Chapter 8


Access to medical information

Background

8.1                  The duty of disclosure under section 21A of the Insurance Contract Act 1984 (Insurance Contracts Act) requires a person applying for insurance to disclose relevant matters, such as their medical history, to an insurer. The disclosure of relevant matters required by this duty allows an insurer to have access to the information necessary to determine through a risk assessment whether a person can be provided with insurance and, if so, the level of the insurance coverage.

8.2                  In order to facilitate the disclosure process regarding a person's medical history, life insurers request authorisation to access a consumer's medical information. This request for authorisation may occur at the time a consumer acquires a life insurance policy and also at the time of making a claim. The request for authorisation is usually accompanied by information on the life insurer's privacy policy as well as the third parties with whom a consumer's information may be shared. The amount and type of medical information a consumer authorises a life insurer to access and share is typically broad, particularly at the time of policy acquisition. Such broad authority is obtained by life insurers regardless of the nature or type of the life insurance policy.

8.3                  This chapter begins by examining how life insurers receive authorisation to access a consumer's information. This is followed by consideration of why life insurers require a consumer's medical information as well as concerns raised with the committee regarding the breadth of medical information that life insurers can access. How medical information is used during the claims handling stage is examined in Chapter 8 of this report.

Privacy framework

8.4                  The Privacy Act 1988 (Privacy Act) and the 13 principles known as the Australian Privacy Principles (APPs) govern how a life insurer who is an APP entity can obtain, store and share the information with other parties.[1] Under the Privacy Act and the APPs, medical information has the special status of 'Sensitive Information'.

8.5                  Under APP 3, life insurers must only collect information where it is reasonably necessary for the functions of the organisation and a consumer has consented to the collection.[2] The Office of the Australian Information Commissioner (OAIC) explained to the committee that consent must be informed, voluntarily given, up-to-date and provided by an individual who has the capacity to understand and communicate consent.[3]

8.6                  Where an APP entity receives information that it did not solicit and the organisation determines that it could not obtain such information in line with the requirements of consent and reasonable necessity, the information must be
de-identified or destroyed.[4]

8.7                  APP 11 requires that an APP entity ensure the security of the personal information it holds and actively consider whether it is allowed to retain personal information.[5] Reasonable steps must be taken by an APP entity to protect information from interference, loss or misuse, unauthorised access, disclosure or modification.[6] Steps that are reasonable for an entity to take depend on factors such as the size and resources of the entity, the amount of information held, the consequences for an individual if the information is released, and the practical implications of implementing security measures.[7]

8.8                  APP 8 and section 16C of the Privacy Act establish a framework for APP entities disclosing personal information across borders. However, the framework does not apply where an individual has consented to a secondary use of the information, such as the disclosure of the information to overseas recipients or mailing houses.[8]

8.9                  While the OAIC does not have data specific to the life insurance industry in terms of breaches of the APPs, it provided the committee with data on breaches and investigations for financial services (including superannuation) and the insurance industry as a whole.[9]

8.10        Such data applied to all information received, not just medical information. The data indicated that in 2016–17, 366 breaches were reported to the OAIC in relation to financial services (including superannuation) and 94 reports of breaches were received in relation to insurance. However, as breaches are to be reported to the OAIC only after the complainant has tried to resolve the matter with the organisation it claims has carried out the breach, it is unclear how many actual breaches there were in 2016–17.[10]

8.11             In terms of investigations carried out by the OAIC in 2016-17, 86 investigations were conducted into the financial services sector (including superannuation) and 41 investigations were conducted in relation to the insurance industry.[11]

8.12             In the last five years one privacy complaint against an insurer was determined by the Information and Privacy Commissioner.[12] This case involved the sharing of a customer's tax file number with a third party.[13]

Authorisation to access medical information

8.13             The Financial Services Council's (FSC) Life Insurance Code of Practice (Code) is a self-regulatory regime that contains a series of clauses pertinent to accessing medical information.

8.14             In order to facilitate the disclosure process as required under the Insurance Contracts Act, clause 8.6 of the Code states that life insurers are to obtain a general authority from consumers to access information from parties such as a person's doctor.[14] The clause further outlines that the general authority is to only be used by the insurer to obtain information that is relevant to the policyholder's claim.[15]

8.15             While clause 8.6 allows a person to deny an insurer authorisation to access their medical information, it is noted within the clause that such a refusal may delay the assessment of a claim or mean that a claim cannot be assessed at all.[16]

8.16             A number of life insurers provided the committee with the forms used to obtain the general authority described in clause 8.6 of the Code as well as their privacy statements.[17] The forms demonstrated that the authorisation obtained by life insurers for access to medical information can be presented to consumers as a standalone form often titled 'Medical Authority' or as part of a form often titled 'General Authority' or 'Authority'.[18] 'General Authority' or 'Authority' forms may relate to medical information as well as other types of information.

