Merck Ethical Operating Standards Handbook
communications privacy laws, data security laws, and unfair/deceptive trade practice and consumer
protection laws.
Health information privacy laws relate to the use and disclosure of individually identifiable personal health information (PHI). These include the Federal Health Insurance Portability and Accountability Act (HIPAA), the Federal Health Information Technology for Economic and Clinical Health Act (HITECH), and various State health information privacy laws. State privacy laws, such as the California Privacy Rights Act (CPRA), impose specific requirements for transparency, notices, consent processes, limits on collection and sharing of information, and access, deletion, suppression and correction of data. Certain states also provide rights such as “do not sell” and limits on tracking user behavior. Communication privacy laws impose requirements on the method or channel of communication (e.g., e-mail, social media, apps, telephone (including SMS), fax, and other online channels), how and when the channel is used, appropriate recipients, and the content of the communication. Data security laws set requirements to protect the security and confidentiality of certain types of personal information, as well as requirements for notification to affected individuals in the event of unauthorized access to certain types of personal information. More recently, states have been enacting privacy laws and expectations which, depending on the vehicle of delivery or collection, may extend beyond the jurisdiction of that state.
Unfair/deceptive trade practice and consumer protection laws establish minimum requirements for all
communications with consumers and customers and may also set minimum standards for the manner
in which personal information is secured, subject to more restrictive requirements established by
health information privacy laws, state privacy laws, communications privacy laws, and data security
laws. Additionally, in light of the rapid, ongoing evolution of mobile and connected data platforms
as well as the use of data analytics across business sectors, some states are considering broader
consumer privacy laws providing further protections related to the collection, tracking, and sale of
personal information. In fact, multiple states have already enacted new and broader privacy laws
effective on or after January 1, 2023.
Merck's Privacy Program, policies, and implementing standards have been developed to facilitate compliance with all applicable privacy laws and regulations. For a more complete description, refer to Corporate Policy 13 – Information Management and Protection, Corporate Policy 13.2 – Global Privacy and Data Protection, and Corporate Policy 13.10 – Global Workplace Privacy. For additional information, visit the Privacy Hub - Home (merck.com).
REGULATORY GUIDANCE AND INDUSTRY STANDARDS
In addition to the laws discussed above, there are two important sets of standards that shape how
Merck employees should act. Both of these standards have been incorporated into Merck policies.
In 2003, the Office of the Inspector General (OIG) of the Department of Health and Human Services
(HHS) issued guidance for pharmaceutical manufacturers’ compliance programs. HHS OIG is
responsible for providing objective oversight to promote the economy, efficiency, effectiveness, and
integrity of HHS programs by conducting, among other activities, a nationwide network of audits,
investigations, and inspections. The 2003 guidance signaled three areas that OIG is particularly
concerned about: the integrity of pricing data provided to the federal government to establish payment
amounts; kickbacks and other illegal remuneration to health care professionals; and prescription drug
samples, vouchers and/or coupons.