Language selection

OPC Logo Office of the Privacy Commissioner of Canada

Search

Benefits administrator takes steps to ensure appropriate consent is obtained before disclosing medical information

PIPEDA Case Summary #2007-383

[Principles 4.3 and 4.3.6]

Lessons Learned

  • Disclosures of a client’s personal information must be limited to what is specified in the signed application form for benefits.
  • Verbatim excerpts from a medical specialist’s report about a patient are that patient’s personal information.
  • Unambiguous express consent must be obtained before disclosing client information to a third party.
  • Employees of benefits administrators need to understand how to obtain such consent.
  • Written consent for the disclosure of medical information is required in most cases.
  • Particular attention should be paid to the terms of a restricted consent.

A rehabilitation officer for a benefits administrator thought she had the complainant’s verbal consent to tell his employer that he was ready to return to work.  She then sent an e-mail to the employer’s health care consultant in which she quoted directly from the medical report prepared by the complainant’s specialist. 

Prior to this disclosure, the complainant had expressed directly to the officer his concerns about any disclosure of medical information to his employer and had signed a limited consent form with the benefits administrator when he first applied for benefits some months before the disclosure.  This consent did not authorize any disclosure of medical information to his employer.  The administrator was of the view that the officer did not inappropriately disclose confidential medical information.

The Privacy Commissioner disagreed.  She determined that the disclosure was inappropriate and that written consent ought to have been obtained since it concerned medical information and the complainant had made his concerns known to her in various ways.  The Commissioner made a number of recommendations to the company, which it implemented.

The following is an overview of the investigation and the Commissioner’s deliberations.

Summary of Investigation

When the complainant applied for long-term disability benefits, he crossed out the clause regarding the release and exchange of medical and other information between the administrator and others.  He added a handwritten note specifying that he did not want his medical information discussed with his employer.  He also appended two pages of notes pertaining to another section of the form, in which he objected to benefits administrator’s “broad blended consent.”  He indicated that he would provide the company with separate and specific consents that “pertain to the verification and disclosure of medical and employment/income information where such information is reasonably required to facilitate the adjudication and administration of this claim.” 

The consent form that the complainant ultimately signed, in conjunction with his application for benefits was an amended and restricted consent he negotiated with an adjudicator for the administrator.  With respect to medical information, the “Authorization for Release of Information” states in part:

I also specifically authorize the redisclosure of such information by (administrator) for purposes related to the claim evaluation, including claim verification or review by any reinsurer or any other insurer providing coverage with respect to the claim.  I understand that except as otherwise expressly permitted or required by law, no other use or transfer of the information may be made without first obtaining my additional written consent on a form stating the need for the proposed new use or transfer to another person or entity.

The complainant’s specific intent in restricting his consent in this manner was to restrict the right of administrator to transfer his medical information to his employer. 

According to the administrator, when the complainant was ready to return to work, he asked that the company write to his treating specialist.  The administrator did so and received a report from the specialist clearing him to return to work on a gradual basis.  A rehabilitation officer was assigned to coordinate his return to work and a graduated return-to-work plan was discussed.

The administrator confirmed that the above-noted modified consent and authorization were on file and valid, and that the rehabilitation officer had copies of the two documents at the time she became involved in coordinating the complainant’s return to work.

The complainant spoke to the rehabilitation officer, who indicated that she was in possession of the medical report from his specialist.  According to the complainant, during the phone conversation he raised concerns about the privacy and confidentiality of his medical information.  The complainant stated that he had signed only a limited medical consent, with the specific intent of restricting the right of the administrator to transfer personal medical information to his employer.  He indicated that the rehabilitation officer assured him that no medical information would be released to his employer’s representatives.

The rehabilitation officer’s recollection of this conversation was different.  She believed that she had his permission to share his information from the specialist’s report with his employer’s health consultant.  She noted that the complainant told her that his employer was aware of his basic diagnoses.  The officer stated that she discussed with him the standard authorization used with his employer.  According to her, the complainant was willing to sign it.  The following day, however, she e-mailed excerpts from the medical report to the employer’s health care consultant, notwithstanding the fact that the complainant had not yet signed the standard three-way authorization form previously discussed.

The e-mail in question included information from the specialist’s medical report, which was placed in quotation marks.  The information did not mention the complainant’s medical condition directly, but did contain comments on his ability to return to work, side effects of his treatment, and any possible limitations on his activities. 

Five days after this e-mail was sent, in a telephone conversation with the rehabilitation officer, the complainant, by his own admission, verbally consented to her advising his employer’s health care consultant that he was able to return to work without restrictions and therefore required a return to work date.  He stated that when the rehabilitation officer indicated to him during this conversation that she intended to forward to the consultant information that appeared to amount to a medical opinion, he explicitly advised her that he would not permit her to do so.  He did not, however, realize that she had already transmitted the information via e-mail to the consultant.

The rehabilitation officer states that during this conversation, she shared the contents of the e-mail with the complainant.  Although she contended that he did not have any objection to this having been provided, she also stated that he seemed to become agitated during this conversation.

The complainant was very upset about the e-mail in question.  It was sent after he had explicitly stressed to the officer his wish to restrict the right of the administrator to transfer personal medical information to his employer.  He contended that when she quoted verbatim from the specialist’s medical report to his employer’s representative, the employer took this as a “complete and accurate basis for its decisions,” which ultimately resulted in the denial of his accommodation requests.  Specifically, he claimed that his office manager, in determining the date of his return to work, indicated that she acted on the basis of “medical information” she had received from the employer’s rehabilitation group.