8.17             The forms and privacy statements received by the committee also demonstrated a difference in language used by insurers and distributors, as well as across different insurance products. While not limited to the below, differences also appeared in relation to:

  • the types of third parties that will also have access to a consumer's information, including companies based overseas; and
  • the level of explanation provided to a consumer regarding the insurer's privacy policy and storage practices.

8.18             In terms of third parties who can access a consumer's information, life insurers' privacy disclosure/policy statements provided to consumers at the time of claim varied and included the following statements:

  • To assist us with the purposes outlined above, we may disclose information collected to our related companies or with third parties including our re insurers, advisors, medical service providers and claims investigators. Some of the related companies we may disclose personal information to may be located overseas including the United Kingdom, India, the United States of America and Switzerland.
  • We may also disclose your personal information overseas to countries in certain circumstances that are likely to include India and USA.
  • We are unlikely to send your personal information to any foreign jurisdiction and we take steps to ensure our service providers don't either.[19]

8.19             It is not clear from the privacy statements submitted to the committee whether the information disclosed in the above circumstances would include sensitive information, such as medical information.

8.20             The forms also provided examples of how much information a consumer was given regarding the life insurer's privacy policy. Examples from authorisation forms at the time of claim included:

  • Declaration and consent: I/We have read and consent to the handling, collection, use and disclosure of my/our personal and sensitive information in the manner described in this form and the Privacy Policy on the AIA Australia website as updated from time to time…
  • Our Privacy Policy, a copy of which can be found at www.standrews.com.au, sets out how you can access and correct information we hold about you, how you can complain about a breach by us of your privacy rights and how your complaint will be handled. It also contains a more comprehensive list of countries to which your information may be disclosed and will be updated regularly.
  • You may contact our Privacy Officer in relation to your personal information (or to opt out of marketing) on 1300 363 159 or standrews@standrews.com.au

8.21             A common element present in almost all of the authorisation forms received by the committee was the broad nature of the general authority obtained by life insurers to access all of a consumer's medical information, regardless of the nature of the life insurance policy purchased or the claim made. The following examples demonstrate this:

  • I/We hereby authorise any medical practitioner, medical provider, health professional, hospital, dentist or other person who has attended me/us, to release to AIA Australia Limited or its representatives all information with respect to any sickness or injury, medical history, consultations, prescriptions, or treatment and copies of all hospital or medical records.
  • Medical Authority: I [NAME] agree that any medical practitioner, health care professional, hospital or other health service provider, whether named by me or not, who has been consulted by me, shall be and is hereby authorised and directed by me, to divulge to the insurer, or the insurer's agent all medical or surgical information he/she may have acquired with regard to myself.
  • Policy Owner/Life Insured's consent to obtain a medical report: I hereby consent to St Andrew’s and FlexiSure being provided with medical information, including copies of any medical reports, clinical reports or otherwise, from any Medical Practitioner who at any time has attended me concerning anything which affects my physical or mental health.[20]

8.22             During the inquiry, the committee became aware that life insurers were unsure of the amount of consumer's information that they held in storage. The committee received evidence from life insurers regarding the fact that, while they adhered to the requirements of the Privacy Act, life insurers were unable to determine the amount of personal sensitive information, including a person's complete medical record, that they had in their possession.[21]

8.23             As a consumer has to provide a broad authority to each insurer with whom they take out a policy, the committee understands it is likely that, to the extent that individuals have more than one life insurance policy, those individual's full medical records may be held by more than one life insurer.

8.24             Mr Peter Kell, Deputy Chairman, and Mr Michael Saadat, Senior Executive Leader at the ASIC, while not necessarily presenting an argument for or against the use of a broad general authority by life insurers, acknowledged the complexity of the issue due to the contractual and statutory requirements of disclosure.[22]

Arguments for a broad authority to access medical information

8.25             The FSC expressed the view that the duty of disclosure requires a broad authority to ensure that there is a factual basis from which claims can be managed. A broad authority at the time of application also ensures that enough information is obtained at the underwriting stage for risk assessment so that requests for information are limited at the claims stage.[23] AMP submitted a similar view noting that a broad authority may prevent delays to an application or a claim.[24]

8.26             The FSC explained that while a broad general authority allows an insurer to obtain all of a consumer's medical information, such access is not unfettered or unregulated as processes are in place to ensure an excessive amount of medical records are not obtained.[25] Additionally, Zurich Financial Service Australia Limited (Zurich) believed that the consumer understands that the insurer's need for as much information as possible is in the consumer's best interest.[26]

