A group insurance policy often involves several parties, namely the insurance company, the plan administrator and the insured employee (or “member” of the plan), who, however, rarely has any negotiating power in this regard. In addition, it is often the case that a member’s dependents will be eligible for benefits under the policy.
Administering a group insurance plan requires the disclosure and communication of various items of personal information that can be quite sensitive in nature. The information that must be submitted in order to be eligible for benefits generally consists of medical information and, potentially, in the case of a member’s dependents, other personal information that they may be reluctant to disclose to the member. An example of this could be where a teenage girl wants to take contraceptives but doesn’t want her father, the member, to know about it, or where a dependent spouse doesn’t want the member to know that he or she is being treated for a sexually transmitted disease, or for depression.
Under both the federal statute on the protection of personal information, i.e. the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and the various substantially similar provincial privacy statutes, the basic underlying principle is that every person must have the opportunity to consent to the collection, use and disclosure of personal information concerning him or her. In this regard it is interesting to note that in two recent decisions, one by Quebec’s access to information commission, the Commission d'accès à l'information du Québec (the “CAIQ”) and the other by the Office of the Privacy Commissioner of Canada (the “OPCC”), limits were placed on the degree of privacy that must be afforded to a dependent’s personal information in a group insurance context.
McMillan LLP Brookfield Place, 181 Bay Street, Suite 4400, Toronto, Ontario, Canada M5J 2T3 t 416.865.7000 f 416.865.7048
Lawyers Patent & Trade-mark Agents Avocats Agents de brevets et de marques de commerce Vancouver Calgary Toronto Ottawa Montréal Hong Kong mcmillan.ca
In Quebec, the CAIQ recently took the position[1] that an insurer could disclose personal information to a member in connection with a claim made by the member’s dependent that is necessary for the administration of the group insurance plan, without having to obtain the dependent’s consent.
In the matter in question, the complainant alleged that the insurance company had disclosed, without his consent, personal information concerning him to the woman he was living with, who was a member of the group insurance plan involved. The complainant considered this disclosure to be a violation of his privacy rights, particularly since, under the Act respecting Prescription Drug Insurance,[2] he was obliged to obtain coverage under his partner’s group insurance, thereby forfeiting his coverage under the public drug insurance plan. In its defence, the insurance company argued that the information disclosed was necessary for the member to properly administer her insurance under the plan, particularly with respect to co-insurance and application of the deductible. The insurer pointed out that it had to verify several details before approving a claim, including eligibility, the amount of the deductible, the extent of coverage, etc. It should be noted that in this case, the insurance policy provided that reimbursement of the claim was to be paid directly to the member.
In Quebec, the Act respecting the Protection of Personal Information in the Private Sector[3] (the “Quebec Statute”) provides that any information concerning an individual that allows that person to be identified is personal information. Thus, the information about the complainant appearing on the reimbursement statement sent to the member constituted personal information of the dependent as understood by the Quebec Statute. That legislation also provides that no one may disclose to a third party personal information contained in a file that it maintains in respect of an individual, or use such information for purposes unrelated to the reason the file is being maintained, unless the individual in question consents or such disclosure is required by the Quebec Statute. Moreover, consent to the disclosure must be “manifest, free, and enlightened, and must be given for specific purposes”.
The contract with the insurance company in this case was on behalf of the member, not the complainant. Thus, while the CAIQ sympathized with the complainant’s objection to the disclosure of his personal information to the member, it decided that his complaint was not well-founded. The insurance company had simply disclosed to the member information that was necessary for the administration of the contract, and had thus not contravened the Quebec Statute.
At the federal level, the approach taken by the OPCC appears to be more or less the same. In a recent Report of Findings[4] pursuant to PIPEDA,[5] the OPCC took a position similar to that of the CAIQ, dismissing the complaint of a young woman who, as a dependent under her father’s group health insurance plan, contested the plan administrator’s policy of requiring her to submit claims through her father.
[3] CQLR c. P-39.1.
[4] PIPEDA Report of Findings # 2013-012, Adult daughter required to submit insurance claims through her father and consent to disclose personal information to her father upon claiming benefits from his private health insurance plan, Office of the Privacy Commissioner of Canada, 2013 CanLII 92363 (OPCC).
The complainant alleged that the insurance company’s refusal to process her claims directly and its disclosure to her father of personal information concerning her constituted a breach of PIPEDA Principle 4.3.3 set out in Schedule 1 of that statute, which provides that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil explicitly specified and legitimate purposes. In its analysis, the OPCC took into account the rights and responsibilities of plan members and their dependents.
The members of a group health insurance plan often bear sole responsibility for all claims made, and are answerable for any errors, abuse or fraud stemming from those claims. The OPCC accordingly decided that the insurer’s practice of refusing to deal directly with a member’s dependent, and thereby, in a way, compelling the disclosure of the dependent’s personal information to the member, complied with Principle 4.3.3. In the OPCC’s view, since a dependent under the plan has none of the same responsibilities as the member does in respect of the plan, dependents cannot expect absolute protection of their personal information and must consent to its disclosure to the plan member. While it recognized the legitimacy of the complainant’s concerns, the OPCC also took into account how the plan was structured and other practical considerations in concluding that the dependent’s complaint was not well-founded.
These two decisions are welcome news for employers, in that they impose only limited obligations on them with regard to dependents in group insurance matters, by allowing them to manage claims through the intermediary of a single person, i.e. the member, and authorizing them to disclose personal information regarding the latter’s dependents to the member if the information is necessary for the administration of the group insurance plan, without having to obtain the dependent’s consent. However, the effect of these decisions is to afford only limited protection to the personal information of a member’s dependents. While this may inconvenience dependents who wish to keep their purchases of medication private, this limitation on their privacy rights has now been deemed acceptable by two Canadian privacy tribunals in a context where personal information must be disclosed to a member for claims management purposes.