The administrator was of the opinion that the complainant provided his verbal consent when he left a voice mail message with the rehabilitation officer on the same day she sent the e-mail, confirming that she should proceed to confirm to his employer that he was able to return to work full time, with no restrictions or limitations.  The complainant countered that he verbally consented only to allowing the officer to advise the employer that he was able to return to work without restrictions and therefore required a return to work date.

The complainant brought his concerns to the administrator before complaining to the Office.  He was told that the rehabilitation officer had not anticipated that he would object to including excerpts from his specialist’s report in her communication and that she had not turned her mind to the distinction he had drawn between wanting the administrator’s opinion in this regard versus that of his specialist.  The administrator apologized to him for the misunderstanding, but concluded that it did not believe there had been an inappropriate disclosure of confidential medical information.

The administrator stated that it takes great care to ensure that no sensitive medical/personal information is disclosed to an employer without consent and that the information released is limited to that which is necessary to fulfil its contractual obligations.  Those obligations could include providing the employer with information pertaining to the employee’s return to work accommodations, rehabilitation efforts and claim status.

The administrator maintained that, in this case, no medical information was released to the employer in that no particulars about the nature of his condition were disclosed in the e-mail.  Further, it stated that the complainant specifically requested that the rehabilitation officer convey that he was able to return to full-time duties with no limitations and restrictions at all.  In complying with this request, the administrator stated that the officer quoted the language from the specialist’s report, although not identified as such.

Findings

Issued October 30, 2007

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information.  Principle 4.3.6 states in part that an organization should generally seek express consent when the information is likely to be considered sensitive.

In making her determinations, the Commissioner deliberated as follows:

  • The complainant indicated to this Office that he wanted his complaint to address the question of whether a benefits provider has a right to release medical information to an employer without specific consent and for no legitimate medical purpose. 
  • There were therefore two issues to consider: whether the information released was medical information and whether there was consent to do so.
  • As for the first issue, the administrator admitted that there was a misunderstanding regarding the extent and limits of the authorization that the complainant had provided to it with respect to the contents of the e-mail to his employer. 
  • The administrator’s position was that the excerpts quoted merely confirmed the complainant’s ability to resume his normal occupation and did not amount to an inappropriate disclosure of confidential medical information. 
  • The information at issue was verbatim excerpts from a medical specialist’s report that pertained to the complainant’s medical status.  Although it did not contain information about his specific medical condition(s), it clearly contained information about other aspects of his personal medical status, in the words of a medical specialist.  Specifically, the quoted excerpts addressed his physical ability to perform employment-related tasks, his general medical status at the time (“stable”) and the issue of whether his treatment plan would cause any side effects.  The information at issue was his doctor’s professional opinion about the complainant’s physical health, his treatment plan and the corresponding medical consequences.  In the Commissioner’s view, it qualified as sensitive personal medical information about the complainant, to which the terms of his restricted consent and Principle 4.3.6 applied.  
  • The administrator acknowledged that it had on file a restricted consent, signed by the complainant and negotiated with one of its adjudicators, in lieu of its standard medical consent.  This form indicated that an additional written consent would be required for any use or disclosure beyond that cited on the form (for claim evaluation or review purposes).  The complainant had indicated that he would provide the company with separate and specific consents pertaining to the verification and disclosure of medical and employment/income information to facilitate the adjudication and administration of the complainant’s claim. 
  • Although the administrator believed that it had the complainant’s verbal consent to the disclosure to his employer that he was able to return to work with no restrictions or limitations, it did not have any written consent in place to do so.  In fact, contrary to the complainant’s signed consent, and without obtaining any further written consent, it transmitted to his employer verbatim excerpts from his specialist’s medical report. 
  • In sum, the complainant explicitly communicated his concerns about the disclosure of his medical information to the administrator on both his claim form and in his Authorization for Release of Information form.  Both authorizations were valid at the time the rehabilitation officer provided his employer with verbatim excerpts from a medical report. 
  • The evidence before the Commissioner therefore supported the complainant’s contention that the officer did not have additional written consent from him to transfer medical information to his employer at the time that she did so.  Such a transfer was contrary to Principles 4.3 and 4.3.6.
  • The misunderstanding about the scope of the authorization given to the administrator to share information in order to obtain a return to work date might have been avoided had the administrator obtained an express consent that was reduced to writing.  Such a safeguard, the Commissioner noted, could significantly lessen the risks of miscommunication and is particularly important where sensitive medical information is at issue. 
  • The Commissioner therefore recommended that the administrator demonstrate its commitment to ensuring that its employees obtain an unambiguous express consent to the release of sensitive medical information to third parties prior to such a release.  She recommended that the administrator demonstrate this commitment by informing employees who may be in a position to disclose personal medical information of:
  • the process by which an unambiguous express consent should be properly obtained;
  • the need for written consent in most, if not all, cases;
  • employees’ obligations to adhere to any specific requirements created by the terms of a restricted consent; and
  • her conclusion that verbatim excerpts from a medical specialist’s report about a patient constitute that patient’s personal information. 
  • She also recommended that, where necessary, the administrator update its policy and training materials accordingly.
  • The administrator implemented all of the recommendations and conveyed to its employees the Commissioner’s comments with respect to verbatim excerpts from a medical specialist’s report.
  • Consequently, the Commissioner found that the administrator was now in compliance with Principles 4.3 and 4.3.6.

The Commissioner concluded that the complaint was well-founded and resolved.

See also

#293 Commissioner considers access, correction, and inappropriate disclosure allegations against insurance company

#348 Disclosure of diagnosis was inappropriate, but insurance company considered to be open about its privacy policies and practices

Date modified: