What Employers That Maintain Group Health Plans Need to Know About the HIPAA Omnibus Regulations

by Snell & Wilmer
Contact

On January 25, 2013, the Department of Health and Human Services (HHS) published final regulations that modify the Privacy, Security, Enforcement and Breach Notification Rules issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The regulations, referred to as “Omnibus Rules,” implement many of the changes made by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which was part of the American Recovery and Reinvestment Act of 2009.

The Omnibus Rules are effective on March 26, 2013, and covered entities (i.e., health plans, health care providers and health care clearinghouses) and business associates generally have 180 days from then (i.e., September 23, 2013) to comply with the new requirements. Transition rules apply to business associate agreements in existence prior to January 25, 2013, providing covered entities and business associates an additional year to bring such agreements into compliance unless the agreement is renewed or modified prior to September 23, 2013.

Summary of Action Items for Employers That Sponsor Group Health Plans

Employers that sponsor group health plans that are subject to HIPAA’s Privacy and Security Rules have a short period of time to familiarize themselves with the changes made by the Omnibus Rules and make sure that they comply with the new requirements. Plan sponsors should consider taking the following steps:

  • Review and revise the group health plan’s HIPAA policies and procedures to comply with all of the changes required under the Omnibus Rules.
  • Review and revise the plan’s privacy notice to incorporate the new disclosure requirements and redistribute the notice in accordance with the new guidelines.
  • Revise forms utilized by individuals to exercise their privacy rights to address changes made by the Omnibus Rules.
  • Review whether the plan engages in any marketing practices that will be subject to prior authorization requirements.
  • Review whether the plan needs to enter into business associate agreements with service providers who provide data transmission of electronic protected health information (PHI) or store PHI, or vendors who allow the group health plan to offer personal health records.
  • Amend business associate agreements to comply with the changes under the Omnibus Rules.

The Omnibus Rules make a number of changes, some of the more significant changes that may impact group health plans are addressed below.

Changes to the Breach Notification Standard

The HITECH Act imposed new breach notification requirements on covered entities. Covered entities are now required to notify affected individuals, HHS and the media in certain circumstances if there is an unauthorized acquisition, access, use or disclosure of unsecured PHI, subject to certain limited exceptions.  PHI is considered unsecured unless it is encrypted or destroyed through the use of methodologies and technologies specifically approved in guidance previously issued by HHS.

A “breach” is defined as the acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule, which compromises the security or privacy of the individual.  The prior guidance allowed covered entities to determine whether PHI was compromised using a subjective harm standard that examined whether there was a significant risk of financial, reputational or other harm to the individual. 

The Omnibus Rules significantly change the standard in two ways.  First, the Omnibus Rules add a presumption that an impermissible acquisition, access, use or disclosure is a breach unless the covered entity or business associate can demonstrate that there is a low probability that the PHI has been compromised.  Second, the Rules eliminate the subjective harm standard and modify the risk assessment to focus more objectively on whether PHI has been compromised by considering the following four factors:  (1) the nature and extent of PHI involved, including the types of identifiers and likelihood that an individual can be identified; (2) who impermissibly used the PHI or to whom the PHI was impermissibly disclosed; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated.

The Omnibus Rules also eliminate the exception from the breach notification requirements for limited data sets that do not contain any dates of birth and zip codes.  As a result, if a limited data set is impermissibly used or disclosed, the covered entity or business associate must perform a risk assessment to determine if there has been a breach.

HHS encourages covered entities to encrypt PHI pursuant to its guidance because any impermissible use or disclosure of such encrypted information would not constitute a breach of PHI.  Covered entities may want to consider the feasibility of this approach to lessen the risk that PHI will be breached.

[back to previous]

Business Associate Changes

Expanded Definition of Business Associates - The Omnibus Rules expand the definition of “business associate” to include the following:  

  • Organizations that provide data transmission of PHI to a covered entity or its business associate and that require access on a routine basis to PHI, including Health Information Organizations and e-prescribing Gateways.

