Ask Reggi Your Question Now

Reggi is the free generative AI assistance for regulatory compliance
Ask a Question

Can I use third-party marketing automation tools that collect personal information in Hawaii? What are the requirements?

Using Third-Party Marketing Automation Tools in Hawaii

If you are using third-party marketing automation tools that collect personal information in Hawaii, you must comply with the state’s laws and regulations regarding the disclosure of nonpublic personal financial information [1.1].

Under HIRS 431:3A-303, a licensee shall not disclose, directly or through an affiliate other than to a consumer reporting agency, a policy number or similar form of access number or access code for a consumer’s policy or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer [1.2]. However, subsection (a) does not apply if a licensee discloses a policy number or similar form of access number or access code to the licensee’s service provider solely in order to perform marketing for the licensee’s own products or services, if the service provider is not authorized to directly initiate charges to the account [1.2].

Additionally, under HIRS 487J-7, a pharmacy benefit manager shall not use an individual’s health information, or share an individual’s health information with any pharmacy affiliated with or owned, wholly or in part, by the pharmacy benefit manager, for the purpose of marketing, unless the use of the individual’s health information is medically necessary to the health and safety of the individual, the use of the individual’s health information is consistent with regulations of the federal Centers for Medicare and Medicaid, if the plan is governed by those rules, or the individual has affirmatively opted in, in writing, to use of the information [3.1].

Best Practices for Personal Information Security

HIRS 487N-6 identifies best practices to assist government agencies in improving security and privacy programs relating to personal information. The council shall identify best practices relating to automated tools, training, processes, and applicable standards. The best practices identified by the council shall be posted on each government agency’s website in a manner that is readily accessible by employees of the government agency [2.1].

Conclusion

To summarize, if you are using third-party marketing automation tools that collect personal information in Hawaii, you must comply with the state’s laws and regulations regarding the disclosure of nonpublic personal financial information. You must ensure that the third party is a nonaffiliated third party, that you have entered into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which you disclosed the information, and that you provide the initial notice in accordance with section 431:3A-201 [1.1]. Additionally, you must ensure that you are not disclosing policy numbers or similar access codes to nonaffiliated third parties for marketing purposes, unless the disclosure is to a service provider solely in order to perform marketing for your own products or services [1.2]. Finally, if you are a pharmacy benefit manager, you must ensure that you are not using an individual’s health information for marketing purposes, unless the use of the information is medically necessary to the health and safety of the individual, the use of the information is consistent with regulations of the federal Centers for Medicare and Medicaid, if the plan is governed by those rules, or the individual has affirmatively opted in, in writing, to use of the information [3.1].

Source(s):
Jurisdiction

Hawaii