United States: Overview Of 2013 Amendments To HIPAA Privacy, Security, Breach Notification And Enforcement Rules

On January 17, 2013, the federal Department of Health and Human Services ("HHS"), Office for Civil Rights ("OCR"), issued the long-anticipated final omnibus amendments (the "2013 Amendments") to the Privacy, Security, Breach Notification and Enforcement Rules (the "HIPAA Rules") under the Health Insurance Portability and Accountability Act ("HIPAA"), as directed pursuant to the Health Information Technology for Economic and Clinical Health ("HITECH") Act, enacted as part of the American Recovery and Reinvestment Act of 2009. The 2013 Amendments are effective as of March 26, 2013, and compliance with applicable requirements generally must be made within 180 days, by September 23, 2013 (with important exceptions for existing business associate arrangements). Significant penalties apply for non-compliance.

The 2013 Amendments include a number of sweeping changes to the HIPAA Rules, including the expansion of the definition of a business associate to include their subcontractors that handle protected health information ("PHI"); a higher threshold for determining whether a breach has occurred for reporting purposes; and restrictions on "marketing" activities and the "sale" of PHI. Business associates are now directly subject to HIPAA with respect to the Security Rule. The 2013 Amendments also implement the Genetic Information Nondiscrimination Act of 2008 ("GINA") by including genetic information in the HIPAA definition of health information and by prohibiting health insurance issuers from using such information for underwriting purposes. Finally, covered entities must issue new notices of privacy practices to comply with the amended HIPAA Rules. Overall, these changes will have a profound effect on healthcare providers, plans, individuals, entrepreneurs, investors and advertisers, as well as many others that support the healthcare industry, such as entities that analyze, create, maintain or use healthcare data. HHS states that industry-wide costs for first-year compliance will range from $115 million to $225 million, but industry analysts anticipate real costs to be exponentially higher.

Below, we briefly address and summarize the key provisions and changes contained in the 2013 Amendments.

I. Expansion of Rule's Application: Definition of Business Associate

a. Inclusion of Subcontractors

The 2013 Amendments significantly expand the definition of a "business associate"—and thereby the application of HIPAA—to include subcontractors of business associates (and their subcontractors) that create, receive, maintain or transmit PHI in performing a function, activity or service delegated by the business associate to a subcontractor. A covered entity must obtain satisfactory assurances in the form of a written contract or other arrangement from each business associate, and each business associate in turn must do the same with regard to each subcontractor that handles PHI on its behalf, and so on—no matter how far "down the chain" the PHI flows.

Disclosures of PHI by a business associate and its business associate subcontractors for its own management and administration or legal responsibilities, however, do not create a business associate relationship with the recipient of the PHI because such disclosures are made outside of the entity's role as a business associate. Furthermore, covered entities are not required to enter into a contract or other arrangement directly with a HIPAA-covered subcontractor of a business associate. Notably, the 2013 Amendments also make some technical revisions to the HIPAA Rules to clarify that failing to enter into a business associate agreement or contract does not exempt a person from the definition of business associate and thereby HIPAA's requirements; rather, the applicable facts and circumstances control.

b. Inclusion of Health Information Organizations, Vendors of Personal Health Records and Others That Facilitate Data Transmission

Also included in the definition of a business associate are entities that create, receive, maintain or transmit PHI through electronic means, such as health information organizations ("HIOs"); vendors of personal health records; and others that facilitate data transmission. As HHS explains, the business associate definition now applies to an entity that "maintains" PHI (in addition to creating, receiving or transmitting it)—i.e., an entity that accesses PHI "on a routine basis." There is an exception for a "conduit" of PHI, i.e., an entity that provides mere courier or transmission services (in digital or hard form). Only an "opportunity to access" PHI is needed to implicate HIPAA, and the key is whether the opportunity is "transient" as opposed to "persistent." Specifically, HHS noted that entities which "manage" the exchange of PHI through a network, including oversight or governance functions for the electronic HIO, fall within the purview of HIPAA because they have more than random access to PHI. Whether or not they view PHI is not key. HHS stated that this area is evolving and that additional guidance will be provided in the future, as the areas of healthcare information technology and exchanges develop.

c. Compliance Deadlines for Business Associate Compliance

Covered entities and business associates (including their subcontractors) must ensure compliance, including by entering into written agreements, by September 26, 2013. There is an exception for covered entities and business associates (including their subcontractors) that had preexisting business associate agreements prior to January 25, 2013. In such cases, if the agreement is not renewed or modified prior to September 23, 2013, then the parties are deemed compliant until the earlier of the date that the agreement is renewed or modified, or September 24, 2014.