    The preamble to the Omnibus Rules provides guidance on what it means to have “access on a routine basis” to PHI versus being a mere conduit, emphasizing that the determination will be fact specific based on the nature of the services provided and the extent to which the entity needs access to PHI. HHS cautions that the conduit exception only applies to entities providing transmission and not storage services. A telecommunications company providing mere transmission services may not be considered a business associate.  However, if the telecommunications company also provides digital storage services, it would be considered a business associate.
  • Vendors that contract with a covered entity to offer personal health records to individuals on behalf of the covered entity.
  • Subcontractors of business associates.  The business associate, not the covered entity, is required to enter into business associate agreements with its subcontractors, which must be at least as stringent as the agreement between the covered entity and the business associate.

Expanded Liability for the Acts of Agents Under current regulations, a covered entity is not liable for the acts of its agents when: (1) the agent is a business associate; (2) the covered entity and business associate have entered into a business associate agreement; (3) the covered entity did not know of a pattern or practice of the business associate that violated the contract; and (4) the covered entity did not fail to act as required by the Privacy or Security Rules with respect to the violations. 

The Omnibus Rules now make covered entities and business associates directly liable for the acts of their business associate agents in accordance with federal common law of agency.  The preamble notes that whether or not a business associate is an agent will be fact specific and will take into account both the terms of the business associate agreement and the totality of the circumstances involved in the ongoing relationship.  According to HHS, the essential factor is the right or authority to control the business associate’s conduct in the course of performing a service on behalf of the covered entity (or on behalf of the business associate when the agent is a business associate subcontractor). 

Business Associate Liability - Before the HITECH Act, the Privacy and Security Rules did not directly apply to business associates of covered entities.  The HITECH Act and the Omnibus Rules make the following changes:

  • Security Rule Requirements: The Omnibus Rules provide direct liability for business associates that fail to comply with the following requirements under the Security Rule: (1) implement administrative, physical and technical safeguards; (2) adopt security policies and procedures requirements; and (3) comply with documentation requirements.
  • Privacy Rule Requirements: The Omnibus Rules provide direct liability for business associates that fail to comply with the following requirements under the Privacy Rule:  (1) use and disclosure requirements in the Privacy Rule and the business associate agreement; (2) minimum necessary restrictions; (3) breach notification requirements; (4) enter into business associate agreements with their subcontractors; (5) disclose PHI when required by HHS; (6) disclose electronic PHI in response to an individual’s request for an electronic copy of PHI; and (7) provide an accounting of required disclosures.  Business associates remain contractually liable for all other Privacy Rule obligations that are included in their contracts with covered entities.
  • Eliminate Reporting Requirement to HHS:  The Omnibus Rules eliminate the requirement that covered entities (or business associates) report patterns or practices that constitute a material breach or violation under a business associate agreement when termination of a business associate agreement is not feasible.

[back to previous]

Changes to Marketing and Fundraising and Prohibition on the Sale of PHI

Marketing Restrictions - Prior to the HITECH Act, a covered entity was required to obtain an authorization for any use or disclosure of PHI for marketing purposes and to inform the individual if the covered entity will receive direct or indirect remuneration.  Marketing was defined as a communication about a product or service that encouraged recipients of the communication to purchase or use the product or service, but excluded certain types of communications, including communications about treatment or certain health care operations. 

The Omnibus Rules now require that covered entities treat communications about treatment or certain health care operations as marketing if the covered entity or its business associate receives financial remuneration (i.e., direct or indirect payment) from a third party whose product or service is the subject of the communication in exchange for making such communication.  The covered entity must obtain an authorization that discloses that the covered entity is receiving financial remuneration before sending the communication.  Direct or indirect payment does not include non-financial benefits, such as in-kind benefits. 

