|
Under the new federal privacy legislation--which, starting
next month, governs the collection, use and disclosure of personal health
information--these employers may be in for a shock. Much of that information will
no longer be available to them.
"What's causing [some employers] concern with the privacy
legislation is that it's now becoming obvious that they have no absolute right to
all of the details," says Keith Golem, vice-president, group insurance, disability
management with Clarica in Waterloo, Ont. For the information employers still
receive, there will be stricter guidelines about how they use, store and share the
data. For many, the new rules will mean a careful new look at disability processes,
and in some cases, serious changes.
The Personal Information Protection and Electronic Documents
Act (formerly Bill C-6) came into effect last January for federally regulated
organizations. It will apply to all other organizations as of 2004, unless the
provinces they operate in have introduced similar privacy legislation. Quebec, for
example, already has its own privacy law in place.
The section of the Act dealing with health information
doesn't come into effect until Jan. 1, 2002, and, once again, it is only applicable
to federally regulated employers. However, insurers--the parties that manage the
information in most cases--are complying now. So the flow of data to plan sponsors
has already ceased for some plan sponsors.
The Act defines personal health information as information
concerning "the personal, physical or mental health of the individual" or "any
health service provided to the individual." Even information collected "in the
course of providing health services" falls under the Act.
"The drafting of this statute is quite broad. In many
important areas it's vague," says Hugh O'Reilly, a partner in the Toronto office of
the international law firm, Torys. "If you're talking about an insured benefit
product, whether it's an administration-services only product or an insured
product, it's potentially caught there."
The problem with the legislation, says O'Reilly, is that it
is based on Canadian Standards Association guidelines that were never intended to
be made into law. "This was a national standard of privacy guidelines put together
by various industry players probably in a desire to show that they were good
corporate citizens. There's no way on earth that those people thought these would
be the regulations."
Golem says Clarica is still providing plan sponsors with
information that is "necessary for the employer to effect a safe and timely return
to work." He adds that when employees sign a claims form, they authorize the
insurer to share information pertinent to their absence and ability to return to
work with the plan sponsor. This means information about when an employee can be
expected to return to work and his or her functional limitations can be passed
on--but not specific details about the nature of the condition.
"[The employee] would not expect us to share things like
diagnostic information and treatment information in the context of managing their
claim because, quite honestly, it's not necessary," says Golem. Many employers do
believe that they need this type of information. "When they think of that
[information] going away, they suddenly think they don't have all the tools. But I
think they still have all the tools they need," he says.
NO NEED TO SHARE
Anne Nicoll, a practice leader of managed time loss at William M. Mercer in
Toronto, agrees that confidential medical information--including diagnosis and
treatment--isn't something an employer needs to effectively manage a disability.
Nicoll adds that other information, such as the employee's abilities and
capacities, is crucial to disability management. "That information has a different
purpose. There's a need for sharing it because that's what's used to identify
return-to-work opportunities, accommodation needs and so on."
While information about functional abilities and limitations
may be enough to manage individual disability cases, it may not be enough to
identify and target any recurring health problems. Employers need specific
information about illnesses and injuries to identify causes and trends, develop
targeted prevention programs and measure wellness initiatives.
Insurers say they will still be able to provide information
about specific diagnoses--albeit in aggregated form--under the new legislation. "We
don't see a problem with aggregated data, so that you can't identify individuals,"
says Mike Sampson, vice-president of group marketing at Great-West Life Assurance
Co. in Winnipeg. He adds that his company is careful about reports it provides to
smaller clients because, in some cases, it's easier to identify individuals.
INFORMATION ON CONSENT
Not everyone agrees that anonymous aggregate data is enough. "If you're doing
something in your business that's causing disability, whether that be mental or
physical, I don't know that you're going to get it on a general overall basis,"
says Barry Entwistle, vice-president, Comprehensive Benefits Solutions in Toronto.
"If you have a major [health] problem in your organization, how do you fix it
without knowing that Sally is suffering these conditions? What does your third
party do? Simply advise the company that they should have a general overall
program?"
Entwistle adds that if employers only receive aggregate data,
it could also hinder their ability to link instances of disability in the workplace
with the use of other benefits, such as prescription drugs. For those employers
that feel they do need details about a claimant's condition or treatment to
effectively manage disability, there is an option available to them. The
legislation allows for personal health information to be shared, so long as the
claimant consents to having it released, with a clear understanding of who will see
it and how it will be used.
Nicoll points out that some employers already have their own
consent forms in place. "Ensuring that [the form] is specific in terms of why [the
information] is being collected, who's going to get it and what kinds of
information, is really the first step."
Handling personal health information under the new
legislation can be a potential minefield, and employers must put stringent measures
in place to ensure their employees' privacy is protected. Shelley Ptolemy knows
this. She is the senior occupational health adviser for the City of Medicine Hat in
Alberta, which administers its own short-term disability benefits. The City
collects disability claimants' personal health information itself, and it has had
to put its own consent and information handling processes in place.
When one of the City's employees applies for disability, they
are asked to sign a form allowing their physician to release medical information to
one of the City's two occupational health advisers.
The consent forms provided to employees claiming disability
are quite specific, clearly spelling out who the information will be shared with,
what it will be used for and the time frame to which the consent applies. It also
states that only medical information related to the condition for which the
employee is currently being treated will be released.
Once that information is obtained, it is secured in a totally
different manner than all other data housed in the City's human resources
department. "It is contained in a locked office, in a double-locked file cabinet,"
says Ptolemy.
"Anything on the software system is triple-coded with
passwords and then everyone who has access to that information must sign an annual
waiver signifying that they have reviewed the confidentiality practice." She adds
that staff members have a copy of the confidentiality policy so that they know and
understand it.
Complying with the privacy legislation is even more difficult
for employers that do not have an in-house occupational health professional.
Because of all the safeguards required to ensure compliance, Ptolemy believes many
of these organizations may now decide to outsource the disability management
function to a third party. "There's nothing wrong with that decision as long as you
clearly understand that you've just given some of your control away."
Nicoll agrees that outsourcing may be the best bet for some
employers who are currently self-insured. "Some of the smaller and medium-sized
employers have probably relied on forms they may have received from an insurer and
are using them for their internal program." She adds that employers still have to
help employees back to work. "The legislation is not an excuse to say 'it's not my
problem.' It's still the employer's [responsibility]."
There is always potential for information about an employee's
health to end up in the employer's hands. For instance, an employee may give a
completed disability claim form directly to the human resources department. "The
entry point for confidential health information is from the employee. The employee
can be handing it to all kinds of different people," says Nicoll. She notes that
handing someone a completed claim form or telling a supervisor about a medical
condition, does not imply consent to release that information. For this reason, all
employers will have to take a close look at how they handle and share
information.
It's also important for employers to communicate their policy
about handling personal health information, says Entwistle. "Even if you are
[complying] with the legislation, let people know what you're doing. Whatever you
do, communicate." BC
Don Bisch is managing editor of Canadian Healthcare
Manager, a sister publication of Benefits Canada. dbisch@rmpublishing.com.
|
News
News
