Provision of medical information through physician challenged

PIPEDA Case Summary #2005-322

(Principles 4.9 and 4.9.1 of Schedule 1)

Complaint

An individual claimed that an insurance company denied him access to his personal information and failed to set out its reasons for doing so.

Summary of Investigation

The complainant had applied for insurance, but had been declined for medical reasons.  Shortly afterward, he wrote to the company to request a copy of his files, which included all medical reports.  Three days later, an employee called him and informed him that his medical information would be made available through his attending physician.  The complainant and the company communicated frequently about the request.  The organization maintained that it would release the medical report to the complainant according to its normal practice – that is, when medical information is received from a physician and not from the individual, it is made available to the individual through the physician of his or her choice.  In the complainant’s case, the insurance company also told him that it was attempting to contact the physician who had provided the report, to seek his permission to release the report directly to the complainant. 

The complainant told the Office that the insurance company had not provided him with a reason for not disclosing the report.  He believed that the company should also have given him some form of recourse if he did not agree with its rationale for refusing access, and that it should have cited the section(s) of the Personal Information Protection and Electronic Documents Act that it was applying.  As he believed that the information he was seeking, specifically, the attending physician’s statement (APS), was a reiteration of information the complainant had provided the physician, he did not think it should be considered sensitive medical information. 

The Office reviewed the company’s privacy materials, which are available on the company’s web site.  These materials clearly state that, if an individual wants access to medical information about himself/herself that the company obtained from a third party, the company will release this information only through the individual’s physician.  They also provide a section explaining the company’s complaint resolution procedures and contact information for its privacy officer.

The company was of the view that it had provided the complainant with an explanation of its practice of releasing medical information through a physician, as well as its rationale for this practice, in its correspondence with him.  In its representations to the Office, the company elaborated on this rationale.  It believes that the physician is in the best position to explain the contents of the attending physician’s report, to help provide a context to the message, and to “develop a strategy for the situation.”  The individual is not always aware of the content of the medical report or the severity of the conditions described in the report.  The company stated that its objective is to ensure that individuals have the support they need.

According to the insurance company, when an individual has concerns about its practice of releasing medical information provided by a physician (and not provided by the individual) to the physician of his or her choice, the company’s medical director helps determine the appropriateness of releasing the information directly to the individual.  In this case, the company’s medical director was consulted.  She determined that the complainant’s medical report should be communicated to him through his attending physician.  This was outlined to the complainant in a letter.  At that time, the company suggested that the complainant approach the physician directly or provide the name and address of another doctor to whom the company could release the APS.  The complainant did not follow up on either suggestion.  Notwithstanding its practice, the insurance company was eventually able to contact the complainant’s attending physician, who agreed that the company could release the report directly to him, which it did.  When it sent this information to him, the company explained why it was able to provide the report. 

The report in question was a brief summary of the complainant’s office visits over a number of years.  The complainant indicated to the Office that he was already aware of the information contained within the report.

Findings

Issued December 22, 2005

Application: Principle 4.9 states that, upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information.  Principle 4.9.1 allows the organization to choose to make sensitive medical information available through a medical practitioner.

In making her determinations, the Privacy Commissioner deliberated as follows:

  • Although the insurance company did not initially provide the complainant with access to the information he was seeking by giving him a copy of the report, it indicated that it would provide him with access to this information through his attending physician, or another doctor of his choice, according to its practices.  The company also informed him that it was attempting to contact the attending physician to confirm if the report could be released directly to the complainant on an exceptional basis. 
  • The Commissioner did not agree with the complainant’s view that the company did not provide him with reasons for its actions.  After reviewing the correspondence he received, she was satisfied that the organization did not refuse his request and did clearly outline its reasons for providing him with access to the information through a physician.  Its practice of releasing medical information obtained from a third party through an individual’s physician is also explained in its privacy policy posted on the company’s web site.
  • As for the acceptability of such a practice, the Commissioner noted that Principle 4.9.1 allows an organization the option of making sensitive medical information available through a medical practitioner. 
  • Although the complainant did not believe that the information he was seeking was particularly sensitive, the Commissioner was of the view that it could be considered sensitive in that it was related to the insurance policy that the company had declined. 
  • Furthermore, she agreed with the company that an individual may not always be aware of the content of a medical report or the severity of conditions described in the report, and therefore any medical report provided by a physician directly to the insurance company could be considered “sensitive medical information.” 
  • In this instance, the complainant was provided with a copy of the information only after the attending physician agreed to its release.
  • The Commissioner determined that the company could rely on Principle 4.9.1 in giving the complainant access to his personal information. 
  • She also determined that the complainant was eventually provided with the information he was seeking, in accordance with Principle 4.9.

She therefore concluded that the complaint was resolved.