Plan sponsors of group health plans may initially think that this change to the definition of marketing does not affect them. However, to the extent that the plan or its business associate receives payment from a third party in exchange for the following types of communications, the plan may be engaged in marketing and would need to obtain authorizations from plan participants prior to sending the communication:

  • Communications that describe a health-related product or service included in the group health plan, including communications about entities participating in the provider network, replacement of or enhancements to the health plan, and health-related products or services available only to a health plan participant that adds value to but are not part of the plan; and
  • Communications involving case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.

The HITECH Act and the Omnibus Rules provide an exception to marketing for refill reminders or other communications about a drug or biologic that is currently being prescribed for the individual, provided that any financial remuneration received by the covered entity or its business associate in exchange for making the communication is reasonably related to the covered entity’s labor, supplies and postage costs.  Other costs cannot be reimbursed, nor can the covered entity make a profit. The preamble further clarifies that communications about generic equivalents, encouraging individuals to take their prescribed medications, or regarding all aspects of a drug delivery system (e.g., insulin pump), fall within the scope of the exception.

Other exceptions to marketing for face-to-face communications and promotional gifts of nominal value remain unchanged.

Fundraising Restrictions – Prior to the HITECH Act, covered entities were permitted to use or disclose to a business associate or an institutionally related foundation demographic information and dates of health care provided to an individual for the covered entity’s fundraising.  The Omnibus Rules expand the type of information that can be used or disclosed for fundraising purposes to include the department of service, treating physician, outcome information and health insurance status.

Previously, covered entities that intended to use PHI for fundraising were required: (1) to include a statement in their privacy notices that they may contact individuals for fundraising purposes; (2) to describe in any fundraising materials how to opt out of receiving future fundraising communications; and (3) to make reasonable efforts to ensure that individuals who opted out of receiving fundraising communications were not sent future fundraising communications.

The Omnibus Rules strengthen the opt-out requirement by requiring that covered entities: (1) add to their privacy notices a statement that individuals have the right to opt out of receiving fundraising communications; (2) include in each fundraising communication a clear and conspicuous opportunity for the individual to elect not to receive further fundraising communications; (3) utilize an opt-out method that does not unduly burden the individual or cost more than a nominal amount; (4) ensure (and not just make reasonable efforts to ensure) that fundraising communications are not sent to an individual who has opted out of receiving such materials; and (5) not condition treatment or payment on an individual’s choice with respect to receiving fundraising communications. 

Covered entities may allow individuals to opt back in to receiving fundraising communications.  However, a donation to a covered entity should not be considered an election to opt back in to receiving fundraising communications.

Although the restrictions on fundraising apply to all covered entities, they will unlikely impact plan sponsors of group health plans.

Prohibition on the Sale of PHI – Consistent with the HITECH Act, the Omnibus Rules prohibit a covered entity or business associate from receiving direct or indirect remuneration (including nonfinancial benefits) in exchange for any PHI of an individual, unless the covered entity obtains a valid authorization from the affected individual. The authorization must state that the covered entity is receiving direct or indirect remuneration in exchange for PHI. 

The prohibition does not apply to exchanges where the purpose is for:

  • Public health activities;
  • Research purposes, provided that the covered entity or business associate receives only a reasonable, cost-based fee to cover the cost to prepare and transmit the information for research purposes;
  • Treatment and payment purposes;
  • Health care operations involving the sale, transfer, merger or consolidation of all or part of a covered entity and for related due diligence;
  • Payment that is provided by a covered entity to a business associate (or by a business associate to a subcontractor) for activities involving the exchange of PHI that the business associate undertakes on behalf of the covered entity (or the subcontractor undertakes on behalf of a business associate) and the only remuneration provided is for the performance of such activities;
  • Providing an individual with a copy of his/her PHI or an accounting of disclosures;
  • Disclosures required by law;
  • Disclosures of PHI for any other purpose permitted by and in accordance with the Privacy Rule, as long as the only remuneration received by the covered entity or business associate is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or is a fee otherwise expressly permitted by other law; or
  • Any other exceptions allowed by HHS.

