For those of us in the business of helping educate patients and healthcare providers (HCPs) about new therapies that can improve quality of life, we constantly face an ever-growing set of state legislation, partner requirements and third-party rules, coupled with our individual principles concerning data ethics.
This rapidly evolving landscape has led to widespread confusion, especially regarding sensitive conditions and information.
What are sensitive conditions/sensitive information?
The first ambiguity is simply how to define what’s being discussed, which varies widely. With five state laws currently in effect, self-regulatory groups such as the Network Advertising Initiative (NAI), healthcare advertising ecosystem partners and other third parties like social media platforms, there are often different meanings to these terms. On top of that, there are currently 22 states with pending legislation that will impact health data privacy, which is only amplifying the puzzling nature of this landscape.
Sensitive medical conditions, which may be defined as issues related to mental health, sexually transmitted diseases or other health issues that can’t be treated with over-the-counter medication, require a differentiated level of processing. While there is some overlap in what’s considered a sensitive condition among the various parties, it is important to understand that definitions vary based on state, provider or partner.
Sensitive information typically refers to the type of data being used about a consumer or patient. This can range from the very narrow “biometric data,” referenced in the California Consumer Privacy Act (CPRA) to the very broad “mental or physical health diagnosis” in the Virginia Consumer Data Protection Act (VCDPA).
Third-party and partner requirements
Additionally, platforms many marketers rely on have their own set of standards and definitions regarding sensitive conditions. For instance, some aren’t concerned with the data used to target or the methodology in building the audiences, but instead prohibit the intent to target certain conditions. In this instance, examples of sensitive conditions that are essentially off-limits can include: reproductive health and rights, fertility and pregnancy, sexually transmitted diseases, mental health-related conditions, sexual orientation, pediatric disease, information describing any individual’s known health or medical condition(s), including Protected Health Information (PHI). Again, this will vary by platform.
The NAI focuses more on the handling of data and how that data is used for the creation of targeting for sensitive conditions. Recognizing how subjective targeting via health data can be, they provide general guidelines on what makes a condition sensitive, including its seriousness, prevalence and whether an average person would consider the condition to be sensitive in nature. They consider drug addiction, sexually transmitted diseases, mental health, cancer, conditions predominantly affecting children and pregnancy termination to be sensitive in nature. The NAI does not prohibit targeting these conditions, but sets out very specific rules around how these targeting segments can be created. The NAI also provides a very valuable service by auditing all of its members annually to verify compliance.
State Regulations: The nuances of individual state regulations can be very complex, so it is always best to consult with your data partner’s privacy experts for detailed answers around compliance. In general, however, all current legislation follows similar guidelines around sensitive information. First, they define personally identifiable information (PII). They then define a sub-category of PII, which is most often called sensitive information (SI). SI usually includes some definition of health-related conditions and health-related data. The important caveat in all cases is that de-identified information is not considered to be PII — so, if a partner utilizes de-identified information, there is no SI.
Ensuring compliance despite restrictions
Given these numerous requirements, it’s obvious that privacy in healthcare marketing will become increasingly complicated over the next few years. To be successful, advertisers must consolidate their supply chain — trying to ensure 10 or more vendors are all in compliance with so many different rules simply isn’t a viable strategy. However, by relying on your most trusted, highest-performing partners, you can provide the proper oversight.
At Swoop, we’re built on a patented privacy-safe data architecture that ensures the highest level of privacy. We don’t expect marketers to know and change course to meet every new privacy restriction because it’s what we do — we’re on top of each new law or platform-specific change to ensure the integrity of our segments and protect our clients and their patients, above all.
Ron Elwell, CEO and founder, Swoop
Ron brings more than 30 years of executive experience in high-tech and digital media. He previously served as an operating partner at Bessemer Ventures, CEO of Goal.com and CEO of Octave Communications.