Use of PHI for Non-Patient Purposes
By Kim Stanger
In an era of decreasing reimbursement and rapidly expanding opportunities associated with “big data”, healthcare entities may be looking for ways to monetize protected health information (“PHI”)1 for their own, non-patient purposes. With limited exceptions, however, HIPAA restricts the use of PHI for non-treatment purposes without the patient’s consent. Failure to comply may subject HIPAA covered entities, business associates, and third parties to significant civil, administrative, and criminal penalties. (See, e.g., 42 U.S.C. § 1320d-6; 45 C.F.R. § 160.404).
I. Covered Entity’s Use of PHI.
HIPAA is based on the general rule that “[a] covered entity or business associate may not use2 or disclose3 PHI, except as permitted or required by [the HIPAA Privacy Rule].” (45 C.F.R. § 164.502(a)). The Privacy Rule lists the specific, permitted uses; other uses generally require the patient’s or personal representative’s written HIPAA-compliant authorization. (Id. at § 164.502). Most of the non-authorized permissible uses relate to the patient’s treatment, payment for treatment, or specified public safety or government functions (see, e.g., 45 C.F.R. §§ 164.502-.512). The following uses warrant discussion:
-
- Health care operations. “A covered entity may use or disclose [PHI] for its own … health care operations” without the patient’s authorization. (45 C.F.R. § 164.506(c); see also id. at § 164.502(a)(1)(ii)). This is potentially the most relevant exception when attempting to use PHI for the covered entity’s own advantage, but the scope of the exception is limited.
Health care operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions:
(1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; patient safety activities …; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
(2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
(3) Except as prohibited under § 164.502(a)(5)(i), underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of § 164.514(g) are met, if applicable;
(4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
(5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and
(6) Business management and general administrative activities of the entity, including, but not limited to:
(i) Management activities relating to implementation of and compliance with the requirements of this subchapter;
(ii) Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer.
(iii) Resolution of internal grievances;
(iv) The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity; and
(v) Consistent with the applicable requirements of §164.514, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.
(45 C.F.R. § 164.501, emphasis added). Note the two significant limitations:
First, only the activities specified in the definition are permitted, not any and all uses desired by the covered entity even though such uses may relate to, arise out of, or further the covered entity’s operations. (See OCR, Uses and Disclosures for Treatment, Payment, and Health Care Operations, available here).
Second, the permitted uses must be “related to covered functions.”
Covered functions means those functions of a covered entity the performance of which makes the entity a health plan, health care provider, or health care clearinghouse.
(45 C.F.R. § 164.103). As explained by HHS,
Covered functions, therefore, are the activities that any such entity engages in that are directly related to operating as a health plan, health care provider, or health care clearinghouse; that is, they are the functions that make it a health plan, health care provider, or health care clearinghouse.
(64 F.R. 82489). Thus, “health care operations includes general administrative and business functions necessary for the covered entity to remain a viable business.” (65 F.R. 82490, emphasis added). They are and include only those
certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. These activities … are limited to the activities listed in the definition of “health care operations” at 45 C.F.R. 164.501…”
(OCR, Uses and Disclosures for Treatment, Payment, and Health Care Operations, available here). In contrast,
The preamble [to the HIPAA final rule] listed certain activities that would not be considered health care operations because they were sufficiently unrelated to treatment and payment to warrant requiring an individual to authorize such use or disclosure. Those activities included: marketing of health and non-health items and services; disclosure of PHI for sale, rent or barter; use of PHI by a non-health related division of an entity; disclosure of PHI for eligibility, enrollment, underwriting, or risk rating determinations prior to an individuals’ enrollment in a health plan; disclosure to an employer for employment determinations; and fundraising.
(65 F.R. 82490). In short, the “health care operations” exception may not extend to many uses of PHI that may be unrelated to the covered entity’s primary function of rendering treatment to or obtaining payment for such treatment, including the monetization of PHI through big data projects or otherwise.
-
- Sale of PHI. If there was ever any doubt, the HIPAA Omnibus confirmed that “a covered entity or business associate may not sell [PHI]” without the patient’s written HIPAA-compliant authorization. (45 C.F.R. § 164.502(a)(5)(ii)(A)). “Sale of PHI” generally means
a disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information.