[back to previous]

Changes to Individual Privacy Rights

Access to Electronic PHI Maintained in a Designated Record Set - The Privacy Rule currently provides that, subject to certain exceptions, an individual has a right to inspect and obtain a copy of the individual’s PHI.  If an individual requests a copy of his/her PHI, the covered entity may charge a reasonable fee for the cost of supplies, labor and postage.

The Omnibus Rules provide individuals with the right to access all electronic PHI maintained in a designated record set in an electronic format and to direct covered entities to send the information directly to a third party.  The preamble to the final regulations provide the following additional guidance:

  • Covered entities must provide individuals with an electronic copy of electronic PHI maintained in a designated record set.  Covered entities are not required to provide individuals with direct access to their administrative systems. 
  • HHS expects covered entities to provide the individual with a machine readable copy (e.g., MS Word or Excel, text, HTML or text-based PDF) of the individual’s electronic PHI in a designated record set.  If the individual declines any of the electronic formats offered by the covered entity, the covered entity may satisfy its obligation by sending a hard copy.
  • Covered entities are permitted to send PHI to individuals in unencrypted emails if they have advised the individual of the risk and the individual still prefers the unencrypted email. 
  • HHS expects that some covered entities may need to make some investment to comply with the requirement if they utilize systems that are not capable of providing any form of electronic copy (e.g., legacy systems). 

If requested by the individual, the covered entity must transmit the copy of electronic PHI maintained in a designated record set directly to another person designated by the individual, provided that the individual’s request is in writing, signed by the individual, and clearly identifies the designated person and where to send the copy of PHI.  Covered entities must implement reasonable policies and procedures to verify the identity of the individual making the request, as well as reasonable safeguards to protect information that is disclosed.

Covered entities may impose a reasonable, cost-based fee, provided that the fee includes only the cost of labor, supplies, and postage, and for preparing an explanation or summary, if agreed to by the individual.  The preamble clarifies that labor costs could include skilled technical staff time spent to create and copy the electronic file, but not retrieval fees.

The Omnibus Rules shorten the timeframe for responding to individual requests to access PHI.  Covered entities are required to approve or deny a request to access PHI within 30 days of the request.  The 60-day timeframe for responding to a request for access when PHI is not maintained onsite has been eliminated.  In extenuating circumstances where access cannot be provided within 30 days, the covered entity may have a one-time, 30-day extension if the individual is notified of the need for the extension within the original timeframe.

Right to Request Restrictions on Disclosures - The Privacy Rule currently provides that an individual can request restrictions concerning how the individual’s PHI can be used or disclosed for treatment, payment, and health care operations or to certain persons involved with the individual’s care. Covered entities are not required to agree to the restrictions requested. 

The Omnibus Rules require that covered entities agree to an individual’s request not to disclose PHI to a health plan for payment or health care operations if the individual has paid for the service out of his/her pocket in full and the disclosure is not otherwise required by law. The preamble clarifies that the requirement applies only to covered health care providers and not health plans.   

[back to previous]

Privacy Notice Requirements

The Omnibus Rules require that covered entities update their privacy notices to include the following:

  • A description of the types of uses and disclosures that require an authorization (i.e., most uses and disclosures of psychotherapy notes if the covered entity records or maintains psychotherapy notes, uses and disclosures for marketing, and disclosures that constitute a sale of PHI).
  • If the privacy notice indicates that the covered entity may send fundraising communications, a statement that an individual has a right to opt out of fundraising communications.
  • If a health plan intends to use or disclose PHI for underwriting purposes, a statement that genetic information may not be used for underwriting purposes. 
  • A statement that the covered entity is required to notify affected individuals following a breach of unsecured PHI.
  • Covered providers must include a description of an individual’s right to restrict certain disclosures of PHI to a health plan where the individual pays out-of-pocket in full for the health care item or service.  Health plan privacy notices need not include this statement.

Privacy notices no longer need to indicate that a covered entity may contact the individual to provide appointment reminders or information about treatment alternatives or other health-related benefits and services.

