United States: Criminal Liability For The Wrongful Use Of Health Information: HIPAA And More

By now, the term "HIPAA" is a household term—but few people have a strong grasp of the possible sanctions one might face for intentionally violating the HIPAA regulations. Recent cases illustrate that individuals and employers whom have wrongfully accessed protected health information face not only possible criminal sanctions under HIPAA, but also prosecution under several other federal criminal laws.

A recent case prosecuted by the U.S. Attorney's office in the Eastern District of Arkansas may indicate an increased level of enforcement by the government of the criminal sanctions contained in the federal medical privacy law. These sanctions are contained in the administrative simplification provisions of the Health Insurance Portability and Accountability Act, ("HIPAA") . In December of 2008, an Arkansas woman was sentenced to probation and community service for her role in disclosing protected health information.

Andrea Smith and her husband were indicted for violations of the HIPAA administrative simplification act, as well as conspiracy to wrongfully use and disclose protected health information. According to the indictment, at the time of offense, Smith was a licensed practical nurse working in a medical clinic located in Jonesboro, Arkansas. She accessed the protected health information of a patient of the clinic, and then shared that information with her husband. Her husband then informed the patient that he was planning to use the information in an upcoming legal proceeding against the patient.

Smith pled guilty to the charge of wrongfully disclosing protected health information for malicious harm or personal gain. In exchange, the government dismissed the conspiracy count against both of them, and also dismissed a remaining count against her husband. Smith faced a maximum penalty of ten years of imprisonment, a fine of no more than $250,000, or both, and a term of supervised release of no more than three years.

This is appears to be the fifth criminal case brought under HIPAA since the privacy rules went into effect in 20031. What makes the case especially interesting is that the government charged the employee of the health care clinic, but not the clinic itself (which terminated Smith upon learning of the charges).

The charges did not include any additional charges for fraud and identity theft. As the prosecuting U.S. Attorney Jane W. Duke explained, criminal prosecution of HIPAA violations is a "fairly new concept," but warned that the federal government intends to pursue HIPAA violations through "vigorous enforcement."2

While HIPAA was enacted in 1996, criminal enforcement of the statute is a relatively recent development. Two federal agencies are charged with enforcing the privacy provisions of HIPAA: the United States Department of Health and Human Services (HHS), the federal agency charged with the civil enforcement of HIPAA, and the U.S. Department of Justice, the federal agency charged with criminal prosecution of HIPAA violations. The two agencies have taken different approaches to enforcing the statute. As a result of this, employees and businesses not originally thought to be covered by HIPAA are now at risk for prosecution. This raises a host of compliance issues for businesses and individuals who have access to protected health information.3

HHS takes the position that only so called "covered entities" are subject to civil penalties under HIPAA. "Covered entities" are health plans, health care providers, sponsors of Medicare drug discount cards, and health care clearinghouses. HHS has made clear that persons or entities who otherwise may have lawful access to protected health information, but who are not covered entities, do not fall within the definition of a "covered entity" are not subject to civil penalties. This would include employees, vendors and third-party administrators. This includes "business associates" of covered entities, as that term is used in the privacy rule.4

However, for the purposes of criminal enforcement, the Department of Justice has traditionally taken a different position. It has demonstrated its position through a handful of criminal prosecutions as well as a memorandum outlining the basis for such prosecutions.

The HIPAA criminal statute, 42 U.S.C.A. § 1320d-6, reads in pertinent part:

"A person who knowingly and in violation of this part—

  1. uses or causes to be used a unique health identifier;
  2. obtains individually identifiable health information relating to an individual; or
  3. discloses individual identifiable health information to another person, shall be punished as provided in subsection (b) of this section."

"This part" refers to the administrative simplification provisions of HIPAA, under which the HIPAA rules were promulgated. In order to "obtain or disclose" protected health information "in violation of this part," one has to be subject to the HIPAA rules. The rules apply only to "covered entities." There are four kinds of covered entities: health care providers that engage in electronic standard transactions, sponsors of Medicare drug discount cards, and health care data clearinghouses.5

Logically, this suggests that only covered entities are subject to criminal prosecution.6 However, in June of 2005, the Office of Legal Counsel ("OLC") of the Department of Justice provided guidance on this exact issue in the form of an opinion discussing prosecution of HIPAA privacy violations.7

The OLC opinion confirmed that covered entities (health plans, health care clearinghouses, certain health care providers, and Medicare prescription drug card sponsors) may be prosecuted for criminal liability under Section 1320d-6. Id. The opinion then went on to suggest that "depending on the facts of a given case, certain directors, officers and employees of these entities may also be liable directly under section 1320d-6, in accordance with principles of corporate criminal liability. Other persons may not be liable directly under this provision." In this sense, the OLC opinion provides a narrow set of persons whom may be prosecuted directly under the statute.

