Managing PHI for Marketing Purposes: Parts II and III
Author’s Note
I had originally intended today’s posting on consumer privacy issues to be the second of a three-part series. But after last week’s discourse, response from the public was immediate and massive. “We can’t possibly wait two entire weeks to hear about HIPAA or the Final Word on RTCRM’s baseline approach to managing PHI!” they shrieked, frantically wagging their thin claw-like fingers at me. “Post both remaining chapters next week — or else,” they threatened.
“Or else what?” I asked, wishing quietly for the millionth time that I’d gone to librarian school.
“Just finish the post, pretty boy. Don’t make us hurt you,” they said.
“Okay, okay,” I acquiesced. “I’ll finish it up next week. Jeez, Mom.”
Thanks for reading.
ZR
Fair Information Practice Principles
Fair Information Practice Principles are a widely accepted set of guidelines for how companies should collect, store and use personal information collected from individuals. Though technology-agnostic, the ideas behind the principles are fundamental components of relationship marketing ethics, and are as applicable today as they were 30 years ago.
They are:
Notice/Awareness: Data collectors must disclose the intended use of collected data in a clear and forthright manner.
Choice/Consent: Consumers must be given options with respect to whether and how information collected from them may be used for purposes beyond those for which the information was provided.
Access/Participation: Consumers should be able to view and contest the accuracy and completeness of data collected about them.
Integrity/Security: Data collectors must take reasonable steps to assure that information collected from consumers is accurate and secure.
Onward Transfer: Basically requires organizations to apply the Notice and Choice principles before sharing collected data with additional organizations.
Enforcement: A set of rules is only as good as the ability to enforce them. This principle therefore provides for two important stipulations. First, that entities processing personal data be subject to independent oversight. Second, that individuals have a right to legal redress should entities in possession of their data fail to adhere to the law with regard to its use.
Enforcement is where the gap is bridged between ethical principles and tangible law – where specific federal and state privacy statutes come to bear – most notably the Health Insurance Portability and Accountability Act, the federal statute better known as HIPAA.
What Is HIPAA?
Title II of the Health Insurance Portability and Accountability Act provides national standards to protect individuals’ medical records and other personal health information. Among other things, its objectives are to give patients more control over their health information and the ability to set boundaries on the use and release of their personal health records. More specifically, HIPAA requires covered entities to receive written authorization from an individual prior to using or disclosing their PHI to a third party for any reason other than those functions essential to providing quality health care.
Not surprisingly, marketing – defined broadly in the statute as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service” – is not considered essential to the provision of quality health care. Covered entities are therefore prohibited from sharing or selling individual PHI to any organization for the purposes of selling a product or service without that individual’s written permission.
Who Is Covered?
Entities considered covered by HIPAA, and therefore subject to its privacy and data treatment guidelines, include health care providers, health plans and HMOs. Individuals themselves are free to share their own PHI with whomever they choose, including market research firms, CPG manufacturers, pharmaceutical companies and any number of other entities not covered under HIPAA. Assuming that their data collection and usage practices are in accordance with Fair Information Practice Principles, these entities are free to make full use of individual PHI even without the express, written consent of the individual. Once an individual voluntarily provides his/her PHI, the federal statute ceases to apply.
What Does HIPAA Mean to Marketers?
This is one of the most commonly misunderstood aspects of the law. For non-covered entities, HIPAA does not place specific restrictions on acceptable use of PHI assuming that the information was collected and obtained in a legally compliant manner. There are other important considerations, however, with regard to use of individual PHI:
1. When acquisition names are purchased from third-party sources (e.g., iCOM), the owner of the data generally limits the number of times mailers may contact list members – excepting cases in which the targeted individual opts in to additional communications from the mailer. In other words, the limiting factor in how many times a consumer can be mailed to in these cases is not any government stipulation, but the data rental agreement between the mailer and list owner.
2. Marketers must consider the consumer experience. Ultimately, PHI is only available from covered entities (who are forbidden from sharing it) or the individual. A positive and mutually beneficial relationship with a consumer cannot exist if the consumer feels unfairly manipulated or, in the extreme, illegally violated. For this reason, it is always a good idea to gain a consumer’s trust and acceptance of a marketing relationship before setting forth without them.
3. Competitive advantage. When health care providers and HMOs partner with pharmaceutical companies, they can become subject to aspects of HIPAA governing the behavior of business associates. Penalties for the non-compliance of a business associate can be steep; therefore, these covered entities are going to be much more amenable to partnership with organizations they know to be conservative in their treatment of PHI.
4. A fourth and often frustrating consideration is that HIPAA itself is only the minimum standard set by the federal government; it is the floor, not the ceiling. Individual states can and do impose additional restrictions that govern the way entities can leverage the PHI of their residents.
What Is the Impact of Individual State Laws?
It depends. A number of states, including California, Florida, Maine, Minnesota, South Carolina, Vermont, West Virginia and the District of Columbia have enacted laws affecting pharmaceutical marketing. They impact everything from allowable gifts to physicians to limitations on the mining of pharmacy data.
The Texas Medical Privacy Act expands upon HIPAA’s definition of a covered entity to include, among others, pharmaceutical companies. This prohibits companies from sharing or using individual PHI for any reason other than that given when the information was collected without first obtaining a consumer’s signature. This does not necessarily preclude marketers from using PHI to market a product to an individual as long as the Notice doctrine was appropriately applied.
The state of California requires pharmaceutical companies to comply with The Pharmaceutical Research and Manufacturers of America (PhRMA) guidelines when marketing to consumers. PhRMA is an organization comprised of the country’s leading drug researchers and manufacturers, so its point of view on the subject of DTC marketing is decidedly fair. It begins with an underlying belief that DTC marketing can benefit public health by educating patients and fostering collaboration with the medical community. A selection of PhRMA DTC principles is summarized here at a high level.
> DTC claims must be accurate and clear, supported by evidence, and compliant with FDA regulations.
> DTC advertising should foster communication between patients and health care providers. Providers should be educated about new treatments prior to launch of DTC advertising.
> DTC advertising should be clear about alternative treatments (e.g., diet, exercise) and risks of therapy.
> Companies should submit DTC television advertisements to the FDA prior to broadcast. The PhRMA guidelines here are actually more strongly worded than the FDA rule itself.
The Final Word
Ultimately, we are obligated to act in accordance with our client partners’ legal interpretations and applications of privacy law. Some clients may choose, for example, to always behave as a HIPAA-covered entity in certain states, while others may take a more liberal (and literal) stance. It is important that we not only understand and document our clients’ policies related to PHI; we must also ensure their policies are applied accurately and consistently across their business.
Apart from individual client directives, however, it is imperative to establish our own organizational baseline position on how we collect, store and use sensitive consumer data. It is a standard that must be universally applied across internal business units as well as to external partners and data providers. Our point of view in this area must be coherent, consistent and based on consumer marketing best practices.
Specifically, our agency’s policy is to consider Fair Information Practice Principles and PhRMA DTC advertising guidelines as the minimum required of new programs that incorporate the collection and use of sensitive consumer data – the starting points from which to build marketing strategies that benefit our clients and their customers while further establishing RTCRM as a leader in the business of Relationship Marketing.
Written by Zachary Rodman