Under the current rules, health plans have to redistribute their privacy notices within 60 days of a material revision.  The Omnibus Rules revise the distribution requirements as follows:

  • If a health plan posts its notice on a website, the plan must: (1) post the change or its revised notice on its website by the effective date of the material change (e.g., by September 23, 2013 for the Omnibus Rules’ changes); and (2) provide the revised notice or information about the material change and how to obtain the revised notice in its next annual mailing to individuals covered under the plan, such as at the beginning of the plan year or during the open enrollment period.
  • If a health plan does not post its notice on a website, the plan must provide the notice, or information about the change and how to obtain the revised notice, to covered individuals within 60 days of the material revisions to the notice.

[back to previous]

Modifications to the HIPAA Privacy Rule for GINA

The Genetic Information Nondiscrimination Act of 2008 (GINA) prohibits discrimination based on an individual’s genetic information in both the health coverage (Title I) and employment (Title II) contexts.  Title I generally prohibits group health plans and health insurance issuers from: (1) discriminating on the basis of genetic information (which includes family medical history) with respect to eligibility, premiums and contributions; (2) requesting or requiring an individual to take a genetic test, except under limited circumstances; and (3) requesting, requiring, or purchasing genetic information for underwriting purposes or prior to or in connection with enrollment.

GINA also required that HHS revise the Privacy Rule to clarify that genetic information is health information and to prohibit group health plans and issuers from using or disclosing genetic information for underwriting purposes.  Therefore, the Omnibus Rules: (1) prohibit all health plans covered by the Privacy Rule, except long-term care policies (which is broader than the types of plans directly subject to GINA) from using or disclosing PHI that is genetic information for underwriting purposes; (2) require that health plans revise their privacy notices to state that if they use or disclose PHI for underwriting purposes, they will not use or disclose genetic information for underwriting purposes; and (3) make a number of conforming changes to definitions under the Privacy Rule, which may necessitate changes to covered entities’ policies and procedures.

[back to previous]

New Enforcement Provisions

The HITECH Act significantly increased the civil penalties by establishing four categories of violations that reflect increasing levels of culpability and four corresponding tiers of penalty amounts.  The Omnibus Rules incorporate the increased and tiered civil money penalty structure originally published in an interim final rule.

Violation category
Each violation
All such violations of an identical provision in a calendar year
Did Not Know and by Exercising Reasonable Diligence, Would Not Have Known

$100–$50,000

$1,500,000

Reasonable Cause

$1,000–$50,000

$1,500,000

Willful Neglect, but Timely Corrected

$10,000–$50,000

$1,500,000

Willful Neglect, and Not Timely Corrected

$50,000 (no maximum)

$1,500,000

The Omnibus Rules also: (1) update the factors to be considered in determining the amount of a civil monetary penalty; (2) make corresponding changes to the affirmative defense and waiver provisions; and (3) clarify that HHS will formally investigate any complaint or conduct a compliance review when a preliminary review of the facts indicates a possible violation due to willful neglect.

Other Changes

The Omnibus Rules make a number of other changes including:

  • Limit the application of the Privacy and Security Rules to PHI of deceased individuals to a period of 50 years following the individual’s date of death.
  • Clarify that covered entities may disclose a decedent’s PHI to family members and others who were involved in the decedent’s care or payment for care, unless doing so is inconsistent with any prior expressed preference of the individual that is known by the covered entity.
  • Allow covered entities to disclose proof of immunization to a school where state or other law requires that the school have such information prior to admitting the student, provided that the covered entity obtains and documents that the individual, a parent, guardian or other person acting in loco parentis for the individual, agreed (even verbally) to the disclosure.
  • Allow combined authorizations for conditioned and unconditioned research components (except to the extent the research involves the use or disclosure of psychotherapy notes), provided that the authorization clearly differentiates between the conditioned and unconditioned research components and allows the individual the option to opt in to the unconditioned research activities.
  • Clarify in the preamble that an employer that operates an on-site clinic for the treatment of its employees may be a covered provider to the extent the clinic performs one or more covered transactions electronically, such as billing a health plan for the services provided.  It is important to also note that such clinics may also be considered group health plans, subject not only to HIPAA, but ERISA as well. 

