United States: The New HIPAA Omnibus Rule & Your Liability — A Detailed Review

As we have reported in earlier posts on this blog, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently released final regulations containing modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (Omnibus Rule). Proposed regulations had previously been released for public comment: the October 30, 2009 interim final enforcement rule detailing HITECH's then-new tiered penalty structure, the August 24, 2009 interim final breach notification rule published pursuant to HITECH, and proposed privacy, security, and enforcement standards.

The proposed rules provided for major changes, such as direct liability for business associates and a tiered penalty structure for noncompliance. This advisory sets forth some of the most significant changes in the final rules, the impact of the final rules on group health plans, best practices for compliance with the rules, and how the final rules correspond with state privacy laws. A complete analysis of the most important changes follows.

Some of the Biggest and Most Dramatic Changes

Liability    The final rules, effective on March 26, 2013, not only provide direct liability for business associates and their subcontractors, but also include increased liability for noncompliance. The final rules move HIPAA enforcement away from the previous voluntary compliance framework and toward a penalty-based system. The tiered penalty structure has penalties ranging from $100 to $50,000 per violation, depending on the level of culpability, with a $1.5 million cap per calendar year for multiple violations of identical provisions, and criminal penalties of up to 10 years' imprisonment. Willful neglect is at the top of the scale, and even where there is merely a possibility of a violation due to willful neglect, HHS can impose civil monetary penalties without exhausting informal resolution options.

Breach Notification   The Omnibus Rule also significantly changes the breach notification analysis, creating a presumption of reportable breach. This analysis is a significant change from the previous risk analysis and the proposed rules' "harm standard," which analyzed the risk of harm to an individual in determining whether a breach was reportable. In an attempt to obtain more consistency in breach reporting, the Omnibus Rule creates an objective, four-factor test to determine whether or not protected health information (PHI) has been compromised, requiring breach notification. This analysis focuses on: (1) the nature and extent of the PHI involved in the incident (e.g., whether the information is sensitive information like social security numbers or infectious disease test results); (2) the recipient of the PHI (e.g., whether another physician received the PHI); (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk has been mitigated following unauthorized disclosure (e.g., whether it was immediately sequestered and destroyed). For example, if PHI is faxed to the wrong physician and the receiving physician immediately contacts the covered entity to inform it of the error and confirms that the information was destroyed, there is a low probability that information was compromised, and disclosure would not be reportable to OCR, individuals, the media, or any other necessary parties. OCR commented that organizations' policies and procedures should reflect this new risk assessment approach.

Marketing and Subsidized Communications of PHI     Another significant change in the Omnibus Rule relates to marketing and subsidized communications of PHI. The Privacy Rule initially defined marketing as making "a communication about a product or service that encourages recipients of the communication to purchase or use the product or service." Such a communication required a prior authorization from the intended recipient of the communication. Certain exceptions permitted marketing communications without an authorization, such as "health care operations" communications, face-to-face communications, and gifts of nominal value. The final rule requires authorization for all treatment and health care operations communications where the covered entity receives financial remuneration from the third party whose products or services are being marketed. There are still exceptions; for example, subsidized face-to-face communications and subsidized communications regarding a drug or biologic currently being prescribed to an individual and refill reminders are permissible without authorization. OCR was clear that within the scope of this exception are communications about generic equivalents and adherence types of communications. Third-party payments for purposes other than communications to a patient, such as third-party funded disease management programs, do not require authorization, provided that the communication encourages participation in the program and not the use of the sponsor's particular product or service.

What is a "Conduit"?     Omnibus Rule commentary provides a useful discussion of OCR's "conduit" analysis. This analysis is relevant for determining whether or not a data transmission organization is a business associate, which carries much more weight now that business associates and their vendors have direct liability and new compliance obligations under the final rules. OCR's longstanding position has been that entities acting as mere conduits for PHI that do not access PHI other than on a random basis are not business associates. An example is the United States Postal Service, which is merely a conduit through which PHI flows. The Omnibus Rule clarifies that the conduit analysis is narrow and limited to transmission organizations. Storage of PHI, even without access to PHI, triggers business associate obligations. OCR has made it clear that cloud vendors are business associates, even if they do not access PHI. This analysis is important as cloud-based solutions become more widespread in the health care industry.

