placement practices for COVID-19 patients, if possible, by isolating them in well-ventilated spaces in the facility and not allowing them to be in close proximity to other patients waiting for care.

Facilities should ensure that all professionals and employees are following careful hygiene and disinfecting practices and wearing appropriate personal protective equipment (PPE) whenever treating a confirmed or suspected COVID-19 patient. Facilities may want to restrict visitation policies while the COVID-19 threat is at a high alert level.

Additional information and recommendations from CMS regarding controlling the spread of COVID-19 can be found in another policy issuance released by the agency on March 4, 2020.

CMS Monitoring Coverage and Payment Policies in Connection With COVID-19

In addition to modifying survey and certification practices and calling on Medicare participating facilities to focus on good infection control practices, CMS also is actively reviewing coverage and payment polices in conjunction with the COVID-19 situation.

Among other things, the agency has announced that Medicare will cover an additional code for COVID-19 laboratory testing and also has provided information on billing for telehealth services to encourage providers to screen patients for COVID-19 without seeing them in person . Other Medicare coverage and payment policy changes could be in play as the medical community’s approach to identifying and treating COVID-19 evolves.

  • Healthcare professionals should actively monitor the CMS website and/or the agency’s Twitter feed for additional announcements.

To date, CMS has not announced any other payment policy changes being adopted specifically related to COVID-19. However, one of the agency’s recent memoranda concerning COVID-19 references already existing policies CMS has developed for a “Declared Public Health Emergency.”4

For hospitals, CMS guidance addresses questions like whether a facility can permissibly convert a bed in a unit with a special Medicare payment classification, such as an acute psychiatric unit, to general acute care use in response to a public health emergency. CMS’s answer to that particular question is no. In this regard, any hospital considering changes to how beds in a facility are used in response to the COVID-19 situation first should consult CMS’s public health emergency policies or consult legal counsel.

State Health Agency Responses to COVID-19 Vary and Are Continually Evolving

State healthcare agencies that license facilities and/or oversee state Medicaid programs are each responding to the COVID-19 emergency in distinct ways. Most of these agencies, like CMS, have called on the providers to follow screening procedures for COVID-19 cases and carefully comply with infection control protocols, but how agencies are handling the enforcement (or non-enforcement) of state-specific facility licensing requirements during the current state of emergency will vary from agency to agency.

  • Again, healthcare providers should continue to monitor agency websites and Twitter feeds for new announcements concerning COVID-19.

Minimum staffing requirements are among the types of regulatory requirements for healthcare facilities that may be impacted by the COVID-19 outbreak. Whether due to shifting resources for treating COVID-19 cases or facility personnel not being available for reasons related to the viral outbreak, some facilities have expressed concern over being able to meet normally applicable staffing requirements while the COVID-19 emergency persists.

We are not aware of any states officially announcing that they have suspended enforcement of these rules, but that is something facilities should monitor for. That said, many states, including California and Oregon, have existing laws or regulations that address how facility staffing requirements may be impacted by an emergency outside of the facility’s control and afford some flexibility in such situations.

  • Should a facility anticipate having difficulty meeting any regulatory licensing requirements due to COVID-19, they should contact the agency responsible for enforcing the requirement or legal counsel for guidance on what the potential options and risks are under applicable laws.

Healthcare providers should continue to try to meet all applicable state licensing and Medicare/Medicaid requirements to which they are subject, with particular emphasis right now on infection control standards. To the extent providers believe they might not be able to meet certain requirements due to factors related to the COVID-19 emergency, steps to be considered include:

  • Contacting appropriate regulatory agency personnel or legal counsel to obtain guidance; and
  • Monitoring available public resources for updates and announcements on COVID-19 from healthcare regulatory agencies.

In particular, providers may want to designate an individual or team to check the CDC, CMS, and their relevant state public health agency websites on a daily basis while the emergency is in effect.


  • Continue to monitor information from the CDC, CMS, EEOC, WHO, and state and local public health agencies to stay up to date on new developments.
  • Review infection control plans and confirm employees are aware of infection control procedures, symptoms of COVID-19, self-monitoring procedures, and the proper channels to report possible symptoms.
  • Develop a consistent approach for whether recent travelers will be required to stay away from work and for pay for employees who are required to remain off work due to possible exposure.
  • Remind supervisors to watch for and report any conduct that suggests stereotyping based on race, ethnicity, or other characteristics protected by law.
  • Remind union leadership of existing policies and procedures currently in place to address pandemic readiness. These could include policies and practices covering employee screening, donning protective gear, and attendance.
  • Alert union leadership to any changes in such policies the healthcare employer believes are necessary to address the coronavirus crisis effectively and attempt to secure union support for such changes.
  • If the union demands decisional bargaining or if effects bargaining is required, begin the process as soon possible with the aim of reaching agreement or impasse. Assistance from other entities, like the Federal Mediation and Conciliation Service, may also be useful.
  • Remember: HIPAA continues to apply so apply the same standards to any uses and disclosures of health information.
  • When in doubt, ask.


