Medicx Viewpoint: Navigating the Changing Reality of Privacy Legislation
With the first anniversary of the European Union's General Data Protection Regulation (GDPR) effective date in the rearview mirror, legislative ripples continue to move across the US in the form of new state privacy laws with wide-reaching implications for healthcare and pharma marketers.
While the industry focuses heavily on HIPAA-related concerns when it comes to privacy, the realities of the new laws have propelled the topic to the forefront of conversations across sectors, and even for the general public. According to a recent study, 89% of Americans surveyed want to choose whether technology companies share their data. What this means is that compliance with privacy laws is becoming more challenging, and more essential, than ever before. Here is our primer on the critical privacy developments for the coming year and beyond.
Colorado Protections for Consumer Data Privacy Law
On September 1, 2018, Colorado joined the ranks of states addressing privacy and data security with its new law. The legislation establishes three critical responsibilities for businesses and government entities that keep paper or electronic documents containing Coloradans' personal identifying information:
- Companies must maintain and follow a written policy regarding the disposal of the personal information they hold.
- Entities must take "reasonable" steps to protect the personal information they keep.
- Entities must alert consumers of a data breach within 30 days. If the breach impacts more than 500 Coloradans, the business or organization must inform the attorney general's office.
Colorado law requires compliance on a different basis than California. Covered organizations and individuals that maintain, own, or license personally identifiable information (PII) in the course of their work must comply with the new legislation. The state defines PII as social security numbers, passport numbers, other ID numbers, passwords, and biometric data used to authenticate a person trying to access an account. The new Colorado law also imposes requirements on governmental entities such as state agencies, cities and towns, and even school districts.
California Consumer Privacy Act (CCPA)
Signed into law by Governor Jerry Brown and taking effect on January 1, 2020, the CCPA provides California residents with enhanced privacy rights and consumer protection. The law empowers consumers to find out what information businesses are collecting about them, their devices, and their family, and gives them a choice to opt out.
CCPA applies to businesses, including any for-profit entity that collects consumers' data, that do business in California and satisfy at least one of these thresholds:
- Annual gross revenue above $25MM
- Possesses the personal information of 50,000 or more consumers, households or devices
- Earns more than half of its annual revenue from selling consumers' personal information
The Domino Effect
Not surprisingly, several other states, including Maryland, New Jersey, and Washington, have also introduced privacy legislation, creating the potential for a very complicated patchwork of laws in the country. In light of the potential uncertainty and expense that these legal changes could present, businesses are starting to call on the US Congress to implement national comprehensive data privacy legislation. Congress has answered by introducing bills such as the American Data Dissemination Act and the Social Media Privacy Protection and Consumer Rights Act of 2019.
Whether it remains a state-level issue or federal legislation passes, there is no doubt that privacy is going to be a hot-button issue for the foreseeable future. With that in mind, it is vital for healthcare and pharma marketers to keep up with developments in the privacy world and to ensure that premium data partners, like Medicx Media, do the same.
The Medicx Advantage
Medicx sets the standard for patient privacy in several ways. First, there is a priority placed on maintaining third-party assessment, known as Risk Re-identification Determination Assessment (RRD), for its patient audience data and its proprietary methods for privacy by design best practices. Completing this exacting review every eighteen to twenty-four months ensures that Medicx audience data is properly de-identified, is defensible, and is compliant with all existing state and federal laws.
"When a brand or agency works with us, they know we remove all risks associated with reaching and communicating with patient audiences. We accomplish this through our HIPAA-compliant patented patient aggregation process. That leaves the client free to focus on delivering strong audience quality, ROI and their preferred KPIs," said Medicx CEO Michael Weintraub.
Next, many companies use the safe harbor method to de-identify protected health information because they want to commercialize their data. But Medicx safeguards the highest level of privacy by using the expert determination method to aggregate and anonymize its data. And Medicx doesn't license its data; we embed it in the offerings.
Lastly, because of Medicx Media's commitment to maintaining HIPAA compliance and the integrity of its regular RRD Assessments, the company manages its data in a closed-loop environment. The source data never leaves the Medicx environment. Access to the data is limited to company personnel who have undergone HIPAA and data security training. And the data is kept pure and never integrated with any other data. Meeting all these conditions is the only HIPAA-compliant way to leverage real-world data at a level that can be as granular as ZIP+4—a targeting method that is unique to Medicx.
"Our patented Micro-Neighborhood® platform and data-driven audience building process are unique in the market," said Dr. Eric Trepanier, Medicx Media's Executive Vice President and General Manager. "We enable healthcare clients to leverage evidence-based data to target hyper-locally where they know patients of interest live – 'go fishing where the fish are.'"
Medicx Media Solutions has carved out a unique position in the data ecosystem at the intersection of precision and privacy. Learn more about how our Micro-Neighborhood® platform can deliver results for your brand by visiting medicxmedia.com.