Broader Fundraising Communications     The Omnibus Rule contains provisions that will permit broader fundraising communications. As originally implemented, the HIPAA Privacy Rule permitted only the use of demographic information and dates of care for fundraising purposes. The Omnibus Rule permits the use of demographic information, dates of service, department of service, treating physician, outcome information and health insurance status for fundraising purposes by fundraising entities and their business associates. There are still notice and opt-out requirements for fundraising communications, which must be included in the notice of privacy practices provided to an individual. Whether the opt-out provision is campaign-specific or allows for the individual to opt out of all fundraising communications is at the discretion of the covered entity.

Streamlined Authorization Requirements    Also included in the Omnibus Rule are streamlined authorization requirements for the use of individuals' PHI for research purposes. Previously, a clinical trial participant was only permitted to authorize the use of PHI for one clinical trial per authorization. Additionally, authorizations for future, unspecified research were prohibited. Consistent with federal human subject protection rules, the final rule permits compound authorizations, or authorizations for more than one clinical trial, and authorizations for future, unspecified research. This change permits a single document to include consent and authorization for a clinical trial and a future study, as long as the authorization contains a general description of the types of research that may be conducted. These changes will facilitate tissue and data banking and outcomes research, and will simplify the administration of clinical trials.

Omnibus Rule Effect on Group Health Plans and Their Business Associates

When the HIPAA Privacy and Security rules were first enacted, and in the early rulemaking that followed, employer-sponsored and other "group health plans" were an afterthought. The law and rules were structured principally for provider and health insurance issuers (i.e., state-licensed insurance carriers). Group health plans faced many ambiguities and questions, but two stood out:

  • Drawing on the ERISA civil scheme, HIPAA treats a group health plan as a legally distinct entity. This approach, while justified, is entirely at odds with the experience of most human resource managers and CFOs, who tend to view their company's group health plan as a product or service that is "outsourced" to a vendor. In the case of an insured plan, the vendor is the carrier; in the case of a self-funded plan, the vendor is the third-party administrator.
  • The regulators routinely refer to the security rules as "scalable," i.e., small entities can comply by adopting approaches that are less complicated and costly. In practice, however, there is little truth to this claim. Baseline risk assessments and policies and procedures quickly get to a point below which they simply cannot be further simplified. Compliance with the security rules, therefore, will, if done right, prove costly, particularly to smaller entities.

The new administration and the enactment of the HITECH Act appear to have righted the balance vis-à-vis HIPAA and group health plans. Or perhaps it was the passage of time, coupled with a greater emphasis on compliance. Either way, the Omnibus Rule provides a robust template for compliance along with a penalty scheme and enforcement profile that strongly encourage compliance. The Omnibus Rule provides severe penalties where an employer fails to comply out of "willful neglect." While willful neglect can take many forms, the most obvious is for an employee to simply do nothing. There is, as a result, a premium on making some, earnest effort to comply. Even if the effort falls short, it may be enough to avoid a bump up in penalties based on willful neglect.

Similar rules and considerations apply to business associates. Group health plans are "health plans" under HIPAA. They are therefore covered entities that are bound by the applicable HIPAA/HITECH requirements. A covered entity routinely relies on "business associates" to conduct covered functions. Business associates include entities that create, receive, maintain, or transmit PHI on behalf of a covered entity. (The Omnibus Rule added the word "maintains" to this definition, thereby encompassing entities that store PHI for the covered entity.) While providers (particularly large integrated health care delivery systems) may have a multitude of business associates, group health plans typically have only a few. These tend to be brokers and consultants and third-party administrators.

The Omnibus Rule added to the list of business associates "Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to PHI to a covered entity and that requires access on a routine basis to such PHI," and persons that offer personal health records to one or more individuals on behalf of a covered entity. State-licensed health insurance carriers are generally not business associates; they are rather themselves covered entities. The Omnibus Rule makes clear, however, that carriers can be business associates when they undertake business associate functions. The most common example is where a carrier functions in the capacity of a third-party administrator for a self-funded group health plan. Small group health plans in a community-rated arrangement generally do not receive PHI from the insurance carrier, so employers in that subset of health plans will likely have few HIPAA compliance obligations. Large, fully insured health plans routinely receive information from the insurance carrier that rises to the level of PHI, implicating the Privacy and Security Rules. These plans routinely get help from carriers with HIPAA compliance, although in too few cases is that help consciously integrated into a systematic compliance effort. Self-funded health plans are fully exposed to PHI and therefore have the responsibility to comply with all HIPAA requirements.