More Changes Expected

Minimum Necessary Requirement - Subject to certain exceptions, a covered entity may only use or disclose PHI if it has made reasonable efforts to limit PHI to the minimum amount necessary to accomplish the intended purpose. The HITECH Act directs HHS to issue regulations regarding what is considered “minimum necessary.” The Omnibus Rules indicate that HHS intends to issue future guidance on the minimum necessary standard.  In the interim, covered entities should limit the use or disclosure of PHI to the limited data set, to the extent practicable. 

Right to an Accounting - The HITECH Act expanded an individual’s right to an accounting for disclosures of PHI involving treatment, payment and health care operations if electronic health records are used. HHS issued proposed regulations in 2011 that modified an individual’s right to an accounting and added a new right to an “access report” that provides certain information about every time the individual’s electronic PHI that is maintained in a designated record set is accessed.  The Omnibus Rules do not address the changes to an individual’s accounting rights.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Snell & Wilmer | Attorney Advertising

Written by:

Snell & Wilmer
Contact
more
less

Snell & Wilmer on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide

JD Supra Privacy Policy

Updated: May 25, 2018:

JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.

This Privacy Policy describes how JD Supra, LLC ("JD Supra" or "we," "us," or "our") collects, uses and shares personal data collected from visitors to our website (located at www.jdsupra.com) (our "Website") who view only publicly-available content as well as subscribers to our services (such as our email digests or author tools)(our "Services"). By using our Website and registering for one of our Services, you are agreeing to the terms of this Privacy Policy.

Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the "My Account" dashboard (available if you are logged into your JD Supra account).

Collection of Information

Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account ("Registration Data"), such as your:

  • Email
  • First Name
  • Last Name
  • Company Name
  • Company Industry
  • Title
  • Country

Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.

Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.

Your interactions with our Website and Services: As is true of most websites, we gather certain information automatically. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data. We use this information to analyze trends, to administer the Website and our Services, to improve the content and performance of our Website and Services, and to track users' movements around the site. We may also link this automatically-collected data to personal information, for example, to inform authors about who has read their articles. Some of this data is collected through information sent by your web browser. We also use cookies and other tracking technologies to collect this information. To learn more about cookies and other tracking technologies that JD Supra may use on our Website and Services please see our "Cookies Guide" page.

How do we use this information?

We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:

  • Operate our Website and Services and publish content;
  • Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
  • Measure readership and usage of the Website and Services;
  • Communicate with you regarding your questions and requests;
  • Authenticate users and to provide for the safety and security of our Website and Services;
  • Conduct research and similar activities to improve our Website and Services; and
  • Comply with our legal and regulatory responsibilities and to enforce our rights.

How is your information shared?

  • Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
  • If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
  • Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
  • Our Website may offer you the opportunity to share information through our Website, such as through Facebook's "Like" or Twitter's "Tweet" button. We offer this functionality to help generate interest in our Website and content and to permit you to recommend content to your contacts. You should be aware that sharing through such functionality may result in information being collected by the applicable social media network and possibly being made publicly available (for example, through a search engine). Any such information collection would be subject to such third party social media network's privacy policy.
  • Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
  • Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
  • To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.

How We Protect Your Information

JD Supra takes reasonable and appropriate precautions to insure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at privacy@jdsupra.com.

Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR") In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to privacy@jdsupra.com. We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to privacy@jdsupra.com.

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at: privacy@jdsupra.com.

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at www.jdsupra.com) (our "Website") and our services (such as our email article digests)(our "Services") use a standard technology called a "cookie" and other similar technologies (such as, pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit legal.hubspot.com/privacy-policy.
  • New Relic - For more information on New Relic cookies, please visit www.newrelic.com/privacy.
  • Google Analytics - For more information on Google Analytics cookies, visit www.google.com/policies. To opt-out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout. This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit http://www.aboutcookies.org which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time-to-time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at: privacy@jdsupra.com.

- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.