DWT will continue to provide up-to-date insights and remote access events regarding COVID-19 concerns. For the most recent developments visit www.dwt.com/COVID-19.


1  Coronaviruses are a large family of viruses that include Severe Acute Respiratory Syndrome (SARS) and the Middle East Respiratory Syndrome (MERS).
See Interim U.S. Guidance for Risk Assessment and Public Health Management of Healthcare Personnel with Potential Exposure in a Healthcare Setting to Patients with Coronavirus Disease 2019 (COVID-19), Interim Infection Prevention and Control Recommendations for Patients with Confirmed Coronavirus Disease 2019 (COVID-19) or Persons Under Investigation for COVID-19 in Healthcare Settings; and Coronavirus Disease 2019 (COVID-19) Hospital Preparedness Assessment Tool.
3  See, e.g. Centers for Medicare and Medicaid Services - https://www.cms.gov/newsroom/press-releases/covid-19-response-news-alert-cms-issues-frequently-asked-questions-assist-medicare-providers; California Department of Public Health - https://www.cdph.ca.gov/Programs/CID/DCDC/Pages/Immunization/ncov2019.aspx; Washington State Department of Health - https://www.doh.wa.gov/Emergencies/NovelCoronavirusOutbreak2020/TestingforCOVID19.
4  https://www.cms.gov/files/document/qso-20-13-hospitalspdf.pdf-2;

[View source.]

Written by:

Davis Wright Tremaine LLP

Davis Wright Tremaine LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide

JD Supra Privacy Policy

Updated: May 25, 2018:

JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.

This Privacy Policy describes how JD Supra, LLC ("JD Supra" or "we," "us," or "our") collects, uses and shares personal data collected from visitors to our website (located at www.jdsupra.com) (our "Website") who view only publicly-available content as well as subscribers to our services (such as our email digests or author tools)(our "Services"). By using our Website and registering for one of our Services, you are agreeing to the terms of this Privacy Policy.

Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the "My Account" dashboard (available if you are logged into your JD Supra account).

Collection of Information

Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account ("Registration Data"), such as your:

  • Email
  • First Name
  • Last Name
  • Company Name
  • Company Industry
  • Title
  • Country

Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.

Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.

Your interactions with our Website and Services: As is true of most websites, we gather certain information automatically. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data. We use this information to analyze trends, to administer the Website and our Services, to improve the content and performance of our Website and Services, and to track users' movements around the site. We may also link this automatically-collected data to personal information, for example, to inform authors about who has read their articles. Some of this data is collected through information sent by your web browser. We also use cookies and other tracking technologies to collect this information. To learn more about cookies and other tracking technologies that JD Supra may use on our Website and Services please see our "Cookies Guide" page.

How do we use this information?

We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:

  • Operate our Website and Services and publish content;
  • Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
  • Measure readership and usage of the Website and Services;
  • Communicate with you regarding your questions and requests;
  • Authenticate users and to provide for the safety and security of our Website and Services;
  • Conduct research and similar activities to improve our Website and Services; and
  • Comply with our legal and regulatory responsibilities and to enforce our rights.

How is your information shared?

  • Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
  • If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
  • Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
  • Our Website may offer you the opportunity to share information through our Website, such as through Facebook's "Like" or Twitter's "Tweet" button. We offer this functionality to help generate interest in our Website and content and to permit you to recommend content to your contacts. You should be aware that sharing through such functionality may result in information being collected by the applicable social media network and possibly being made publicly available (for example, through a search engine). Any such information collection would be subject to such third party social media network's privacy policy.
  • Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
  • Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
  • To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.

How We Protect Your Information

JD Supra takes reasonable and appropriate precautions to insure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at privacy@jdsupra.com.

Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR") In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to privacy@jdsupra.com. We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to privacy@jdsupra.com.

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at: privacy@jdsupra.com.

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at www.jdsupra.com) (our "Website") and our services (such as our email article digests)(our "Services") use a standard technology called a "cookie" and other similar technologies (such as, pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit legal.hubspot.com/privacy-policy.
  • New Relic - For more information on New Relic cookies, please visit www.newrelic.com/privacy.
  • Google Analytics - For more information on Google Analytics cookies, visit www.google.com/policies. To opt-out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout. This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit http://www.aboutcookies.org which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time-to-time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at: privacy@jdsupra.com.

- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.