OIAA Claims 2005: Privacy in Review

A full year into the implementation of the federal Protection of Information Privacy and Electronic Documents Act (PIPEDA), many issues remain unresolved for insurers, lawyers told delegates of the Ontario Insurance Adjusters Association (OIAA) Claims 2005 Conference in Toronto recently.

Lawyer Lee Samis, of Samis & Co., says claims professionals are particularly vulnerable because “there’s almost nothing we do in the claims business” that does not require the collection, use and/or disclosure of personal information. Also, he expects the “traditional foes” insurers face during the claims settlement process will use privacy as another weapon in their arsenal to push a settlement in favor of the claimant.

Samis says there is still a great deal that is undecided about how the Privacy Commission will react to issues insurers may face in the claims process.

He gives the example of an adjuster taking a claimant’s accident information and giving this to company underwriters to use in assessing rates for the policyholder’s next renewal. Even if the claimant has given consent to have the information used to process their claim, they are not likely to consent to its use in underwriting, he notes.

“The pendulum has swung so far in the other direction…if you actually applied the legislation to the letter, all commerce would stop,” Samis says, partly because the language in the act is so broad. He says the act is “a large hammer sitting over the head of industry” because there remain so many questions about how the act will be interpreted.

For example, the definition of “personal information” is so broadly worded, if a claimant were to give information about others involved in an accident – passengers in the vehicle, or the driver of the other car, etc. – there exists the potential for those other parties to claim a breach of privacy because they have not given the insurer consent to collect or use their information, Samis explains. “It [personal information] is not even necessarily things we see as “secret” or “personal” information.” Is it considered an infringement on privacy for a claimant to give the name of potential witnesses to an accident?

CHOICE OF WORDS

Other areas where Samis sees potential problems are in poorly written company privacy statements which he says in some cases are “a joke”. For example, he has seen website privacy statements in which insurers make statements such as “we only use information to better serve you”.

There is a another potential problem in the expectation that claimants can request to view and potentially change what they perceive as “errors” in their claim file information, Samis adds. If an insurer denies a policyholder access to their information, they are obliged to tell the Privacy Commission that they have done so.

And there also remains the question of what insurers can disclose to their reinsurers in the course of obtaining reinsurance, he adds.

UNDER A MICROSCOPE

Insurers may also have issues when it comes to surveillance used in investigating claims, suggests Neil Colville-Reeves, also of Samis & Co. Guidance can be found in the Ferenzy v. MCI Medical Clinics case, which involved a medical malpractice claim. The court ruled first that privacy was not an issue of admissibility, and also that because the defendant was not engaged in an “act of commerce” in terms of the surveillance, but was responding to being sued, breach of privacy claims did not apply. In essence, the ruling suggests a plaintiff making a personal injury claim has opened themselves up to surveillance, Colville-Reeves notes.

However, the Eastmond case sends a less positive message for insurers to heed. This case suggests that there would have to be some reasonable expectation of fraud, theft, etc. based on other information or assessments in order to justify surveillance (for e.g., an insurer would need a test such as an independent medical examination giving indications of possible fraud in a claim). Unfortunately, “many claims files put in surveillance as a matter of course,” he says, and this may no longer be acceptable. The question now is, “how much evidence do you need before you undertake surveillance?”

CAUGHT IN A TRAP

In Ontario, insurers should also be prepared to deal with new legislation protecting healthcare information under Bill-31. It remains to be seen if this legislation will be deemed to be “substantially similar” to PIPEDA, Samis notes, but even if it is, the Ontario legislation will only supercede PIPEDA as respects healthcare information. If Ontario’s legislation is not deemed similar enough, it will still be law.

While the Ontario law is supposed to apply only to healthcare custodians, which would not include insurers, Samis says two provisions could “hit you square in the eyes”. The first is Section 49 which says a healthcare custodian can only disclose information as per the consents given by the “patient”, which means insurers will only be able to access information from healthcare professionals with the proper consent from the insured and/or injured party following a claim. Also, under the new legislation, it is illegal to require someone to produce their health card or health card number. Samis says he knows of far too many insurers who continue to use this information.