The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Friday, April 29, 2005
Finally some clarity on the privacy aspects of independent medical examinations since PIPEDA. I've had to deal with a number of these over the last year and though all my files are still winding their way through the OPC's system, it's good to see some clarity on the issue.
In this finding, a complaint was made against a physician who was working for an insurance company doing medical examinations of insurance claimants. The individual asked for access to his/her records and was denied as the physician did not keep any records provided to him/her. The individual also complained that the doctor disclosed his/her medical information without consent. The Assistant Commissioner found that both complaints were not well founded.
Commissioner's Findings - PIPEDA Case Summary #294: Denial of access and inappropriate disclosure allegations are made against a physician - March 17, 2005 - Privacy Commissioner of Canada:"Complaint
An individual alleged that a physician refused to provide him with access to his personal information and disclosed a medical report about him to an insurance company without his consent. The complainant in this case also filed two complaints against the insurance company, which are discussed in greater detail in Case Summary #293.
Summary of Investigation
The complainant had been absent from work for medical reasons, and was insured under the terms of a group insurance policy between his employer and an insurance company. The physician, an independent medical consultant under contract with the insurance company, provided it with a report on the complainant's medical condition. After obtaining a copy of this report from the insurance company, the complainant wrote to the doctor requesting a copy of his file, including copies of the materials provided to the doctor by the insurance company and an independent medical examiner.
The doctor works as a non-treating medical consultant on the premises of the insurance company, approximately one day a week. His position was that he was hired by the company to provide medical opinions on disability files and that these files are owned by the company. As a result, he was not in a position to grant or deny access to them. He states that he does not keep his own files or copies of any records relating to his work for the insurance company. He dictated his report for the company, which was subsequently typed by one of its employees. The company confirmed that its employees type the reports dictated by doctor, and the report also indicated that it was first dictated and later typed.
The College of Physicians and Surgeons of Ontario has a policy for its members, governing the standards of care for non-treating physicians who prepare reports for third parties. Where the doctor is providing a report to a third party based on a file review, which was the case with the physician in question, the policy states that there is no obligation to keep notes or records. The duty to provide a copy of the report will vary according to the nature of the agreement with the third party. The policy also states:
Physicians who are given... documentation to review should make a comprehensive list of all materials reviewed in preparation of the report... Once a comprehensive list of materials is prepared and the report has been submitted to the third party, the physician may keep a copy of this material in his or her file but is not obligated to do so. This background material can be returned to the third party without making a copy....The doctor's practice appeared to be consistent with the guidelines of the Ontario College of Physicians and Surgeons.
As for the inappropriate disclosure allegation, the doctor stated that, as per his contractual obligations, he prepared a report summarizing his review of the complainant's file, which was under the control of the insurance company. In his view, he was acting as an agent of the company and thus there was no disclosure.
We reviewed the consent form the complainant signed when applying for disability benefits, and noted that he consented to the provision and exchange of information between any physician and the insurance company for the purpose of assessing his claim and providing rehabilitation assistance.
Findings
Issued March 17, 2005
Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate; and Principle 4.9 stipulates that upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information.
The Assistant Privacy Commissioner deliberated as follows:
With respect to the denial of access complaint, the Assistant Commissioner was satisfied that the information the complainant requested from the doctor was neither in his possession nor under his control, and that as a result he could not provide the complainant with access to his personal information. The Assistant Commissioner found that the doctor had not contravened Principle 4.9. She therefore concluded that the access complaint was not well-founded.
As for the disclosure complaint, the Assistant Commissioner noted that even if she did not accept the doctor's claim that he was acting under contract to the insurance company, it nevertheless was the case that the complainant had provided his consent to the exchange of personal information between the physician and the company for the purpose of assessing his claim for benefits. She therefore found that there was no contravention of Principle 4.3.
The Assistant Commissioner concluded that the disclosure complaint was not well-founded."
Labels: information breaches, pipeda findings, privacy
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.