However, the OLC opinion suggested that those who may not be prosecuted directly under Section 1320d-6 could still be prosecuted under "principles either of aiding and abetting liability and conspiracy liability." In particular, the OLC opinion referred to language in 18 U.S.C. § 2 (commonly referred to as the "aiding and abetting statute") which allows anyone who "willfully causes an act to be done which if directly performed by him or another would be an offense against the United States," to be punished as a principal.

In addition, the OLC opinion cited the conspiracy statute, 18 U.S.C. § 371, which allows for prosecution "if two or more persons conspire...to commit any offense against the United States...and one or more of such persons do any act to effect the object of the conspiracy." The OLC declined to provide insight into the use of these federal statute to criminally prosecute people under HIPAA, indicating that in the "absence of a specific factual context [it] would be unfruitful" to continue further discussion. Id.

The government typically uses the aiding and abetting statute, 18 U.S.C. § 2 to prosecute parties accountable for their conduct, even if they acted through the agency of others. The statute reads in pertinent part:

"Whoever willfully causes an act to be done which if directly performed by him or another would be an offense against the United States, is punishable as a principal." 18 U.S.C. § 2(b).

Under the aiding and abetting statute then, a defendant may be held guilty for violation of a federal statute, even if he/she was not necessarily in the class of persons to whom a substantive statute is directed.8 For example, courts have applied 18 U.S.C. § 2(b) in various circumstances, including finding an employee of a firearms dealer guilty for causing the violation of 18 U.S.C. § 922, even though the statute applied only to firearms dealers on its face.9

When combining the aiding and abetting statute, Section 2(b), with the HIPAA criminal statue, Section 1320d-6, the result is that if an "employee of a covered entity (who is not himself a covered entity) intentionally causes a wrongful disclosure of a patient's confidential health information, this action, if directly performed by another—that is, by the covered entity—it would constitute an offense against the United States....So long as the underlying conduct would have constituted an offense if it had been committed directly by the covered entity, the employee of the covered entity who was responsible for the conduct is still subject to prosecution as a principal under Section 2(b)." 10

This extension of criminal liability to individuals was recently articulated in the American Recovery and Reinvestment Act ("the Act") signed by President Obama on Feb. 17, 2009. The Act included several important changes to the HIPAA privacy and security regulations. Among other things, the Act brought criminal enforcement in line with the OLC's opinion, by amending the criminal provisions of the HIPAA statute to clarify that a person who obtains or discloses protected health information from a covered entity without authorization commits a violation of the criminal provisions of HIPAA. In addition, the Act increased civil penalties for violations of HIPAA, and now includes penalties for violations due to "willful neglect" to observe the obligations of the statute.11

The OLC opinion also suggested that "depending on the specific facts and circumstances, such conduct may also be punishable under other federal laws." These laws include, for example, those statutes dealing with identity theft and fraudulent access of a computer. The computer fraud and abuse statute ("CFAA") states in pertinent part:

"Whoever knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5000 in any 1-year period; shall be punished as provided in subsection (c) of this section." 18 U.S.C. § 1030(a)(4). The maximum penalty for violations of 18 U.S.C. § 1030(a)(4) is five years imprisonment. 18 U.S.C. § 1030(c)(3).

It is easy to see how the computer fraud statute could be used in conjunction with the HIPAA criminal statute, since HIPAA violations often involve the unauthorized use of a computer system. For example, an individual can be held liable under the CFAA for "exceeding authorized access" if initial access to a computer is permitted, but access of certain information is not permitted.12 The statute sets forth a minimum damage requirement of $5,000, which can easily be satisfied by taking into account forensic and related costs.13

Likewise, the federal identity fraud statute is suited to prosecuting conduct that might also involve a HIPAA violation. The federal identity fraud statute makes it a crime to "knowingly transfer an identification document, authentication feature, or a false identification document knowing that such document or feature was stolen or produced without lawful authority."14 Thus, the transfer of protected health information in order to facilitate identity theft would implicate this statute, as well.

Since the OLC opinion was published, the government has prosecuted a handful of employees of "covered entities" using exactly the mechanism suggested in the opinion---the aiding and abetting statute. In addition, in certain cases, the government has also alleged violations of computer and identity fraud criminal statues as additional ammunition in its fight against HIPAA privacy violations. The government has also cited conspiracy charges but, as is typical in criminal cases, these charges have been used as leverage against co-conspirators who are willing to testify against the target defendant.