II. Modified Breach Standard and Notification Rule

a. Breach

The 2013 Amendments make significant changes to the current Interim Final Breach Notification Rule that was published in August 2009 and to date has guided covered entities and business associates with respect to breaches. The most dramatic change concerns the definition of the term "breach." Under the current interim rule, a "breach" is defined as an inappropriate use or disclosure of PHI involving a significant risk of financial, reputational or other harm. The 2013 Amendments modify this definition by providing that an impermissible use or disclosure of PHI is presumed to be a breach, unless it can be demonstrated that there is a low probability that PHI has been compromised based upon a four-part risk assessment that considers: (1) the nature and extent of the PHI involved in the breach; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to PHI has been mitigated. If the risk assessment evaluation fails to demonstrate there is a low probability that any PHI has been compromised, breach notification is required. Certain exceptions to the definition of a breach continue to apply.

b. Notification

In the case of a breach, the 2013 Amendments require covered entities to notify each affected individual whose unsecured PHI has been compromised. Even if such breach is caused by a business associate, the covered entity is ultimately responsible for providing the notification (although the covered entity is free to delegate the breach response function to the business associate). Moreover, a business associate's, as well as the workforce member's, knowledge of a breach will be imputed onto a covered entity. If the breach involves more than 500 persons, OCR must be notified in accordance with instructions posted on its website. The HIPAA-covered entity bears the ultimate burden of proof to demonstrate that all notifications were given or that the impermissible use or disclosure of PHI did not constitute a breach and must maintain supporting documentation, including documentation pertaining to the risk assessment.

III. Marketing

The 2013 Amendments substantially modify the definition of marketing to require an authorization from an individual for the receipt of certain marketing materials for treatment or operations purposes. This modification will significantly impact third parties who wish to market their products or services through covered entities.

Marketing broadly applies to any communication about a product or service that encourages the recipient to purchase or use the product or service. Under the 2013 Amendments, exceptions to the definition of marketing communications include any communication that is made: (1) to provide refill reminders or information regarding a drug that is currently being prescribed, as long as any financial remuneration received by the covered entity is "reasonably related" to the cost of making the communication; or (2) regarding the product or service of a third party for certain treatment or operations purposes, except where financial remuneration is involved. The kinds of communications covered by this provision include those offered to an individual as part of treatment, or to a larger population as part of operations, regarding case management, care coordination or alternative treatment modalities; or to describe a health-related product or service—or payment for the product or service—that is provided by the covered entity or included in a plan of benefits, such as communications about network-participating providers or value-added products or services not offered by a plan (e.g., vision plan enhancements).

In other words, the definition of marketing now includes communications issued by a covered entity or business associate regarding a treatment- or operations-related product or service offered by a third party and the third party has compensated the covered entity or business associate for the communication. In these situations, an individual's authorization that covers subsidized communications is required. It is important to note there are key exceptions to the authorization requirement—i.e., when the covered entity makes the communication face-to-face or the communication consists of a promotional gift of nominal value.

IV. Security Rule

The HIPAA Security Rule applies to electronic PHI (ePHI) that is created, received, maintained or transmitted by a covered entity. Pursuant to HITECH, the 2013 Amendments expand the application of the Security Rule to business associates (that now are defined to include subcontractors of business associates that handle PHI for or on behalf of business associates). This means that business associates must comply with all of the Security Rule's applicable administrative safeguards (security management procedures, training, etc.); physical safeguards (workstation security, device and media controls, etc.); and technical safeguards (audit controls, transmission security, etc.). Business associates, including their subcontractors that handle PHI, must enter into agreements that require the business associates to comply with the Security Rule. Significantly, a downstream business associate (or a business associate subcontractor) must notify the upstream entity of any security incident or breach under the breach notification rules.

V. Amendments to the Authorization Requirements

a. Sale of PHI

The 2013 Amendments provide a general prohibition on any disclosure in exchange for remuneration (i.e., a sale) of any PHI by a covered entity or by a business associate without an authorization from the individual for such disclosure. Additionally, the authorization must state that such disclosure will result in remuneration. The 2013 Amendments define "sale of PHI" broadly to mean any disclosure where the covered entity or business associate receives, directly or indirectly, any remuneration in exchange for the PHI. OCR confirms the broad scope of this provision by clarifying that the term "remuneration" is not limited to financial payments (as the marketing provisions are, above); therefore, this prohibition applies to the receipt of financial as well as nonfinancial benefits. The 2013 Amendments provide a number of exceptions to this general authorization requirement, such as disclosures for public health, treatment and payment purposes, and sale and merger transactions, among others.

