Group benefits providers report: Insurers get a boost in the battle against fraud

The fight against fraud

For group benefits providers, the most positive development is likely the new provision that will help them fight fraud by allowing for increased disclosure of information without consent in certain cases.

Section 7(3)(d.2) now permits one organization to disclose personal information to another for the purposes of detecting, suppressing or preventing fraud when “it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud.”

Before the amendment, insurers had to obtain the consent of anyone they had a contract with before disclosing their personal information even if that person was suspected of involvement in fraudulent activity.

Read: Up to 600 TTC employees involved in benefits fraud

The new provision, says Daniel Strigberger, an insurance lawyer in Waterloo, Ont., will essentially allow insurers to talk to each other. That, he says, “has often been such an awful experience, trying to have two different insurance companies working together for the same goal but afraid that they were going to contravene the privacy rights of the alleged fraudsters that they were targeting, which seems a bit counterintuitive.”

The new law, he adds, provides some reassurance. “I think this gives a bit more protection to insurers who might be concerned that they are violating the privacy rights of individuals or other companies, even [those] who might be the subject of fraud investigations, and so I think it’s one of those things that they have to start using.”

Many of the amendments also create welcome consistency with privacy legislation in Alberta and British Columbia, says Canadian Life and Health Insurance Association vice-president and general counsel Frank Zinatelli. The changes, he suggests, give the industry more tools to fight fraud and investigate breaches of an agreement.

For group benefits providers, for example, the new provision makes it clear they have the ability to disclose inappropriate claims or use of benefits that set out a fraudulent pattern to someone other than the policyholder, such as the employer or a regulatory body.

Read: Arrests made in alleged $4-million benefits fraud scheme

The association has also noted publicly that it’s taking on the issue of fraud prevention this year in the face of complex approaches to the misuse of benefits plans. Efforts will include helping insurers to consider ways to share claims data in order to identify fraud trends that the association says can be hard to pinpoint when each provider is working independently.

The group benefits providers themselves have been working with their legal counsel and the association to understand the implications of the Bill S-4 changes. One provider noted that while it’s early days, it believes the amendments will facilitate actions against fraudulent activities in the industry as well as communications with policyholders and other insurers.

‘Huge headache’ around consent

The change that’s perhaps most confusing for insurers is the new provision related to valid consent found in s. 6.1. With that addition, consent is only valid “if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.”

Prior to the amendment, organizations only had to “make a reasonable effort” to ensure the individual knew why they were collecting or using the information.

Zinatelli says group benefits providers are still trying to get a better sense of what the change means. While there are suggestions that legislators are referring to children and other vulnerable populations, the legislation doesn’t specifically mention that.

“We’re all for valid consent. We just don’t understand exactly what that additional word does because certainly the definition of consent is something that organizations have come to understand over the last 10 to 15 years since the legislation has been in place, and providing informed consent is what companies strive to do all the time and do,” says Zinatelli. “We’re still paying attention and trying to see if we get any more details as to whether we need to do anything differently going forward,” he adds.

As Strigberger explains, the new consent provision could be a “huge headache” for insurance companies due to the fact that they collect, use and rely upon sensitive data.

Read: The impact of technology on benefits fraud

“If they don’t have the required consent and they’re using it in a way that is necessary for claims handling, then that could cause a lot of problems between them and the claimants and the privacy commissioner,” he says.

Eloïse Gratton, a privacy lawyer with Borden Ladner Gervais LLP who spoke before a House of Commons committee last year about the bill, says companies had come to know what to expect with PIPEDA as it has been around for more than a decade. The new requirements related to obtaining consent, she says, are “a little bit grey.”

“You put together your consent forms and you’re used to doing business a certain way, and then the legislator changes that consent provision. What does that mean? Do you have to reopen your consent forms? And it’s not even clear what they’re looking for,” she says.

Over the last few months, Gratton says she has been reviewing consent forms sent in by concerned clients asking if they’re still in compliance with the law.

While most haven’t required amendments, in some situations, Gratton has recommended changes related to the delivery of the forms rather than the language itself.

“For instance, if it’s obtained online, making sure you see it when you log on or things like that,” she says.

In other cases, it’s about calling attention to specific words. “They’ve had to make sure that the person understands, so sometimes it was about raising attention to some wording, specific wording, making it in bold,” says Gratton.

Strigberger suggests insurers could get together internally to come up with processes that will allow them to put together compliance programs and make sure they’re complying with the consent requirements with respect to their own clients.

New breach requirement

One change from Bill S-4 that’s not yet in force is the mandatory requirement for organizations to notify the federal privacy commissioner and an affected individual of “any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.”

Once the government works out the regulations and the section becomes law, organizations will also have to keep and maintain a record of every breach involving personal information.

Read: CHCAA raises fraud awareness

In his comments before the House of Commons committee on the bill last year, Zinatelli cited the association’s concern about the scope of breaches the requirement might include. He suggested clarifying the provision so it wouldn’t include breaches of a minor nature, such as a colleague seeing personal information on a computer screen.

In the meantime, for group benefits providers, minimizing fraud in order to keep costs down for everybody is top of mind, says Zinatelli.

“Certainly, companies are aware of the new rules and looking as to how they can use them with that goal in mind, for the good of everybody, so for the good of members and for the good of policyholders and insurers as well.”

Read: 2016 Group Benefits Providers Report shows strong growth for ASO

Get a PDF of this article.

Helen Burnett-Nichols is a Toronto-based freelance writer.