For example, in January of 2007, the first criminal HIPAA jury verdict was entered in the case U.S. v. Ferrer. A Florida jury found the defendant, Mr. Fernando Ferrer, guilty of one count of wrongful disclosure of individually identifiable health information, five counts of aggravated identity theft, one count of computer fraud, and one count of conspiring to defraud the United States.15

Mr. Ferrer owned a healthcare administrative company at the time of the violations, and misappropriated the protected data of more than 1,400 patients of a satellite Cleveland Clinic operation. He worked with his cousin, who was an employee of Cleveland Clinic, in order to obtain the protected health information. Ferrer used the information to submit more than $7,000,000 in fraudulent Medicare claims. His cousin pled guilty to conspiracy and testified at trial against Ferrer. Ferrer was sentenced to 87 months in prison, 3 years of supervised release, and ordered to pay more than $2.5 in restitution.16

The other criminal HIPAA cases brought by the government against employees have resulted in guilty pleas. In a 2006 Texas case, an employee of a doctor's office pled guilty to selling the confidential medical information of an FBI agent to a person she believed was working for a drug trafficker. The employee accepted $500 for the information, which she was charged solely with a HIPAA criminal violation, and not a computer fraud violation, as well.17

And in what was the first criminal conviction under HIPAA, a Seattle man pled guilty to the wrongful disclosure of individually identifiable health information for economic gain. The defendant was an employee of the Seattle Cancer Care Alliance, and admitted that he obtained a cancer patient's name, date of birth and social security number. He used that information to obtain four credit cards in the patient's name, and purchased a variety of items on those cards, totaling more than $9000.18 Although this was a classic case of identity theft, the defendant was charged only a criminal HIPAA violation. Interestingly, he never actually disclosed the patient's medical information, but rather used the demographic information contained in medical records to commit identity theft.

In the latest "HIPAA twist," in at least one government investigation we are aware of, the government has alleged that reviewing patient files with a sales representative could potentially expose a company to criminal liability under HIPAA. At best, this is a tortured interpretation of HIPAA, but it may also reflect the government's increasing use of potential HIPAA violations as an "add on" to larger criminal cases.

Celebrities are often the victims of privacy violations. In April of this year a former administrative specialist at UCLA medical center was indicted by federal grand jury for allegedly selling private medical information about actress Farah Fawcett to a national media news outlet, in violation of 1320d-6 and 18 U.S.C. § 2(b). According to the indictment, Ms. Jackson received at least $4,600 from a national news publication through checks made out to her husband. Ms. Fawcett and her lawyers alleged that Ms. Jackson leaked protected health information about her fight with cancer to certain tabloids. The former employee faces up to 10 years in prison. It is not clear whether the government will prosecute the national media outlet (widely believed to be the National Enquirer), but the company could potentially face conspiracy charges for aiding and abetting Jackson.19

In the same month, 14 UCLA workers resigned, retired or were fired and nine physicians were suspended, after an internal audit found they had unlawfully accessed Britney Spears' health records. Apparently an internal audit conducted by the university health system revealed that hospital workers had improperly viewed health records of more than 60 patients, mostly celebrities and politicians.20

Part of the problem may have been shared records between the various hospitals within the UCLA health system, including the UCLA Medical Center. An audit conducted by the California Department of Public Health ("CDPH") revealed that within two days of Spears' admission for the birth of her first son at the Santa Monica facility, workers there and at the UCLA Medical Center (whom had access through a shared medical records system) accessed her records.21

As a result of these actions on the part of employees, the UCLA health system was cited by the CDPH for a number of deficiencies, including 1) failure to maintain the privacy and confidentiality of a patient's medical records; 2) failure to report a breach of confidentiality to CDPH; 3) failure to maintain a separate and distinct medical records information system; and 4) failure to safeguard medical records against use by unauthorized individuals.

UCLA is now obligated to develop and maintain a corrective action plan, which includes a new training module focused solely on patient privacy that reinforces HIPAA requirements, a new process for handling high-profile patients' permanent aliases, and a new portal in the medical records system that give a HIPAA compliance warning and includes a "reason for access" question that asks the user why he or she is accessing the record. 22

Given the government's newfound enforcement mechanism to criminally prosecute employees who wrongfully disclose individually identifiable health information for economic gain, health care providers need to review their privacy and information security programs to ensure patients' privacy. As these cases reveal, small physician practices and clinics are just as likely to be targeted as larger hospitals and medical groups.

