HEALTH INFORMATION PRIVACY & PROTECTION
Nothing in these guidelines is meant to prohibit research, marketing, or other uses of health-related data that are not personally identifiable and that are used in the aggregate, since there are no restrictions on the use of de-identified health information.
Health Information Data Protection:
Protected Health Information:
Protected health information is individually identifiable information held or transmitted by a covered entity (a health plan, or a health care clearinghouse, or a health care provider) or its business associate in any form or media, whether written or oral. This information includes demographic information collected from an individual that can reasonably be used to identify the individual. Identifiers can include the individual’s name, specific dates (such as birth, admission, discharge, or death), medical record number, photographs, city, zip code, or geographic or other identifiers held as protected health data. Additionally, protected health information is information that is created or received by a health care provider, health plan, employer, or health care clearinghouse, and that relates to the past, present or future physical or mental health condition of the individual.
These principles apply to any individual or entity that collects, maintains, uses, and/or transfers such protected health information for marketing purposes, whether or not marketing is a primary purpose.
This includes business associates (including the subcontractors of the business associate) who perform functions or services for covered entities that involve the use of protected health information.
Such business associates may only use the protected health information if they have a written agreement to use such protected information for the covered entity’s own marketing purposes.
- Protected health information gained in the context of a relationship between an individual and health or medical care providers or medical treatment facilities should not be transferred for marketing purposes without that individual’s specific prior consent through a written signed authorization form. All marketing communications (receipt of financial remuneration in exchange for the communication) must have such prior written authorization and must include a statement that the organization will be paid for the marketing activity if the marketing includes direct or indirect payment from a third party.
- Covered entities may provide offers for products and services in face-to-face encounters (this is to protect the doctor-patient relationship).
- Health and wellness communications may be provided by the covered entity about its own products and services.
- General wellness and prevention communications may be provided.
- Individually identifiable health-related information gained in the context of a relationship between individuals and health care providers or medical treatment facilities (as defined above) or other covered entities should not be used to contact those individuals for marketing purposes without the required prior written authorization.
- Individually identifiable health-related information volunteered by individuals, and gathered outside of the relationship between individuals and covered entities, should be considered sensitive and personal in nature. Such information should not be collected, maintained, used, and/or transferred for marketing purposes unless those individuals receive, at the time the information is collected, a clear notice of the marketer’s intended uses of the information, whether the marketer will transfer the information to third parties for further use, the name of the collecting organization, and the opportunity to opt out of transfer of the information. Such information includes, but is not limited to, information volunteered by individuals when responding to surveys and questionnaires. The notice should be easy to find, read, and understand.
- Individually identifiable health-related information inferred about individuals, and gathered outside of the relationship between individuals and covered entities, should also be considered sensitive and personal in nature. This is information based on individual purchasing behavior. Such information includes, but is not limited to, data captured by inquiries, donations, purchases, frequent shopper programs, advertised toll-free telephone numbers, or other consumer response devices. Any entity, including a seller of over-the-counter drugs, which uses inferred health-related information should promptly provide the individual with notice and the opportunity to opt out of any transfer of the data for marketing purposes.
- Marketers using individually identifiable health-related information should provide both the source and the nature of the information they have about that individual upon the request of that individual and the receipt of that individual’s proper identification.
- Individuals should not be required to release individually identifiable health-related information about themselves or to provide written authorizations to allow their health information to be used for marketing purposes as a condition of receiving insurance coverage, treatment, services or information, or otherwise completing their health care-related transaction.
- The text, appearance, and nature of solicitations directed to individuals on the basis of their health-related information should take into account the sensitive nature of such information.
- Marketers should ensure that safeguards are built into their systems to protect individually identifiable health-related information from unauthorized access, alteration, abuse, theft, or misappropriation. Employees who have access to individually identifiable health-related information should agree in advance to use such information only in an authorized manner.
- If individually identifiable health-related information is transferred from one direct marketer to another for a legitimate marketing purpose as established by written agreement, the transferor should arrange the most strict security measures to assure that unauthorized access to the information is not likely during the transfer process. Transfers of individually identifiable health-related information should not be permitted for any marketing uses that are in violation of any of DMA’s Guidelines for Ethical Business Practice, state or federal laws.
- Fundraising exception for limited protected health information: Entities are allowed to use or disclose to a business entity or institution or institutionally-related foundation limited protected health information (demographics and dates of care) about an individual for that entity’s fundraising without a prior written authorization. However, the fundraising entity must ensure its fundraising material includes an opt-out notice that is clear and conspicuous, and if it is over the phone, an opt-out disclosure must be made. If the individual does opt out, no more fundraising communications across all marketing channels may be made.
For the opt-out notice:
- the opt-out notice must be included in each fundraising communication;
- the opt-out method must be free;
- the entity cannot condition the treatment or services on an individual’s choice to receive fundraising communication.