(Id. at § 164.502(a)(5)(ii)(B)).4 As explained by HHS, “a sale of [PHI] occurs when the covered entity primarily is being compensated to supply data it maintains in its role as a covered entity (or business associate).” (78 F.R. 5606; see also id. at 5608). In addition to the other elements required for a valid HIPAA authorization, an authorization for the sale of PHI “must state that the disclosure will result in remuneration to the covered entity.” (45 C.F.R. § 164.508(a)(4)).
-
- Marketing. With limited exceptions, “a covered entity must obtain an authorization for any use or disclosure of PHI for marketing” unless the marketing communication is in the form of a face-to-face communication or a promotional gift of nominal value provided by the covered entity. (45 C.F.R. § 164.508(a)(3)).
[M]arketing means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.
(Id. at § 164.501). “Marketing” does not include certain treatment-related communications to the patient,5 nor does it include communications “[t]o describe a health-related product or service (or payment for such product or service) that is provided by … the covered entity making the communication” unless “the covered entity receives financial remuneration in exchange for making the communication.” (Id. at § 164.501). For purposes of this definition,
Financial remuneration means direct or indirect payment from or on behalf of a third party whose product or service is being described. Direct or indirect payment does not include any payment for treatment of an individual.
(Id.). “If the marketing involves financial remuneration … to the covered entity from a third party, the authorization must state that such remuneration is involved.” (Id. at § 164.508(a)(3)).
- Research. A covered entity may use PHI for research purposes without the patient’s authorization if certain conditions are satisfied. (45 C.F.R. § 164.512(i)). “Research means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” (Id. at § 164.501). To fit within the exception, the research program generally requires the involvement of an institutional review board (“IRB”) or privacy board that satisfies certain requirements. (Id. at § 164.512(i)). The researcher must comply with relatively strict limits on use of the PHI and documentation requirements. (Id.).
II. Business Associate’s Use of PHI.
The business associate’s authority to use or disclose PHI derives from the covered entity’s authority. As discussed above, the covered entity may only use the patient’s PHI for certain purposes without the patient’s authorization, e.g., for the covered entity’s own treatment, payment or health care operations. (45 C.F.R. § 164.502). HIPAA allows covered entities to share PHI with business associates to assist the covered entity in performing authorized activities for or on behalf of the covered entity, but with very limited exceptions, the same limits that apply to the covered entity also apply to the business associate, e.g., absent the patient’s written authorization, the business associate may only use the information for purposes of the covered entity’s treatment, payment, health care operations, or other permitted purposes. (Id.). The business associate agreement (“BAA”) between the covered entity and business associate must specify the permissible uses of PHI. The regulations state:
(2) Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must:
(i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of [the HIPAA privacy rule] if done by the covered entity, except that:
(A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and
(B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.
(ii) Provide that the business associate will … [n]ot use or further disclose the information other than as permitted or required by the contract or as required by law;
…
(4) Implementation specifications: Other requirements for contracts and other arrangements. (i) The contract or other arrangement between the covered entity and the business associate may permit the business associate to use the protected health information received by the business associate in its capacity as a business associate to the covered entity, if necessary … [f]or the proper management and administration of the business associate; …
(45 C.F.R. § 164.502(e)). Thus, HIPAA includes only two exceptions in which the business associate may use PHI for its own purposes without the patient’s authorization: (1) to perform data aggregation services, and (2) for the business associate’s own management and administration. (65 F.R. 82505-06).
A. The Data Aggregation Exception.
Data aggregation means, with respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.
(45 C.F.R. § 164.501, emphasis added). Per the regulation, the business associate may only aggregate the PHI for the health care operations of the covered entity, not for the business associate’s own purposes. HHS commentary explains the purpose and scope of the exception:
we permit a covered entity to authorize the business associate to provide data aggregation services to the covered entity. As discussed above in § 164.501, data aggregation, with respect to protected health information received by a business associate in its capacity as the business associate of a covered entity, is the combining of such protected health information by the business associate with protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit the creation of data for analyses that relate to the health care operations of the respective covered entities. We added this service to the business associate definition to clarify the ability of covered entities to contract with business associates to undertake quality assurance and comparative analyses that involve the protected health information of more than one contracting covered entity. We except data aggregation from the general requirement that a business associate contract may not authorize a business associate to use or further disclose protected health information in a manner that would violate the requirements of this subpart if done by the covered entity in order to permit the combining or aggregation of protected health information received in its capacity as a business associate of different covered entities when it is performing this service. In many cases, the combining of this information for the respective health care operations of the covered entities is not something that the covered entities could do—a covered entity cannot generally disclose protected health information to another covered entity for the disclosing covered entity’s health care operations. However, we permit covered entities that enter into business associate contracts with a business associate for data aggregation to permit the business associate to combine or aggregate the protected health information they disclose to the business associate for their respective health care operations.
