Title: Insurance Claims and Privacy: A Rapidly Changing Landscape
1Insurance Claims and Privacy A Rapidly Changing
Landscape
- Ann Cavoukian, Ph.D.
- Information Privacy Commissioner/Ontario
- CICMA and CIAA Joint Conference
- February 3, 2004
2Impetus for Change
- Growth of privacy as a global issue
- EU Directive on Data Protection
- Increasing amounts of personal data collected,
consolidated, aggregated - Consumer backlash heightened consumer
expectations
3Importance of Consumer Trust
- In the post-9/11 world
- Consumers either as concerned or more concerned
about online privacy - Concerns focused on the business use of personal
information, not new government surveillance
powers - If consumers have confidence in a companys
privacy practices, they are more likely to - Increase volume of business with
company.... 91 - Increase frequency of business.... 90
- Stop doing business with company if PI
misused83 - Harris/Westin Poll, Nov. 2001 Feb. 2002
4How The Public Divides on Privacy
The Privacy Dynamic - Battle Dr. Alan
Westin for the minds of the pragmatists
5Information Privacy Defined
- Information Privacy Data Protection
- Freedom of choice control informational
self-determination - Personal control over the collection, use and
disclosure of any recorded information about an
identifiable individual
6Fair Information PracticesA Brief History
- OECD Guidelines on the Protection of Privacy and
Transborder Flows of Personal Data - EU Directive on Data Protection
- CSA Model Code for the Protection of Personal
Information - Canada Personal Information Protection and
Electronic Documents Act (PIPEDA)
7Summary of Fair Information Practices
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure, Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
8Federal Private-Sector Privacy Legislation
- Personal Information Protection and Electronic
Document Act (PIPEDA) - Staggered implementation
- Federally regulated businesses, 2001
- Federal health sector, 2002
- Provincially regulated private sector, 2004
9Extension of PIPEDA
- As of January 1, 2004, PIPEDA has extended to
- ? all personal information collected, used or
disclosed in the course of commercial activities
by provincially regulated organizations
(including insurance companies and independent
insurance adjusters) - ? unless a substantially similar provincial
privacy law is in force
10Provincial Private-Sector Privacy Laws
- Québec Act respecting the protection of personal
information in the private sector - B.C. Personal Information Protection Act
- Alberta Personal Information Protection Act
- Ontario draft Privacy of Personal Information
Act, 2002 not introducedso PIPEDA applies
11PIPEDA General Consent Rule
- Assume insurance company and adjuster are in
Ontario (PIPEDA applies) - Knowledge and consent of the individual are
required for the collection, use, or disclosure
of personal information, except where
inappropriate - In insurance claims where there is no suspicion
of fraud, adjuster should only collect, use and
disclose personal information with knowledge and
consent of policyholder
12Fraud Investigations
- Privacy is not an absolute right it needs to be
balanced against other interests - PIPEDA recognizes public interest in collecting,
using and disclosing personal information without
knowledge and consent of individual for fraud
investigations
13Consent Exceptions in PIPEDA
- Investigative bodies designated in regulations
may receive and disclose personal information
without knowledge and consent of individual to
investigate a breach of an agreement or a
contravention of the laws of Canada or a province
14PIPEDA Regulations
- November 6, 2003 Industry Canada issued notice
to amend PIPEDA regulations to include additional
organizations as investigative bodies - Insurance adjusters and private investigators
included in proposed list (among others) - Amended regulation expected to come into effect
very soon (within the next month)
15Protecting Privacy During Investigations
- Investigative body status will not give
insurance adjusters unlimited power to collect,
use and disclose personal information without
consent - Adjusters should only collect, use and disclose
minimum amount of personal information necessary
for purposes of investigation - They should also ensure that any third parties
that are retained (e.g., private investigators)
do not violate privacy laws when assisting with
claims investigations
16Personal Health Information
- For some claims, insurance adjusters collect, use
and disclose policyholders personal health
information (PHI), which is considered highly
sensitive - Justice Krevers Report on the Confidentiality of
Health Information, 1980 - The IPC has been calling for legislation to
protect personal health information since 1987
17Provincial Health Privacy Laws
- Alberta
- Health Information Act
- Manitoba
- Personal Health Information Act
- Saskatchewan
- Health Information Protection Act
18Ontario Health Information Protection Act, 2003
(HIPA)
- Ontario government introduced health privacy bill
(Bill 31) on December 17, 2003 - Referred to Standing Committee on General
Government, which is currently holding public
hearings and receiving submissions - Expected to come into effect July, 2004
19General Principles
- HIPA establishes rules governing the collection,
use and disclosure of personal health information
by health information custodians and other
persons - Health information custodians are defined as
persons who have custody or control of personal
health information as a result of the work that
they do or in connection with the powers or
duties they perform
20Consent
- HIPA allows for implied consent for disclosure of
PHI within a patients circle of care (e.g., from
a family physician to a specialist or a lab for
testing) - HIPA requires express consent for disclosure of
PHI outside the circle of care (e.g., from a
family physician to an insurance adjuster)
21Disclosure Without Consent
- HIPA allows health information custodians to
disclose PHI without consent only in specific and
limited circumstances (e.g., to reduce a risk of
serious bodily harm to a group of persons) - Section 42 of HIPA deals with disclosures related
to HIPA and other Acts
22Investigations Section 42(1)(g)
- Section 42(1)(g) of HIPA allows a health
information custodian to disclose personal
information about an individual to a person
carrying out an inspection, investigation or
similar procedure that is authorized by a warrant
or under an Act of Ontario or Canada for the
purpose of complying with the warrant or that
Act.
23Final Thought
- The privacy landscape is rapidly changing
- Be aware of both PIPEDA and Ontarios proposed
health privacy legislation (HIPA) when
investigating and settling insurance claims
24How to Contact Us
- Commissioner Ann Cavoukian
- Information Privacy Commissioner/Ontario
- 80 Bloor Street West, Suite 1700
- Toronto, Ontario M5S 2V1
- Phone (416) 326-3333
- Web www.ipc.on.ca
- E-mail commissioner_at_ipc.on.ca