The DMA Ethical Guidelines on Collection, Use and Transfer of Health-Related Data
Board Approved, October, 1999
Direct marketers understand the sensitivity of collecting and using health-related data. Health-related data constitute information related to consumers:
- their illnesses or conditions;
- treatments for those illnesses or conditions, such as prescription drugs, medical procedures, devices or supplies; or
- treatments received from doctors (or other health care providers), at hospitals, at clinics or at other medical treatment facilities.
These fair information practices and principles apply to any individual or entity that collects, maintains, uses and/or transfers health-related data for marketing purposes, whether or not marketing is a primary purpose. These principles are applicable to non-profit as well as for-profit entities.
#1 Personally identifiable health-related data gained in the context of a relationship between consumers and health or medical care providers or medical treatment facilities should not be transferred for marketing purposes without the specific prior consent of those consumers. Health or medical care providers include licensed health care practitioners, such as doctors, nurses, psychologists, pharmacists and counselors, and those who support health care providers and therefore have access to personally identifiable information, such as insurance companies, pharmacy benefits managers or other business partners, and businesses that sell prescription drugs.
#2 Personally identifiable health-related data, including the occurrence of childbirth, gained in the context of a relationship between consumers and health or medical care providers or medical treatment facilities (as defined in #1) should not be used to contact those consumers for marketing purposes without giving consumers a clear notice of the marketer's intended uses of the data and the opportunity to request not to be so contacted.
#3 Personally identifiable health-related data volunteered by consumers, and gathered outside of the relationship between consumers and health care providers, should also be considered sensitive and personal in nature. Such data should not be collected, maintained, used and/or transferred for marketing purposes unless those consumers receive, at the time the data are collected, a clear notice of the marketer's intended uses of the data, whether the marketer will transfer the data to third parties for further use, the name of the collecting organization, and the opportunity to opt out of transfer of the data. Such data include, but are not limited to, data volunteered by consumers when responding to surveys and questionnaires. Clear notice should be easy to find, read and understand.
#4 Personally identifiable health-related data inferred about consumers, and gathered outside of the relationship between consumers and health care providers, should also be considered sensitive and personal in nature. These are data based on consumers' purchasing behavior. Such data include, but are not limited to, data captured by inquiries, donations, purchases, frequent shopper programs, advertised toll-free telephone numbers, or other consumer response devices. Any entity, including a seller of over-the-counter drugs, which uses inferred health-related data should, per The DMA's Privacy Promise, promptly provide notice and the opportunity to opt out of any transfer of the data for marketing purposes.
#5 Marketers using personally-identifiable health-related data should provide both the source and the nature of the information they have about that consumer, upon request of that consumer and receipt of that consumer's proper identification.
#6 Consumers should not be required to release personally-identifiable health-related information about themselves to be used for marketing purposes as a condition of receiving insurance coverage, treatment or information, or otherwise completing their health care-related transaction.
#7 The text, appearance and nature of solicitations directed to consumers on the basis of health-related data should take into account the sensitive nature of such data.
#8 Marketers should ensure that safeguards are built into their systems to protect personally identifiable health-related data from unauthorized access, alteration, abuse, theft or misappropriation. Employees who have access to personally identifiable health-related data should agree in advance to use those data only in an authorized manner.
If personally identifiable health-related data are transferred from one direct marketer to another for a marketing purpose, the transferor should arrange strict security measures to assure that unauthorized access to the data is not likely during the transfer process. Transfers of personally identifiable health-related data should not be permitted for any marketing uses that are in violation of any of The DMA's Guidelines for Ethical Business Practice.
Nothing in these guidelines is meant to prohibit research, marketing or other uses of health-related data which are not personally-identifiable, and which are used in the aggregate.
back to top