8.27             Beyond these general statements, however, the main reason put forward by the FSC and life insurers, such as Zurich and CommInsure, for a broad general authority to access medical information is to enable an insurer to pool risk and prevent anti-selection due to information asymmetry.[27]

8.28             Zurich explained that at the foundation of insurance is the principle of pooled risk.[28] This means that, rather than an individual bearing a financial risk if a certain event occurs, the individual is able to be a part of a pool with other insured people, thus allowing for the risk to be spread amongst the insured pool.[29]

8.29             However, in order for the pool to be sustainable and equitable for its members, the premium paid by an individual within the pool must appropriately reflect the individual's level of risk.[30]

8.30             For this risk to be accurately priced, the risk must be assessed by the insurer. This is known as a form of underwriting as outlined in chapter 2 of this report. The insurer requires as much information as possible in order to assess risk during the underwriting stage and will consider factors such as gender, age, occupation, and smoker status.[31]

8.31             Insurers will also consider whether the individual's risk warrants certain exclusions in their insurance cover or a denial of insurance cover altogether.[32]

8.32             Accurate pricing of risk ensures that more affordable cover is available, the risk pool is sustainable, and the life insurer is able to pay claims.[33]

8.33             Zurich was of the view that thorough underwriting that accurately assesses risk will, in turn, reduce the pressure on public health and social safety nets.[34]

8.34             Both the FSC and Zurich explained that anti-selection will occur where an insurer cannot accurately price risk due to limited information provided by a consumer.[35]

8.35         Furthermore, anti-selection is not equitable to others in the pool because premiums will be increased to cover an individual risk that was not initially assessed.[36] This in turn can affect the sustainability of the pool to pay claims as policyholders are likely to exit the pool in response to increased premiums.[37]
Anti-selection may also cause underinsurance for certain sections of the community.[38]

8.36         The importance of insurers having access to as much information as possible in order to determine and price risk accurately was also acknowledged by the Productivity Commission in its report Data Availability and Use.[39]

8.37         The Productivity Commission's report noted that economics has long recognised information asymmetry (the consequence of not sharing enough information) as detrimental to competitive markets.[40] The Productivity Commission also noted that sharing information can alleviate such information asymmetries and allow for both competition amongst suppliers and appropriately priced products.[41]

8.38         The Disability Discrimination Act 1992 (Disability Discrimination Act) is intended to ensure that people with disabilities have the same rights as the rest of the community and to eliminate, as far as possible, discrimination against persons on the grounds of disability. Nonetheless, the Disability Discrimination Act allows the insurance industry to uphold the principle of pooled risk by allowing insurers, in some instances, to use medical information to accurately price risk and make decisions about a policyholder.[42]

8.39         Treasury informed the committee that section 46 of the Disability Discrimination Act provides an exemption to insurers in some situations.[43] The broad effect of this exemption is that insurance premiums and/or policy terms are permitted to vary according to variations in factors that affect risk, including, as previously explained in this chapter, the age and gender of the insured. In order to be able to rely on this exemption, insurers must base their decision on actuarial or statistical evidence and, in the case where no such evidence exists, have regard to other relevant factors.[44] Additionally, some accountability is provided by Section 107 of the Disability Discrimination Act which gives the Disability Discrimination Commissioner the power to require an insurance company to present the actual or statistical data or risk being found to have breached the law.[45]

8.40         As set out in this and the prior section, the evidence from both the FSC and life insurers shows that the words used by insurers in their forms actually requests as much information as possible from consumers. However, in contrast to the wording contained in the medical request forms and the reasons given by various life insurers, Ms Sally Loane, Chief Executive Officer of the FSC, appeared to contradict the position that the FSC had previously put forward. Appearing before the committee on 1 December 2017, Ms Loane stated that life insurers do not want 'to go through more information than they need to assess an application or a claim'. Instead, Ms Loane said that life insurers only want information pertaining to specific issues.[46]

8.41         The FSC also expressed that they 'are committing to reframe [clauses] 8.5 and 8.6 [of the Code] because we do understand the concerns'.[47] Ms Loane stated that the life insurance industry would welcome a recommendation from the committee that the industry develop a framework with the Royal Australian College of General Practitioners (RACGP) for GPs and insurers to use when determining what information should be provided to the insurer. This framework would be included in the next iteration of the Code.[48]

Arguments against a broad authority to access medical information

8.42         The committee received evidence from medical organisations and mental health advocacy organisations that raised various concerns about life insurance companies having a broad authority to obtain copies of patient medical records, including consultation notes. These concerns included:

