Effective January 1, 2004, legislation dealing with personal privacy in the electronic age referred to as the “Personal Information Protection and Electronic Documents Act” (PIPEDA), will apply to all personal information collected, used and/or disclosed in the course of commercial activities, unless provinces enact legislation that is substantially similar. As written, this legislation will impact most, if not all employers, and have a direct impact on the administration of group health plans.

Knowledge and Consent

The central concepts of PIPEDA are Knowledge and Consent. Under PIPEDA, organizations are required to obtain the consent of individuals before acquiring and handling their personal information. In obtaining consent, it is the responsibility of the organization to identify the purpose(s) for which the personal information is being collected, as well as how it will be used, disclosed, etc., when the information is collected. The use or disclosure of such information is limited only to those purposes consented to by the individual.

HealthSource Plus and You - Partners in Privacy

In responding to the requirements of PIPEDA, HealthSource Plus (HSP) has developed its Privacy Policy and Complaint Procedure, identifying how plan member information will be handled, shared, stored and destroyed. Please review our policy and complaint process statements to ensure they are in alignment with your own privacy policy and practices. It is our understanding that it is the responsibility of each employer to obtain the consent of each employee and where applicable, each employee’s spouse/partner, identifying how their personal information will be used and shared with respect to outsourced services, such as group health plans. It is our expectation that such consent will be obtained by you prior to providing HealthSource Plus with personal information about an individual.

HealthSource Plus Privacy Policy

HealthSource Plus will make every effort to ensure that personal information regarding group benefit plan members, their spouses/partners and/or eligible dependents is handled, secured, shared and destroyed using means that reflect the spirit of enacted privacy legislation. Only the information necessary to effectively administer each group benefits plan; obtain quotes for underwritten/insured products within that plan; verify the identity and eligibility of a plan member, spouse or eligible dependent; adjudicate and pay eligible claims; and audit plan expenditures will be collected and used by HealthSource Plus. Such information will only be provided to those insurers/adjudicators contracted by HealthSource Plus to provide services within the plan. Health benefit providers contracted to provide services through HealthSource Plus will be required to have their own privacy policy and practices defined and in operation. HealthSource Plus will endeavour to strike a reasonable and appropriate balance between individuals’ privacy rights, and the requirements of HealthSource Plus to collect, use, disclose and report such information in the operation of the plan. HSP’s Privacy Policy will be reviewed from time to time to ensure it is accomplishing its purpose and as may be necessary to respond to changes in legislation.

HealthSource Plus Privacy Practices

Enrollment and claims information will be collected from plan sponsors for their plan members:

• To enroll the employee (and spouse/partner/eligible dependents where applicable) in the elected plan coverage, to correct or amend member information, or to implement changes to coverage that may be enacted over the term of the plan;
• To verify eligibility and authenticate the identity of the employee and/or eligible dependents;
• To ensure benefits are paid in accordance with the policy provisions;
• To protect the plan from undue expenses due to error or fraud by auditing and reporting on plan activity to the plan sponsor;
• To only use such information as is required to provide the services outlined in the group benefits contract.

Enrollment and other plan member records will be secured in locked cabinets while on HealthSource Plus premises. Such documentation will be retained for a reasonable period of time after the member has left the plan, or after the plan has terminated, to ensure any and all outstanding claims can be adjudicated in accordance with the plan design. When documentation is destroyed it will be shredded.

HealthSource Plus Complaint Process

The following process will be used when responding to Privacy Act complaints:

1. The complaint should be made in writing to the HealthSource Plus Privacy Officer;
2. The Privacy Officer will investigate the complaint and provide a written report of his/her findings to the Executive Team of HealthSource Plus. The investigation will require sufficient time so as to be thorough; however, will be completed in a timely manner;
3. The Executive Team will respond to the complainant outlining the outcome of the investigation and if necessary, identify any remedial steps that will be taken to resolve the complaint and the timeframe in which such steps will be completed;
4. A copy of the complaint, the investigation report, the outcome, along with a record showing the completion of any required remedial steps will be retained by HealthSource Plus and will be made available to the Privacy Commission at their request.