Sensitive Health Information: Protected and Not For Sale

Safe and meaningful data-driven marketing is the key to building businesses, creating jobs, and fueling donations to nonprofits. If consumer trust in marketing were to fall away, these benefits would cease to exist. It’s up to all of us to ensure that laws protecting consumer information work in tandem with meaningful industry self-regulation.

As marketers and fundraisers, it’s our duty to protect consumers’ private information; health information is chief among those. This has informed the Direct Marketing Association’s (DMA) ethics policy work to craft and shape meaningful self-regulation, which benefits both consumers and marketers. But based on recent stories in the press, some believe that health information is being “sold” and profited from without any controls at all. This is simply not true.

Sectoral laws like the Health Information Portability and Accountability Act (HIPAA), provide strong and important protections for the private information consumers share with organizations. These operate alongside DMA’s own Guidelines on Ethical Business Practice. Working with its member companies, DMA constantly develops, updates, and enforces its guidelines as part of the data-driven marketing community’s public trust with regulators and consumers. When organizations act in violation of these guidelines—and hence, in violation of consumer trust—DMA holds them accountable; this includes protecting health information.

HIPAA strongly regulates what companies can and cannot do with private health information. Some highlights: covered entities include health plans, servicers, and providers, as well as business associates (such as marketers) and their subcontractors; they must obtain written permission from individuals by the way of a signed authorization form before they use or share health-related information for marketing purposes. This statement must also include whether the entity will be paid in exchange for the marketing activity. In other words, protected health information, such as health conditions or treatments, shouldn’t be transferred to others (i.e. “sold”) without the written permission of the subject. Violations of these rules are enforced by the Department of Health and Human Services. For more information about HIPAA, visit HHS’ Office for Civil Rights.

DMA guidelines also work to secure health information. In addition to the same HIPAA requirements regarding written authorization, the guidelines state that volunteered health information gathered outside of a health provider relationship shouldn’t be used for marketing purposes or transferred without clear notice to the consumer. This notice must include the intended uses of the information, as well as an opt-out mechanism. Furthermore, organizations should ensure that consumers can identify the data’s source to fully opt-out of the process if they choose to.

Private health information, which is personal to each and every one of us, must be treated sensitively. This information shouldn’t be “sold” behind a veil of secrecy or posted publicly without any consideration of privacy protection for an individual. DMA believes that consumers should be provided with transparency and choices. In fact, the DMA has developed, which allows customers to opt-out of future direct mail offers specifically, to give consumers more options. Protecting health information by organizations and their third parties is a vital part of our ethical obligation to consumers.

Xenia “Senny” Boone, Esq. serves as DMA’s in-house counsel for a range of legal issues. She also leads the organization’s efforts in compliance and best practice applications for direct marketing and fundraising.

Related Posts