Unlike other provisions of the Omnibus Rule, the rules governing group health plans, and in particular their relationship to their business associates, have changed only incrementally. It is now clear, for example, that business associates, including subcontractors such as brokers, consultants, and third-party administrators, are directly liable for compliance with portions of the privacy rule and the entire security rule. A "subcontractor" is defined for this purpose as a person (other than a business associate workforce member) to whom a business associate delegates a function, activity, or service, where the delegated function involves the creation, receipt, maintenance, or transmission of PHI.

The Privacy Rule imposes on covered entities a series of requirements designed to safeguard PHI. These include the following:

  • Privacy Policies and Procedures. A covered entity must adopt written privacy policies and procedures that are consistent with the privacy rule.
  • Privacy Personnel. A covered entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity's privacy practices.
  • Workforce Training and Management. Workforce members include employees, volunteers, and trainees, and may also include other persons whose conduct is under the direct control of the covered entity (whether or not they are paid by the entity). A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. A covered entity must also have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule.
  • Mitigation. A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or the Privacy Rule.
  • Data Safeguards. A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.
  • Complaints. A covered entity must have procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule. The covered entity must explain those procedures in its privacy practices notice. Among other things, the covered entity must identify to whom individuals at the covered entity may submit complaints and advise that complaints also may be submitted to the Secretary of HHS.
  • Retaliation and Waiver. A covered entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule. A covered entity may not require an individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, and enrollment or benefits eligibility.
  • Documentation and Record Retention. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.

The Omnibus Rule clarified that, while business associates are not subject to each and every requirement of the Privacy Rule listed above, they must:

  • Comply with the terms of a business associate agreement related to the use and disclosure of PHI;
  • Provide PHI to the Secretary upon demand;
  • Provide an electronic copy of PHI available to an individual (or covered entity) related to an individual's request for an electronic copy of PHI;
  • Make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request; and
  • Enter into business associate agreements with subcontractors that create or receive PHI on their behalf.

The Security Rule requires covered entities to conduct a risk assessment. For group health plans, threats can come from two sources: internal (from the workforce) or external (communications on behalf of the health plan and brokers, consultants, and vendors). Accordingly, group health plans should be able to easily identify potential risks and solutions to those risks. While the Security Rule does not expressly require encryption, data encryption is now the de facto standard. Group health plans should request copies of privacy policies and procedures, risk assessments, and security policies and procedures from their business associates. (Although business associates are not required to have written policies and procedures, having policies and procedures is highly recommended and probably rises to the level of a "best practice.") Group health plans will also need to update their business associate agreements accordingly.

Each business associate and downstream entity also must have a business associate agreement in place. In instances where a valid business associate agreement is already in place, the parties must comply by the earlier of the date the existing agreement is renewed or modified, or September 22, 2014. Otherwise the relevant compliance date is September 23, 2013.

Best Practices for Covered Entities and Business Associates

Covered entities and business associates have until September 23, 2013 to comply with any applicable new rules. To avoid penalties for noncompliance, covered entities and business associates should have, at a minimum, evidence of a good-faith effort of compliance with the rules, including updated policies and procedures and a Security Rule risk assessment reflecting the new risk assessment approach.

Gap Analysis    Covered entities and business associates should conduct a gap analysis between their current policies and procedures and the new requirements in order to determine what changes are needed, and then they must implement those changes as soon as reasonably possible. Covered entities should identify and document their business associates under the new definition, and business associates should identify and document their subcontractors, to confirm business associate agreement obligations and exposure to liability for noncompliance.

Business Associates    Now that business associates are bound by the rules governing impermissible uses and disclosures, breach notification policies, providing PHI upon request, and responding to requests by HHS in connection with investigations, accountings, and the Security Rule provisions, business associates must create a separate set of policies and procedures to comply with these rules. While business associates are not required to have their own privacy policies and procedures or train their workforce on privacy rules, it is strongly recommended.

Breach Notification     Given the new presumption of reportable breach in the Omnibus Rule, organizations should revise their breach notification policies and procedures and breach response plans. If notification of a breach is required, the covered entity is required to notify all affected individuals within 60 calendar days of the discovery of the breach. However, 60 days is the outer limit, and covered entities are expected to make notifications as soon as possible. OCR has indicated that in some cases, waiting until the 60th day may be deemed an unreasonable delay and a violation of the rules, so covered entities should promptly make required notifications. Significantly, OCR treats a breach as "discovered" when the entity becomes aware of the breach or it should have gained knowledge of the breach through due diligence. OCR rejected comments that a breach should only be treated as "discovered" when management is notified of the breach. Instead, the "discovery" standard applies to employees and agents of the covered entities, including business associates. As should be detailed in business associate agreements, business associates that discover a breach must report it to the covered entity, and a subcontractor must report a breach to a business associate. Ultimately, the covered entity has the obligation to notify affected individuals of a breach, even if the breach occurred under the business associate, and even if the responsibility to notify has been delegated to the business associate.

