Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA Case Summary #2006-364

Employer agrees to revise language of consent form regarding exchange of health information

[Principles 4.3 and 4.4]

An employee of a transportation company claimed that his employer was forcing its employees to consent to the open-ended exchange of personal information in order to obtain disability benefits. His concerns centred on the language of the consent forms the company was using. Although the investigation established that employees were not required to sign the consent form to receive their benefits, the Assistant Privacy Commissioner found the language of consent and the information provided to employees problematic. She agreed that the consent language was overly broad and understood why employees thought they had to consent given the information included in the claim form package. She recommended that the employer revise the claim form package to make it clear that employees were not required to consent, and the employer agreed to work with the complainant’s union to revise the language of the forms. The Assistant Commissioner also signaled the Office’s commitment to pursuing the matter of consent language with insurance industry representatives in order to ensure that such language conforms to the Personal Information Protection and Electronic Documents Act (the Act).

The following is an overview of the investigation and the Assistant Commissioner’s deliberations.

Summary of Investigation

The employer had recently contracted a third-party medical services provider to assist it in managing a group benefits disability plan administered by a particular insurance company. The complainant alleged that his employer was requiring its employees who are members of a particular union to sign a new authorization form in order to obtain the benefits. In his view, this new form required the employee to consent to an almost limitless exchange of confidential medical information to and from healthcare providers, the insurance company, the third-party medical services provider, the company, and other agencies and organizations, as a precondition of applying for benefits. In his opinion, his employer and the third-party medical services provider did not require confidential medical information to administer the plan—only the insurance company needed such information.

The employer stated that the third party had been contracted to provide healthcare management, not to assist the insurance company in managing the benefits program. The third party’s specific mandate is to offer disability case management services to the employer to deal with absences due to illness or non-work related injuries. Such illnesses and injuries are covered by the benefits program, commencing on day six of an absence and continuing until the employee returns to work or for a maximum period of six months.

The employer provided its employees with information documents that explained the third party/employer/insurance provider health management program, which the Office reviewed. These documents include an overview of the program, the processes and procedures for employees to follow, and a set of Questions and Answers about the program. In the Questions and Answers document, it notes that the third-party medical services provider will share medical information with the employer’s occupational health group for the purpose of return to work planning, and with the insurance company in order to expedite the claim process, and only with the employee’s consent.

With respect to the allegation that employees were required to sign the new authorization form in order to gain access to benefits, the Office reviewed the benefits claim form package. On the first page, it states that in order to properly process the disability claim, the third-party medical services provider must receive all portions of the claim paperwork completed in full and signed. Failure to do so may result in processing delays of a claim and affect payment.

The insurance company indicated that a signed authorization form allows the insurer to make such investigations as may be necessary to satisfy itself that the definition of disability is met. If the person chooses not to sign the authorization as presented, or otherwise modifies the authorization, but provides the insurance company with sufficient supporting claim information (medical or otherwise), the insurer may still be in a position to assess the claim. It stated that it might, however, be restricted in its exchange of information with the various parties listed on the authorization.

The employer stated that since incorporating the third-party medical services provider into its health management program, several hundred benefits claims have been submitted by employees who are members of the union. Of those, a small number of employees had refused to sign the form, and, to date, each of those individuals had received his or her benefits. The employer stated that an employee can choose not to sign the consent form and instead send the claim directly to the insurance company. The process that had previously been in place would then be followed, and the employer’s human resources group would follow up with the employee.

As for the allegation regarding the open-ended disclosure of personal information, according to the insurance company, the authorization form in question lists the various entities or persons with whom it may need to exchange information in order to manage the claim. The purposes for any exchanges of information are also listed. The insurance company stated that it will not exchange information with any of the entities noted on the form unless the exchange is relevant and necessary, and even then, only to the extent required to fulfil the purpose. The fact that the entities are listed does not mean that they will necessarily be contacted. The insurance company’s disclosure process is based on a strict need-to-know basis; however, should a situation arise that requires input from any of the listed parties, the wording will accommodate the information exchange.

The complainant had also raised the concern that his employer, by way of the third party, is obtaining employee medical information that it does not have the right to have. The employer clarified that it is not obtaining more information than it received in the past. The third-party medical services provider is providing disability case management on behalf of the company. The employer maintained that confidential medical information will not be shared with managers by the third party. Specifically, it stated that its management personnel will not have (nor have they ever had in the past) access to the detailed confidential medical information of employees. Managers involved in rehabilitation and return to work processes need to know the restrictions, limitations and capabilities of employees. The employer reiterated that managers do not need detailed medical information.

Findings

Issued December 14, 2006

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.  Principle 4.4 stipulates that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization.

In making her determinations, the Assistant Commissioner deliberated as follows:

  • The investigation established that some employees were still able to obtain their benefits without signing the new consent form. The employer and the insurance company both confirmed that employees could send their information directly to the insurance company. The Assistant Commissioner noted, however, that the language in the information package left the impression that consent to the exchange of information with the third-party medical services provider must be received before disability benefits are processed.
  • Therefore, as employees were not being forced to consent to an apparently open-ended collection by the third-party medical services provider of personal information as a condition of receiving benefits, there was no contravention of Principle 4.3.
  • The Assistant Commissioner then considered whether it would be appropriate to require employees to sign the consent form in question. After reviewing the language, she was uncomfortable with the scope of the “exchange” of information contemplated. She noted that the language of consent in the insurance industry is one that is of concern to this Office. Preliminary discussions with industry members suggest that such clauses are broadly written because they must encompass many different activities. For example, the consents are valid “for the duration” because they apply not only to the original assessment of the claim, but also to any and all administration/management of the benefits for the life of the claim.
  • While recognizing the needs of insurers, she noted that it is incontrovertible that if one makes consent clauses broad enough, they will apply to any behaviour contemplated by an organization. This Office has previously stated that consent clauses that are vaguely worded or that do not clearly identify the type of information and the sources from which such information is collected are not acceptable under the Act as they require individuals to consent to the open-ended collection of their personal information, contrary to Principle 4.4.
  • Thus, she concluded, as the language on the form was problematic, it would not be appropriate for employees to be required to consent to the exchange of personal information outlined on the form.
  • In this instance, though, it would appear that employees are not being forced to consent in order to obtain disability benefits. Yet, the Assistant Commissioner noted that the complainant was clearly of the view that employees were required to sign the form. She felt that the wording of consent was such that it left the reader with the impression that he or she must fill out the new consent form in order to receive benefits. While feeling coerced into giving consent is not the same as being coerced, the adverse effect on consent is nonetheless the same.
  • She recommended that the employer clarify the wording of its consent language to ensure that employees understand that consent to the third party’s collection of personal information is not a condition of receiving benefits. The employer agreed to do so and to send the Office a copy of the amended form once revisions were completed.
  • On a final note, she stated that should it be the employer’s wish to have all employees sign this particular form, then the language of consent must be far less broadly worded in order for it to be considered acceptable under the Act. She stated that this Office is committed to pursuing the matter of consent language with industry representatives in order to ensure that the language of consent conforms to the Act. 

The Assistant Commissioner concluded that the complaint was well-founded and resolved.