Individual objects to insurance company’s consent requirements

PIPEDA Case Summary #2006-358

[Principles 4.3, 4.3.2, 4.3.3, and 4.3.4 of Schedule 1]

An individual objected to an insurance company’s consent requirements as outlined in a form that he was asked to sign when he filed a claim for benefits.  He alleged that the company refused to allow him to amend the authorization provisions in its standard consent form, which he was required to submit as part of his claim.  He believed that the company should provide him with the identities of third parties involved in adjudicating any insurance claim he makes, and that the company should seek his express consent in advance of sharing his personal information with any of these parties.

The complainant works in the medical and disability management field.  He was concerned that his file would be shared with someone with whom he has had professional dealings, and that his right to privacy would be compromised as a result. 

The Assistant Privacy Commissioner felt that the company had explained the purposes for the collection and sharing of the complainant’s personal information, and that it had made a reasonable effort to address his concerns about his information being shared with someone with whom he had had professional dealings.  She nevertheless believed that the company could improve the consent language on its standard authorization form and made a number of recommendations, which the company agreed to implement.

The following is an overview of the investigation and the Assistant Commissioner’s deliberations.

Summary of Investigation

The complainant had an income replacement policy that, under the terms stated in the contract, pays benefits in the event that he became disabled.  When an individual files a claim under this policy, the insurance company collects and reviews personal, medical, occupational and financial information for the purpose of adjudicating the claim.

Some months before filing his claim, the complainant requested a change to his policy.  The company sent him a statement which outlined its collection, use and disclosure of personal information practices, and directed him to the company’s web site, where its privacy materials were posted, for more information.  These materials outline the purposes for which the company may need to collect customers’ personal information, how the information could be used, and with whom it might be shared. 

Part of this package covered personal information handling with respect to disability and critical illness benefits.  In this section, the insurer specified outside parties with which it might share client personal information and explained the purposes of such disclosures.  According to the information, third-party service providers might include medically related services.

The complainant later filed a claim with the company.  At that time, the insurer informed him that it might need to contact his physician for additional information.  He was told that, if this was the case, he would be advised in writing as to what additional information was needed and from which doctors.

Included in the claim form package sent to the complainant was a guide outlining how to make a claim.  The guide also indicates that the company may:

• write to more than one doctor
• arrange for a field representative to visit the claimant
• request additional information in regard to his health, income, occupational duties or activities

• arrange an Independent Medical Examination.

The guide notes that the insurer has a responsibility to all customers to assess claims “based on full disclosure of material information.”

The complainant provided his Claimant Statement and his Attending Physician Statement, along with supporting medical documents.  He did not submit the standard authorization form; rather, he submitted a form that he had amended.   The company wrote to the complainant requesting that he complete and sign the required authorization.  It also explained that it was unable to consider any claim without an unedited signed authorization.  The company stated that, should it not receive the unedited signed authorization by a specified date, it would assume that the complainant did not wish to proceed with his claim, and the claim file would be closed.

The company also indicated that, upon receipt of the authorization, it would refer the medical information on file to the company’s in-house medical consultant for review.  The company stated that, once the review was completed, it would obtain any additional information needed to determine its liability, and all information collected would remain confidential. 

The company communicated with the complainant several times with respect to his concerns.  It outlined how his personal information would be used by the claims area and who would have access to it.  It also explained how the company safeguards client personal information when it enters into contracts with third-party service providers.

According to the insurance company, by refusing to provide the insurer with an unedited authorization form, the complainant prohibited the company from giving its in-house medical consultant or anyone other than the individual claims adjudicator access to his file, without his prior and specific knowledge and consent.  The company could not accept the altered authorization and offered another option.  If the complainant provided the company with a list of specific individuals or entities that he thought the company should refrain from contacting during the claim assessment, it would make every reasonable effort to do so.  The company indicated that it would attempt to advise the complainant, in advance, of the name of the service provider(s) who would have access to his personal information.  Although it could not guarantee that it would not use a certain service provider, the insurer indicated that it would make every effort to accommodate concerns that he might have with a given individual service provider. 