It is vitally important for health care entities to implement an effective and flexible information security compliance program. Any such program should seek to reduce the ability of employees to engage in criminal conduct. As such, a compliance program should include, at the minimum, a strong message that the employer will not tolerate privacy violations and distribution of materials regarding the criminal implication for intentional HIPAA violations and the misuse of computer systems.

Footnotes

1 See Amy Lynn Sorrel, American Medical Association, July 14, 2008, "Criminal HIPAA case targets employee, not clinic, for breach."

2 U.S. Department of Justice Press Release, April 15, 2008, "Nurse Pleads Guilty to HIPAA Violation."

3 John Aloysius Cogan, Jr., "Federal Agencies Diverge on the Application of HIPAA's Civil and Criminal Penalties," New England In-House, October 2004.

4 In a very recent and noteworthy civil investigation brought by HHS and the Federal Trade Commission ("FTC"), CVS Pharmacy settled allegations against for improper disposal of identifying patient information on pill bottle labels for $2.25 million, The company also signed a consent order which applies to all of its 6,000 pharmacies to implement a robust corrective action plan, including safeguarding patient information during disposal, employee training and employee sanctions for noncompliance.

5 The privacy regulations also seek to protect the confidentiality of medical information that is disclosed to business associates—those companies that perform important functions for covered entities— by requiring a covered entity to enter in a written agreement guaranteeing the same level of confidentiality for medical information as the covered entity is required to provide. See 42 C.F.R. § 164.504(e)(2)(ii)(A)

6 This issue is discussed by Peter A. Winn, Assistant United State Attorney, "Who is Subject to Criminal Prosecution under HIPAA", available on http://www.abanet.org/health/01_interest_groups/01_ehealth.html .

7 See U.S. Department of Justice, "Memorandum for Alex M. Azar, II General Counsel, Department of Health and Human Services, from Timothy J. Coleman, Senior Counsel to the Deputy Attorney General, Re: Scope of Criminal Enforcement Under 42 U.S.C. § 1320d-6 (June 1, 2005).

8 United States v. Odem, 736 F. 2d 150 (5th Cir. 1984).

9 See U.S. v. Scannapieco, 611 F. 2d 619 (5th Cir. 1980).

10 Winn, infra note 5.

11 Previously, civil violations of HIPAA could only be enforced through the Secretary of Health and Human Services. Under the new Act, HIPAA violations are now enforceable in civil actions brought by state attorney generals, both to enjoin violations and to obtain damages.

12 Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962R (D.C. Ariz. 2008).

13 18 U.S.C. §1030(a)(4) is the only section of the computer fraud statute which has been used in HIPAA criminal convictions.

14 18 U.S.C. § 1028(a)(2).

15 United States Attorney's Office, Southern District of Florida, Press Release, May 3, 2007.

16 Id.

17 Department of Justice Press Release, "Alamo Women Convicted of Selling FBI Agent's Medical Records," March 7, 2006; see also Indictment for United States v. Liz Arlene Ramirez, Case No. M-05-708, United States Southern District of Texas.

18 Plea Agreement, United States v. Richard W. Gibson, case number CR04-0374 RSM, United States District Court, Western District of Washington.

19 Charles Ornstein, "Ex Worker Indicted in Celebrity Patient Leaks," Los Angeles Times, April 30, 2008.

20 Jennifer Steinhauer, "California Hospital Faces Sanctions After Workers Wrongly Looked at Patient Records," New York Times, April 8, 2008.

21 Atlantic Information Services Health Business Daily, "UCLA System Facilities are Cited by State for Patient Privacy Breaches," June 23, 2008.

22 Id.

www.nutter.com

This update is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Nutter McClennen & Fish LLP
 
In association with
Related Video
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert
Email Address
Company Name
Password
Confirm Password
Mondaq Topics -- Select your Interests
Accounting and Audit
Anti-trust/Competition Law
Consumer Protection
Corporate/Commercial Law
Criminal Law
Employment and HR
Energy and Natural Resources
Environment
Family and Matrimonial
Finance and Banking
Food, Drugs, Healthcare, Life Sciences
Government, Public Sector
Immigration
Insolvency/Bankruptcy, Re-structuring
Insurance
Intellectual Property
International Law
Law Practice Management
Litigation, Mediation & Arbitration
Media, Telecoms, IT, Entertainment
Privacy
Real Estate and Construction
Strategy
Tax
Transport
Wealth Management
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates

Terms & Conditions and Privacy Statement

Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of www.mondaq.com

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.

Disclaimer

Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.

Registration

Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.

Cookies

A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.

Links

This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.

Mail-A-Friend

If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.

Security

This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.