This work is licensed under a Creative Commons License.



PrivacyInfo.ca Decision Summary 525



DECISION # 383: Rehabilitation Officer Provides Confidential Medical Information to Employer Without Consent
    
Complaint Summary
         
When applying for long-term disability benefits, the complainant signed a limited consent form which restricted the right of the benefits administrator to transfer his medical information to his employer. The limited consent form did not permit any disclosure of personal information to the complainant’s employer without his express written consent. It also indicated that additional written consent was required for any use or disclosure for claim evaluation or review purposes.

When the complainant was ready to return to work, a specialist provided a report to clear him to work on a gradual basis. A rehabilitation officer was assigned to coordinate his return to work. The complainant expressed directly to the rehabilitation officer his concerns about any disclosure of medical information to his employer, and he noted that he had signed only a limited medical consent with the intent of restricting the right of the administrator to transfer personal medical information to his employer. The rehabilitation officer thought she had the complainant’s verbal consent to tell his employer he could return to work, as indicated within the specialist’s report.

Before the complainant could sign a standard three-way authorization form, the rehabilitation officer sent an email to the employer’s health care consultant quoting from the specialist’s medical report on the complainant. The information quoted did not mention the complainant’s condition but did contain notes on his ability to work, side effects of his treatment and possible limitations on his activities. Five days after the email was sent, the complainant told the rehabilitation officer by phone that he consented to her advising his employer’s health care consultant that he was able to return to work without restrictions and that he required a return-to-work date. However, the complainant objected to her sending any information that seemed to be a medical opinion. The complainant did not realize she had already transmitted this information through email to the consultant.

The complainant was very upset about this disclosure as it resulted in his employer denying his accommodation requests. His office manager indicated she acted on the basis of “medical information” received from the employer’s rehabilitation group when setting the complainant’s return-to-work date. The complainant informed the administrator of his complaint. Although an apology was provided, the administrator did not think there was an inappropriate disclosure of confidential medical information.

The benefits administrator stated that it took great care to ensure no sensitive information was disclosed without consent and that information was released only to the extent required to fulfill its contractual obligations. The benefits administrator maintained that no medical information was released since no particulars about the condition were disclosed in the email. The benefits administrator believed the complainant provided verbal consent in a voicemail with the rehabilitation officer on the same day she sent the email. The complainant maintained that he only consented to the officer advising his employer that he was able to work without restrictions and required a return-to-work date, not that the officer could inform his employer without restrictions or limitations on what the officer said.
    
Findings Summary
         
The Privacy Commissioner considered two issues: (1) whether the information released was medical information; and (2) whether there was consent to release that information.

First, the Privacy Commissioner found that the excerpts from the specialist’s report pertained to the complainant’s personal medical status even though they did not pertain to his specific medical condition. The Commissioner found that the specialist’s professional opinion about the complainant’s physical health, his treatment plan and the side effects qualified as sensitive personal information about the complainant. Thus, the complainant’s restricted consent applied, as did Principle 4.3.6.

Second, the Privacy Commissioner found that although the administrator felt it had the complainant’s verbal consent, no written consent was given by the complainant to disclose to his employer that he was able to return to work with no restrictions or limitations. This was contrary to the complainant’s signed restricted consent on file with the administrator. The complainant had also directly communicated his concerns about the disclosure of medical information to the administrator in his claim form and Authorization for Release of Information form. Therefore, the transfer of the medical information to the complainant’s employer was contrary to Principles 4.3 and 4.3.6.

The Privacy Commissioner recommended that the administrator ensure its employees obtain unambiguous express consent to the release of sensitive medical information to third parties prior to such a release. This would avoid misunderstandings about the scope of authorization provided and provide a safeguard against disclosing sensitive medical information. She also recommended that the administrator inform the employees about: (i) the process by which express consent should be properly obtained; (ii) the need for written consent in most, if not all, cases; (iii) the employees’ obligations to adhere to specific requirements of restricted consents; and (iv) the fact that verbatim excerpts from medical specialists’ reports on a patient constitute that patient’s personal information. Finally, the Commissioner recommended that the administrator update its policy and training materials.

Since the administrator implemented all of the recommendations and informed the employees that verbatim excerpts from medical specialist reports constitute a patient’s personal information, the Privacy Commissioner found that the administrator had now complied with Principles 4.3 and 4.3.6. Therefore, the Assistant Privacy Commissioner deemed the complaint to be well-founded and resolved.
    
Resolution
         
    
Notes/Comments
         
    
Provisions Raised/Addressed
         
Principles 4.3 and 4.3.6
    
Other Information

          Decision Date:  2007 October 30th
          (Not) Well-Founded:  Well-Founded
          (Not) Resolved:  Resolved
          Sector #1:   Healthcare/Medical
          Sector #2:   Employment/Employer
          Online at:  http://www.priv.gc.ca/cf-dc/2007/383_20071030_e.cfm

Site Last Updated: 2010-02-16
Copyright (c) 2003 Michael Geist