The complainant did not agree to provide the insurer with a list of service providers.  He stated that the disability management industry is small, there is a high movement of individuals from company to company, and there are simply too many names.  He thought that this was too onerous a task.

The insurer also attempted to arrange for a field representative to visit the complainant.  The company informed him that it would require an interview in order to obtain a complete understanding of his medical condition, occupation, and overall circumstances, and that the interview would be conducted by a particular third-party firm, the name of which was given to the complainant.  The complainant refused to deal with third parties, including this particular firm since he viewed it as a “competitor.”  The insurance company disagreed that it was a competitor, noting that the firm did not conduct the same type of business as the complainant, nor was the complainant acquainted with its field representative.  The complainant disagreed with the insurer on this point.  He also had no recollection of the insurer attempting to send a field representative to visit him.

Findings

Issued November 8, 2006

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except when inappropriate.  Principle 4.3.2 states that organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used.  To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.  Principle 4.3.3 stipulates that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfill the explicitly specified, and legitimate purposes.  Principle 4.3.4 provides that in determining the form of consent to use, organizations shall take into account the sensitivity of the information.  Some information, such as medical records, is almost always considered to be sensitive.

In making her determinations, the Assistant Privacy Commissioner deliberated as follows:

• By way of the insurer’s authorization form, the insurer required the complainant to consent to the collection and sharing of his personal information, namely, his medical, occupational and financial information, with its agents and service providers for the purpose of adjudicating his claim for income replacement benefits.  While the Assistant Privacy Commissioner believed that the purpose was not clearly explained on the standard authorization form, it was expressly stated to the claimant in a number of other ways:  he was referred to the insurer’s published privacy policy and privacy information package, which outline why personal information is collected, used or disclosed.  He also had numerous communications with the insurance company’s staff, in which the purposes were explained to him.  Moreover, when the company sent him the claim form, it included a letter and guide which further explained the claims process.
• Through these communications and ancillary documents, the complainant was given a reasonable explanation of the purposes for the collection, use, or disclosure of the personal information the insurer required to adjudicate his claim, in keeping with the requirements of Principle 4.3.2.  The Assistant Commissioner was satisfied that the insurer was not requiring the complainant to consent to any collection, use or disclosure of personal information beyond that required for the purposes, which were eventually clearly explained to him.  She was also satisfied that the purpose, namely, to adjudicate a claim, was a legitimate one.  She therefore determined that the insurer was not in contravention of Principles 4.3 and 4.3.3.
• The complainant’s main concern was that he should be able to opt out of the sharing of his personal information with certain service providers, given the nature of his profession.
•  Our Office has in the past taken the position that companies are not required to provide customers with the choice of opting-out when the third-party service provider is offering services directly related to the primary purposes for which the personal information was collected. 
• In this case, the complainant’s personal information was being collected for the purpose of adjudicating his insurance claim, and the third-party service provider(s) is(are) part of that adjudication process.  In the Assistant Commissioner’s view, the insurer was not required to provide him with the choice of opting out of having the insurance company share his personal information with third-party service providers.  The company nevertheless attempted to make concessions to address his unique privacy concerns to minimize the possibility of his information being shared with a service provider with whom he likely had professional dealings.  The Assistant Commissioner was satisfied that the insurer’s actions in this regard were reasonable, and in keeping with Principle 4.3.4.

The Assistant Commissioner concluded that the complaint was not well-founded.

Notwithstanding the finding, the Assistant Commissioner was of the view that the insurance company could make some improvements to its standard authorization form.  For example, had a claimant not pursued any concerns he or she may have had with the consent language, the claimant would not have received much information on the purposes. 

The Assistant Commissioner therefore recommended that the company:

• Reword its consent language on its claim forms so that it is specific to the assessment, investigation, and ongoing administrative purposes, rather than using the broad rubric of “administration”; and
• Revise its claim forms to refer to additional material (such as the company’s privacy policy or its privacy information package) that explains in greater detail the purposes of the collection, use and disclosure of the claimant’s personal information.

The insurer agreed to implement these recommendations.  The Assistant Commissioner was satisfied that such changes would bring the company’s policies and practices into line with the insurer’s obligations under Principles 4.3 and 4.3.2.