Workforce Training     Covered entities must also support more training and awareness communications to personnel about the new requirements. They should provide an awareness communication to personnel about the upcoming changes and plan a training session with all personnel sometime in the near future, preferably before the March 26, 2013 effective date of the Omnibus Rule. Covered entities have always been responsible for monitoring personnel, but they are now responsible for monitoring compliance by their business associates. Covered entities must establish a way to monitor compliance and risks on an ongoing basis, to enable covered entities to quickly identify and mitigate problems when they arise.

Review and Amend Business Associate Agreements   In addition to updating their policies and procedures, covered entities and business associates must review and possibly amend their existing business associate agreements to comply with the new requirements, as discussed above. OCR recently posted sample business associate agreement provisions on its website that can be used when revising contracts to comply with the rules. OCR indicated that while the sample business associate agreement provisions are written for use in a contract between a covered entity and its business associate, the language may also be adapted for a contract between a business associate and its subcontractor. The template provisions are a helpful starting point, but additional revisions are advisable, such as detail regarding mitigation in the event of a breach. Indemnification has also become a common business associate provision in light of increased monetary penalties.

New Notices of Privacy Practices     Covered entities must also revise and distribute new notices of privacy practices to individuals. The revised notices must inform recipients of the following:

  • the new prohibition against health plans using or disclosing genetic information for underwriting purposes;
  • the prohibition on the sale of protected health information without the express written authorization of the individual, and other uses and disclosures that expressly require the individual's authorization (such as marketing and disclosure of psychotherapy notes);
  • the duty of a covered entity to notify affected individuals of a breach;
  • the individual's right to opt out of receiving fundraising communications for entities that have stated their intent to fundraise in their notice of privacy practices; and
  • the individual's right to restrict disclosures of protected health information to a health plan where the individual paid out of pocket in full.

Covered entities must ensure that their notices of privacy practices comply with these new requirements by September 23, 2013. Covered entities generally have 60 days to mail revised hard copy notices of privacy practices to members. Health plans that post their notice on their website must conspicuously post any material change or the revised notice on their website by September 23, 2013, and provide the new notice or information about the material changes and how to obtain the revised notice, in their next annual mailing. Therefore, the new notice of privacy practices should be posted or mailed as soon as reasonably possible.

Don't Forget State Requirements!

Beyond HIPAA there exists another universe of breach notification requirements in the 46 states that have data breach notification laws. Risk assessments and gap analyses must therefore include not only HIPAA requirements, but also the requirements of an organization's respective state laws. A state's breach notification assessment may differ from that required under HIPAA, and breach notification required under HIPAA may not trump state laws. The Omnibus Rule requires notification unless the covered entity demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment. A number of states, including California and Texas, do not require the material risk of harm analysis that was set forth in the proposed rules. In such states, notice may be necessary even if there has been no access or a return of the information. Under most state breach notification laws, personal information is indubitably a subset of PHI. In the event of a breach involving PHI, an entity may not only have to notify OCR and other necessary parties as required by HIPAA, but it also may have to provide notification under applicable state laws. The entity must analyze the population of affected individuals to determine whether health information is included in the relevant states' breach notification laws. If so, additional breach notification will be necessary as required by state law. For example, California requires specific notice (within five days of the breach) to the state agency. Connecticut requires notice to the Insurance Commissioner if the breaching entity is licensed by the Department of Banking and Insurance. If the breached information contains more than PHI, such as financial account information, a Social Security number, credit card number, or any other state-defined "personal information," which can often include state Medicaid program ID or account numbers, a much larger breach analysis is necessary.

Conclusion

The Omnibus Rule contains many changes that will have a significant impact on HIPAA compliance and liability, particularly for business associates. It is crucial to conduct a thorough analysis of the new requirements and to tailor privacy and security policies and procedures accordingly.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.


Authors
Alden J. Bianchi
Kimberly J. Gold

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.

Links

This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.

Mail-A-Friend

If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.

Security

This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.