b. PHI After Death

Prior to the 2013 Amendments, the HIPAA Privacy Rule applied the same protections to the PHI of non-living individuals as it did to the PHI of living individuals. By amending the definition of PHI to generally exclude any health information of a person who has been deceased for more than 50 years, the 2013 Amendments limit the HIPAA Privacy Rule's protections with regard to a deceased individual's PHI for a period of 50 years after the date of death. Additionally, the 2013 Amendments provide that covered entities may disclose deceased individuals' PHI to non-family members, as well as family members, who were involved in the care or payment for healthcare of the decedent prior to death; however, the disclosure must be limited to PHI relevant to such care or payment and cannot be inconsistent with any prior expressed preference of the deceased individual.

c. Disclosure to Schools of Student Immunizations

The 2013 Amendments permit a covered entity to disclose, without written authorization, immunization records to a school where state or other law requires, as opposed to merely permits, the school to have such information prior to admitting the student. While written authorization would no longer be required, the covered entity would nevertheless be required to obtain and document agreement to the disclosure that may be oral and over the phone from the parent or person acting in loco parentis for the individual, or from the individual himself or herself. A mere request by a school for the immunization records of a student would not be sufficient to permit disclosure without authorization.

VI. Notice of Privacy Practices

The 2013 Amendments reflect modifications from the interim final rule that provide significant changes to covered entities' Notice of Privacy Practices ("NPP") regarding uses and disclosures that require authorization. While the 2013 Amendments do not require the NPP to include all situations requiring authorization, the NPP must contain a statement indicating that most uses and disclosures of psychotherapy notes, marketing disclosures and sale of PHI do require prior authorization, as well as the right of the individual to be notified in case of a breach of unsecured PHI. OCR clarifies that distribution by covered entities of new NPPs to individuals is required because the changes to the NPP requirements are material.

VII. Individuals' Right to Restrict Disclosures; Right of Access

To implement the HITECH Act, the Privacy Rule is amended to require a covered entity to restrict the disclosure of PHI about an individual to a health plan, upon the individual's request, if the disclosure is for the purpose of carrying out payment or healthcare operations and is not otherwise required by law. The PHI must pertain solely to a healthcare item or service for which the individual has paid the covered entity in full. OCR clarifies that the adopted provisions do not require covered healthcare providers to create separate medical records or otherwise segregate PHI subject to a restricted healthcare item or service; rather, providers need to employ a method to flag or note restrictions on PHI to ensure that such PHI is not inadvertently sent or made accessible to a health plan.

The 2013 Amendments also adopt the proposal in the interim rule requiring a covered entity to provide a copy of PHI to any individual requesting it in electronic form. The electronic format must be provided to the individual if it is readily producible. OCR clarifies that covered entities must provide individuals only with an electronic copy of their PHI, not direct access to their electronic health record systems. The 2013 Amendments also provide the right to individuals to direct a covered entity to transmit an electronic copy of PHI to an entity or person designated by the individual. Furthermore, the amendments restrict the fees that covered entities may charge for handling and reproduction of PHI, which must be reasonable, cost-based and identify separately the labor for copying PHI (if any). Finally, the 2013 Amendments modify the timeliness requirement for right of access, from up to 90 days currently permitted to 30 days, with a one-time extension of 30 additional days.

VIII. Fundraising

The 2013 Amendments continue to permit a covered entity or business associate to use PHI for its fundraising without the individual's authorization, and even expand the fundraising rules by allowing covered entities to utilize demographic information, including the individual's health insurance status and certain treatment and outcome information. With respect to individuals' right to opt out of fundraising communications, covered entities are now free to decide which opt-out methods to provide to individuals, as long as the chosen methods do not impose an undue burden or more than a nominal cost for the individuals. For example, requiring a written letter would be an undue burden, but a pre-printed, prepaid postcard would be appropriate; use of a toll-free number or an e-mail address is encouraged.

IX. Modifications to the HIPAA Privacy Rule Under GINA

The Genetic Information Nondiscrimination Act of 2008 ("GINA") prohibits discrimination based upon an individual's genetic information and, among other things, required OCR to revise the HIPAA Privacy Rule to include genetic information within the definition of health information. The 2013 Amendments amend the existing HIPAA Privacy Rule by adding the prohibition on the use of "genetic information" for "underwriting purposes," with the exception of the underwriting of long-term care policies. OCR was persuaded to exempt long-term care insurance by rulemaking comments that prohibiting use of genetic information for underwriting purposes would impair the viability of the long-term care insurance market. As with other terms used in this section of the 2013 Amendments, "genetic information" and "underwriting purposes" are defined terms. It is important to note that nothing in GINA should be construed to limit the ability of a health plan to adjust premiums or establish eligibility criteria on the basis of a manifestation of a disease or disorder of an enrollee. The terms "manifestation or manifested" are defined because they are used to distinguish permissible uses of genetic information by insurance companies from impermissible uses. The 2013 Amendments also require health plans that perform underwriting to include in their NPPs a statement that they are prohibited from using or disclosing genetic information for underwriting purposes. We will be reporting on a separate, detailed analysis of the provisions of the 2013 Amendments implementing GINA in the near future.

