The uproar over protecting health and medical information has not gone unnoticed by the Direct Marketing Association (DMA). Its board of directors recently voted to adopt a series of guidelines to restrict marketing use of "personally identifiable health-related information."
The new marketing guidelines dictate that:
- Information collected in the context of a relationship between a healthcare provider and a consumer cannot be transferred to a third-party to be used for marketing without the individual's prior consent.
- Information collected in the context of a relationship between a healthcare provider and a consumer can be used by that healthcare provider only if individuals are notified and given the opportunity to opt out of having their data used for such purposes.
- Information volunteered by consumers, like surveys, and gathered outside of the relationship between a healthcare provider and a consumer would require that notice be given at the time the data were collected.
- Information inferred about consumers, like purchase or transaction data, and gathered outside the relationship between a healthcare provider and a consumer would require the usual Privacy Promise requirements of notice and the opportunity to opt out.
(DMA, http://www.the-dma.org)