On January 1, 2004, the federal government enforced legislation governing how commercial companies collect, use and disclose an individual’s personal information. The federal rules apply in those provinces where provincial legislation of a “substantially similar nature” does not exist. All private sector companies in Canada, including insurance companies and consultants, are governed by the Act or by similar provincial legislation.
Bill C-6, also known as PIPEDA, is the Personal Information Protection and Electronic Documents Act. It stipulates that consent must be given for the collection, use or disclosure of an individual’s personal information. The individual has the right to access personal information held by an organization and to challenge its accuracy. Personal information can only be used for the purposes for which it was collected; otherwise, consent must again be obtained from the individual for each distinct purpose.
PIPEDA will affect the type of information that can be given by insurers to employers or to consultants/brokers. It will also affect the type of information that can be required by insurers and the methods of physical protection and retention of personal information. The means for establishing identity must be enhanced (i.e., a PIN or password when requesting information over the telephone). All files with personal information (both paper and electronic) must be sealed, locked up or encrypted.
Member consent should be obtained before or at the time of collection of personal information such as:
- when an employee enrolls for benefits or submits a claim form
- when a transaction or relationship is initiated (when a member dependent accepts a drug card to use for direct transactions)
Most insurers have updated their enrollment forms to include the existing authorization and a new confidentiality section above the employee’s signature. These forms should be used and can generally be downloaded from the insurer’s website. For existing plan members, the insurer can use “implied consent” and can disclose appropriate information.
Traditionally, insurers have provided employers with detailed reports on everything from health and dental claim activities, drug utilization, incidence of disability, etc. Under PIPEDA, these reports can no longer include any identifying information about specific employees. Information will be limited to aggregate, non-identifying data. For small groups, this could be even more limited, as identification is often possible through deductive reasoning. Therefore, employers will get less information to manage their disability, health or dental plan.
Generally, an employer has to justify the need to obtain any medical or personal information from a third party, such as a hospital, medical clinic, or insurer. The need has to be evaluated within the context of the purpose of the request. It is an accepted fact that the medical diagnosis of an employee is not considered information that an employer needs to effectively manage through human resources, barring special circumstances such as reasonable grounds to suspect fraud or abuse. Most health specialists are bound by a code of ethics for their profession. Consequently, these specialists will not provide any information without obtaining the informed consent of the patient regarding transmission of medical data to the patient’s employer. The quantity and nature of information may also be restricted.
As our client, you trust us with your personal information. We value that trust and want you to be aware of our commitment to protect the information you share in the course of doing business with us.
We are committed to respecting the privacy of our clients and visitors, and we are dedicated to safeguarding the business and financial information entrusted to us. We adhere to strict privacy protection guidelines to ensure your personal and business information is kept confidential. We respect your identity and keep it private. We do not share the information you provide in any way.