(65 F.R. 82505-06, emphasis added). Per the regulations and commentary, the “data aggregation” exception would not apply unless (1) the data aggregation is for the covered entity’s health care operations, not the business associate’s own purposes; and (2) the BAA expressly authorizes the business associate to perform the data aggregation services.
B. The Management and Administration Exception. HHS has not defined “management and administration,” nor has it clearly delineated the boundaries of the exception applicable to business associates. The Privacy Rule does allow covered entities to use PHI for their “health care operations”, which, as explained above, includes:
Business management and general administrative activities of the entity, including, but not limited to:
(i) Management activities relating to implementation of and compliance with the requirements of this subchapter;
(ii) Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer.
(iii) Resolution of internal grievances;
(iv) The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity; and
(v) Consistent with the applicable requirements of §164.514, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.
(45 C.F.R. § 164.501, definition of health care operations, emphasis added). HHS’s use of similar terms (i.e., the covered entity’s “business management and general administrative activities” compared to the business associate’s “management and administration”) arguably suggests that the business associate may use PHI for similar internal operations. However, the commentary we have suggests that “management and administration” should be construed relatively narrowly. For example, The OCR has explained:
Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.
(OCR Guidance here). In the health information organization (“HIO”) context, the OCR published the following FAQ:
What may a HIPAA covered entity’s business associate agreement authorize a health information organization (HIO) to do with electronic protected health information (PHI) it maintains or has access to in the network?
A business associate agreement may authorize a business associate to make uses and disclosures of PHI the covered entity itself is permitted by the HIPAA Privacy Rule to make. See 45 C.F.R. § 164.504(e). In addition, the Privacy Rule permits a business associate agreement to authorize a business associate (e.g., a HIO) to: (1) use and disclose PHI for the proper management and administration of the business associate, in accordance with 45 C.F.R. § 164.504(e)(4); and (2) to provide data aggregation services related to the health care operations of the covered entities for which it has agreements. In most cases, the permitted uses and disclosures established by a business associate agreement will vary based on the particular functions or services the business associate is to provide the covered entity. Similarly, a covered entity’s business associate agreement with a HIO will vary depending on a number of factors, such as the electronic health information exchange purpose which the HIO is to manage, the particular functions or services the HIO is to perform for the covered entity, and any other legal obligations a HIO may have with respect to the PHI. For example, the business associate agreements between covered entities and a HIO may authorize the HIO to:
- Manage authorized requests for, and disclosures of, PHI among participants in the network;
- Create and maintain a master patient index;
- Provide a record locater or patient matching service;
- Standardize data formats;
- Implement business rules to assist in the automation of data exchange;
- Facilitate the identification and correction of errors in health information records; and
- Aggregate data on behalf of multiple covered entities.
(https://www.hhs.gov/hipaa/for-professionals/faq/543/what-may-a-covered-entitys-business-associate-agreement-authorize/index.html). Note that the permitted uses relate closely to the services the business associate performs for the covered entities.
HHS has confirmed that the “management and administration” exception does not extend to data mining for the business associate’s own purposes:
Comment: A commenter recommended that the business partner contract specifically address the issue of data mining because of its increasing prevalence within and outside the health care industry.
Response: We agree that protected health information should only be used by business associates for the purposes identified in the business associate contract. We address the issue of data mining by requiring that the business associate contract explicitly identify the uses or disclosures that the business associate is permitted to make with the protected health information. Aside from disclosures for data aggregation and business associate management, the business associate contract cannot authorize any uses or disclosures that the covered entity itself cannot make. Therefore, data mining by the business associate for any purpose not specified in the contract is a violation of the contract and grounds for termination of the contract by the covered entity.
