Frequently Asked Questions (FAQs) DMA Health Data Marketing Guidelines

  1. What guidelines do I need to follow for marketing health-related data derived directly from a patient/health care provider relationship?
  2. What guidelines do I need to follow for marketing health-related data that is not obtained directly from a provider/patient relationship?
  3. Do these guidelines apply to non-profit organizations?
  4. How should I make my notice to consumers clear?
  5. What kind of access to data do I need to provide consumers?
  6. Can I condition health care-related services upon receiving personally identifiable health-related information?
  7. What should I consider when marketing using health-related data?
  8. What steps should I take to protect consumers' health-related data?
  9. How does this affect my ability to market using aggregate information obtained from health-related data?
  10. Where do I find more information about DMA guidelines on ethical business practices?
  11. If I comply with DMA's Health Data Marketing Guidelines, then am I in compliance with HIPAA?

1. What guidelines do I need to follow for marketing health-related data derived directly from a patient/health care provider relationship?

  • You must obtain prior consent from the consumer before transferring health-related data.
  • You must provide clear notice if you wish to contact consumers using this data and inform them of your intended uses of the data. Also, the consumer needs to be provided the opportunity to request not to be contacted.

2. What guidelines do I need to follow for marketing health-related data that is not obtained directly from a provider/patient relationship?

The following conditions should be met if you plan on collecting, maintaining, using, and/or transferring health or medical data:

  • For data volunteered by the consumer (i.e., surveys or questionnaires), a clear notice must be provided by the marketer at the time the data are collected. The notice must include:
    (1) the marketer's intended uses of the data,
    (2) whether the marketer will transfer the data to third parties for further use,
    (3) the name of the collecting organization, and
    (4) the opportunity to opt-out of having the data transferred.
  • For data inferred about the consumer and based on purchasing behavior (i.e., donations, frequent shopper programs, toll-free numbers), prompt notice must be provided, along with the opportunity to opt out of any transfer of the data for marketing purposes, per The DMA's Privacy Promise.

3. Do these guidelines apply to non-profit organizations?

Yes, both for-profit and non-profit organizations must comply with these guidelines.

4. How should I make my notice to consumers clear?

Your notice should be easy to find, read and understand.

5. What kind of access to data do I need to provide consumers?

Marketers using personally-identifiable health-related data should provide both the source and the nature of the information they have about that consumer, upon request of that consumer and appropriate verification of identification.

6. Can I condition health care-related services upon receiving personally identifiable health-related information?

No. Consumers should not be required to release personally-identifiable health-related information about themselves to be used for marketing purposes as a condition of receiving insurance coverage, treatment or information, or otherwise completing their health care-related transaction. (Same rules apply under HIPAA.)

7. What should I consider when marketing using health-related data?

Take care and be considerate when corresponding with consumers about health-related data. The text, appearance and nature of solicitations directed to consumers on the basis of health-related data should take into account the sensitive nature of such data.

8. What steps should I take to protect consumers' health-related data?

Marketers should ensure that safeguards are built into their systems to protect personally identifiable health-related data from unauthorized access, alteration, abuse, theft or misappropriation. Employees who have access to personally identifiable health-related data should agree in advance to use those data only in an authorized manner.

If personally identifiable health-related data are transferred from one direct marketer to another for a marketing purpose, the transferor should arrange strict security measures to assure that unauthorized access to the data is not likely during the transfer process. Transfers of personally identifiable health-related data should not be permitted for any marketing uses that are in violation of any of The DMA's Guidelines for Ethical Business Practice.

9. How does this affect my ability to market using aggregate information obtained from health-related data?

Nothing in these guidelines is meant to prohibit research, marketing or other uses of health-related data which are not personally-identifiable, and which are used in the aggregate.

10. Where do I find more information about DMA guidelines on ethical business practices?

For more information about DMA's guidelines, please review The DMA Guidelines for Ethical Business Practices.

11. If I comply with DMA's Health Marketing Guidelines, then am I in compliance with HIPAA?

No. Although there are similarities between HIPAA and DMA's Health Marketing Guidelines, HIPAA is law and The DMA's Guidelines are not, and in some areas HIPAA requires more than The DMA Guidelines.

© Direct Marketing Association