X. The Hybrid Entity, Its Healthcare Components and Business Associate Functions

Under the HIPAA Rules, a "hybrid entity" is one that performs HIPAA-covered and non-covered functions, such as a small manufacturing company and its health clinic that is a HIPAA-covered entity. In this example, the health clinic constitutes a "health care component" under HIPAA. The 2013 Amendments clarify that the business associate functions provided by the hybrid entity to its healthcare component, such as billing for the health clinic in the example above, are now considered part of the healthcare component and are subject to HIPAA.

XI. Compliance and Investigations; Liability

a. Investigations; Basis for Liability

Under the 2013 Amendments, as required by the HITECH Act, any complaint or violation must be formally investigated if a preliminary review of the facts indicates a possible violation due to willful neglect. Thus, in such situations, informal means can no longer be used to resolve such violations. OCR also confirmed that the preliminary review needs to indicate only "possible" as opposed to "probable" willful neglect. OCR emphasized that it retains discretion to decide whether to conduct a formal investigation where the preliminary review of the facts indicates a degree of culpability less than willful neglect.

Significantly, the 2013 Amendments make covered entities and business associates liable for the acts of their business associates that are deemed to be agents. A number of comments expressed concerns about this rule in its proposed form, but OCR justifies its interpretation under the federal common law of agency. Commenters argued that contractual provisions, not the federal common law of agency, should control, but all such arguments were dismissed by OCR.

b. Civil Monetary Liability

As required by the HITECH Act, the 2013 Amendments substantially increase the potential civil monetary fines for violations for covered entities and business associates, and establish tiers of escalating penalty amounts based on increasing degrees of culpability of violators and other responsible parties. The 2013 Amendments also reduce OCR's discretion in assessing these fines.

Violation Category – Section 1176(a)(1)      Each Violation        All Such Violations of an Identical Provision in a Calendar Year
(A) Did Not Know                             $100 - $50,000        $1,500,000
(B) Reasonable Cause                         $1,000 - $50,000      $1,500,000
(C)(i) Willful Neglect - Corrected           $10,000 - $50,000     $1,500,000
(C)(ii) Willful Neglect - Not Corrected      $50,000               $1,500,000

In circumstances where discretion is available, the Secretary, in determining the amount of penalty, is required to take into account the nature of the claims and the circumstances under which they were presented, the degree of culpability, history of prior offenses, financial condition of the person presenting the claims and other matters. OCR also intends to consider factors, such as the time period during which the violations occurred; reputational harm; and the number of individuals affected.

Therefore, every HIPAA-covered entity, its business associates and their subcontractor business associates are strongly encouraged to review the 2013 Amendments quickly, consider their implications and promptly begin working to achieve compliance with applicable provisions and to mitigate statutory liability risks. Significant penalties apply for lack of compliance. It may be worthwhile to consider taking prompt action.

The above discussion provides a cursory discussion of the 2013 Amendments, which cannot and should not be relied upon for any purpose other than informational purposes. All situations and questions concerning PHI, the 2013 Amendments and other subjects discussed above present unique facts and issues, which along with applicable state laws should be considered on a case-by-case basis.

If you have any questions or would like further information, please contact David Loder, Lisa W. Clark, Harry Silver, Neville Bilimoria, Erin Duffy, Emmy Monahan, Dmitry Tuchinsky, any other member of the Health Law Practice Group, or the attorney in the firm with whom

This article is for general information and does not include full legal analysis of the matters presented. It should not be construed or relied upon as legal advice or legal opinion on any specific facts or circumstances. The description of the results of any specific case or transaction contained herein does not mean or suggest that similar results can or could be obtained in any other matter. Each legal matter should be considered to be unique and subject to varying results. The invitation to contact the authors or attorneys in our firm is not a solicitation to provide professional services and should not be construed as a statement as to any availability to perform legal services in any jurisdiction in which such attorney is not permitted to practice.

Duane Morris LLP, a full-service law firm with more than 700 attorneys in 24 offices in the United States and internationally, offers innovative solutions to the legal and business challenges presented by today's evolving global markets. The Duane Morris Institute provides training workshops for HR professionals, in-house counsel, benefits administrators and senior managers.