(65 F.R. 82644). Similarly, OCR FAQs confirm that a business associate may not use PHI for its own marketing purposes:
Can contractors (business associates) use protected health information for its own marketing purposes?
Answer: No. While covered entities may share protected health information with their contractors who meet the definition of “business associates” under the HIPAA Privacy Rule, that definition is limited to contractors that obtain protected health information to perform or assist in the performance of certain health care operations on behalf of covered entities. Thus, business associates, with limited exceptions, cannot use protected health information for their own purposes…. [T]he Privacy Rule expressly prohibits … covered health care providers from selling protected health information to third parties for the third party’s own marketing activities, without authorization. So, for example, a pharmacist cannot, without patient authorization, sell a list of patients to a pharmaceutical company, for the pharmaceutical company to market its own products to the individuals on the list.
We have found no HHS or OCR commentary authorizing a business associate to use PHI for its own product development or similar purposes under the “management and administration” function. Absent such commentary, a business associate’s use of PHI for its own product development or other such uses is risky unless such product development or other use is within the scope of the services performed by the business associate for the covered entity as specified in the BAA, and within a use permitted by the covered entity.
III. Agreements to Limit Disclosures.
Even in those situations in which HIPAA would allow the use of the PHI, a covered entity may intentionally or unintentionally limit its prerogative to use the PHI without the patient’s authorization by agreeing otherwise with the patient. Covered entities and/or business associates must check the scope of their agreements with patients as well as the covered entity’s notice of privacy practices to ensure that they do not prohibit a desired use.
A. Agreement to Restrict Use or Disclosures. Under HIPAA, individuals have the right to request additional restrictions on the use or disclosure of their PHI for purposes of treatment, payment or healthcare operations. (45 C.F.R. § 164.522(a)(1)). Significantly, a covered entity is not required to agree to such additional restrictions, but if it does, the covered entity must abide by the restriction until changed prospectively. (Id. at § 164.522(a)(1)(ii)). Health care providers may unwittingly agree to such restrictions by, e.g., including statements in their registration documents, websites, or elsewhere stating that they will not disclose information unless authorized, or otherwise promising to maintain the confidentiality of the information. Before using PHI for health care operations, covered entities and their business associates should ensure that such use is consistent with their representations to the patient.
B. Notice of Privacy Practices. Under HIPAA, “an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual’s rights and the covered entity’s legal duties with respect to protected health information.” (45 C.F.R. § 164.520(a)(1)). To that end, covered entities are generally required to publish a notice of privacy practices describing the uses or disclosures of PHI they are permitted to make or the purposes for such permitted uses or disclosures. (Id. at 164.520(b)). For each such purpose, “the description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by [HIPAA] and other applicable law.” (Id. at § 164.520(b)(1)(iii)). The notice of privacy practices must include a “statement that other uses and disclosures not described in the notice will be made only with the individual’s written authorization…” (Id. at § 164.520(b)(1)(ii)(E)). “A covered entity that is required … to have a notice may not use or disclose PHI in a manner inconsistent with such notice.” (Id. at § 164.502(i)). Covered entities and their business associates must ensure that any use of PHI is consistent with—or at least not inconsistent with—the notice. Failure to comply with the representations in the notice or other assurances given individuals may subject the provider to HIPAA penalties and perhaps deceptive trade practices claims based on the FTC’s recent enforcement actions against entities that fail to comply with their published privacy policies. (See generally https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/privacy-security-enforcement).
IV. De-Identification.
Importantly, the foregoing restrictions do not apply if the PHI is properly de-identified consistent with the standards in 45 C.F.R. § 164.514. (45 C.F.R. § 164.502(d)(2)). HIPAA specifically authorizes covered entities “to create information that is not individually identifiable health information or disclose protected health information only to a business associate for such purpose, whether or not the de-identified info is to be used by the covered entity.” (Id. at § 164.502(d)). De-identification is considered part of a covered entity’s health care operations. (Id. at § 164.501). A covered entity may, through its BAA, authorize the business associate to de-identify PHI on behalf of the covered entity (see id. at § 164.502(d)), but neither the business associate nor its subcontractors may de-identify PHI unless so authorized in the covered entity’s business associate agreement:
if a business associate agreement between a covered entity and a contractor does not permit the contractor to de-identify protected health information, then the business associate agreement between the contractor and a subcontractor (and the agreement between the subcontractor and another subcontractor) cannot permit the de-identification of protected health information. Such a use may be permissible if done by the covered entity, but is not permitted by the contractor or any subcontractors if it is not permitted by the covered entity’s business associate agreement with the contractor.
(78 F.R. 5601).
Once de-identified, the information is no longer protected by HIPAA and, unless otherwise limited by the agreements between the parties or other law, the contractor, business associate, or subcontractor may use the de-identified information for its own purposes without violating HIPAA. The OCR published the following FAQ addressing this issue:
May a health information organization (HIO), acting as a business associate of a HIPAA covered entity, de-identify information and then use it for its own purposes?
A HIO, as a business associate, may only use or disclose protected health information (PHI) as authorized by its business associate agreement with the covered entity. See 45 C.F.R. § 164.504(e). The process of de-identifying PHI constitutes a use of PHI. Thus, a HIO may only de-identify PHI it has on behalf of a covered entity to the extent that the business associate agreement authorizes the HIO to do so. However, once PHI is de-identified in accordance with the HIPAA Privacy Rule, it is no longer PHI and, thus, may be used and disclosed by the covered entity or HIO for any purpose (subject to any other applicable laws).
V. Conclusion.
Although covered entities may believe that PHI in their possession “belongs” to them, HIPAA still limits their ability to use the information for their own purposes without the individual’s authorization except in limited circumstances. The same restrictions flow down to business associates and subcontractors: unless otherwise allowed by HIPAA and the business associate agreement, business associates may not use PHI for their own purposes. Because of the limits, parties may often find that proper de-identification is the best option for such uses.
1Protected health information is generally defined as
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) [t]hat identifies the individual; or (ii) [w]ith respect to which there is a reasonable basis to believe the information can be used to identify the individual.
(45 C.F.R. § 160.103)
2“Use means, with respect to individually identifiable health info, the sharing, employment, application, utilization, examination, or analysis of such info within an entity that maintains such info.” (45 C.F.R. § 160.103).
3“Disclosure means the release, transfer, provision of access to, or divulging in any manner of info outside the entity holding the info.” (Id.).
4“Sale of PHI” does not include disclosures:
(ii) For research purposes pursuant to § 164.512(i) or § 164.514(e), where the only remuneration received by the covered entity or business associate is a reasonable cost-based fee to cover the cost to prepare and transmit the protected health information for such purposes;
(iii) For treatment and payment purposes pursuant to § 164.506(a);
(iv) For the sale, transfer, merger, or consolidation of all or part of the covered entity and for related due diligence as described in paragraph (6)(iv) of the definition of health care operations and pursuant to § 164.506(a);
(v) To or by a business associate for activities that the business associate undertakes on behalf of a covered entity, or on behalf of a business associate in the case of a subcontractor, pursuant to §§ 164.502(e) and 164.504(e), and the only remuneration provided is by the covered entity to the business associate, or by the business associate to the subcontractor, if applicable, for the performance of such activities;
(vi) To an individual, when requested under § 164.524 or § 164.528;
(vii) Required by law as permitted under § 164.512(a); and
(viii) For any other purpose permitted by and in accordance with the applicable requirements of this subpart, where the only remuneration received by the covered entity or business associate is a reasonable, cost-based fee to cover the cost to prepare and transmit the protected health information for such purpose or a fee otherwise expressly permitted by other law.
(45 C.F.R. § 164.502(a)(5)(ii)(B)).
5Specifically, “marketing” does not include a communication made:
(i) To provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, only if any financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication.
(ii) For the following treatment and health care operations purposes, except where the covered entity receives financial remuneration in exchange for making the communication:
(B) To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; or
(C) For case management or care coordination, contacting of individuals with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of treatment.
(45 C.F.R. § 164.501).
For questions regarding this update, please contact:
Kim C. Stanger
Holland & Hart, 800 W Main Street, Suite 1750, Boise, ID 83702
email: kcstanger@hollandhart.com, phone: 208-383-3913
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.