  • the appropriateness of life insurers gaining access to potentially highly sensitive but not necessarily relevant personal medical information;
  • the difficulty for a medical practitioner in determining whether the release of complete medical records would be in the patient's best interest;
  • the difficulty in determining whether a patient's prior consent to release medical information can reasonably be taken to be up-to-date;
  • the risk that doctors may under-document a patient's condition in their consultation notes because of concerns about how a life insurer might use or misinterpret certain information; and
  • the risk that a patient may not fully disclose their condition, for example, mental health, for fear of how a life insurer might use that information to assess cover or a subsequent claim.[49]

8.43         Dr Edwin Kruys, Vice President and Chair of the Royal Australian College of General Practitioners (RACGP) Queensland, explained the difference between 'medical records' and 'medical reports'. He told the committee that 'medical records' reflect a patient's encounters with a GP and can include reports and consultation notes. By contrast, 'medical reports' are prepared by GPs after they have reviewed 'medical records' and may contain facts and opinion, where an opinion is requested by a third party.[50]

8.44         Dr Bastian Seidel, President of the RACGP, explained that while a medical record may contain a diagnosis of a patient, it will not necessarily include a prognosis. Dr Seidel emphasised the vital importance of a prognosis when considering a patient's future risk of illness and life expectancy because it may take account of treatment options and lifestyle changes.[51]

8.45         Zurich stated that they only ask for medical reports on a customer's medical history during the underwriting stage for risk assessment.[52] However, the RACGP shared its belief that there has been a movement by life insurers towards requesting whole medical records due to the lower costs associated with accessing a full medical record compared to obtaining a tailored report.[53] Dr Kruys noted that currently 50 per cent of requests for medical information made by life insurers are for whole medical records rather than medical reports.[54] Furthermore, Associate Professor Stephen Bradshaw, a Practitioner Member of the Medical Board of Australia, suggested this may be higher indicating that he has 'never had a targeted inquiry'.[55] Dr Seidel was firmly of the view that the cost of a medical record should not be a relevant consideration in terms of determining whether a medical record or a medical report should be obtained by an insurer. In this regard, Dr Seidel noted that 'a patient's medical record is not a tradeable commodity'.[56]

8.46         The committee also heard concerns from medical bodies in relation to how a broad authority will apply to electronic health records. Ms Anne Trimmer, Secretary General, Australian Medical Association (AMA) raised with the committee the possibility that electronic health records alongside a broad authority will present a further challenge for a GP and/or treating doctors who will have to collate all reports placed on the electronic record by different doctors.[57] This will mean that what the current GP or treating doctor provides to the insurer will consist of documentation outside of their relationship with the patient.[58]

8.47         MDA National, a Medical Defence Organisation informed the committee that it does not record the exact number of times its members ask for assistance regarding an insurer's request for patient records.[59] However, MDA National did confirm that it provides such assistance to GPs every week.[60]

8.48         In terms of the advice provided to its members, MDA National explained that this broadly involves assisting its members in identifying what has been specifically requested and whether patient consent has been granted.[61]

8.49         The Medical Indemnity Protection Society also stated that they regularly provide advice on this matter but noted there has been no increase in requests for advice.[62] Medical Insurance Group Australia, another Medical Defence Organisation, also noted that it has not seen an increase in the number of requests for advice.[63]

8.50         Dr Kruys raised concerns about the appropriateness of life insurers having access to full medical records:

For any organisation or business, we would find it inappropriate if you would ask your customers to provide information about their sexual health, for example. Yet insurers requesting all this information, including sexual health and other intimate information, that's stored in that record is apparently appropriate.[64]

8.51         Associate Professor Stephen Bradshaw, a Practitioner Member of the Medical Board of Australia, highlighted that ultimately the problem of providing full medical records is of an ethical nature. For Associate Professor Bradshaw, a broad authority places GPs and other medical doctors in an invidious position in that doctors are being asked to provide information to life insurers that may not be in the best interest of the patient.[65]

8.52         This difficulty in determining whether the release of medical records would be in the patient's best interest is compounded by the fact that the issue of consent in relation to insurers' access is fraught, as such consent can be out-dated and provided to an insurer prior to any specific insurance claim being made.[66]

8.53         Dr Kruys drew the committee's attention to the experiences of RACGP members that have been required to explain to patients that an insurer having access to their medical information could lead to higher premiums or their claims being denied.[67] The committee also heard that where a GP explains to the patient what they were actually consenting to, a number of patients withdraw their consent.[68] However, Ms Trimmer and Associate Professor Bradshaw pointed out that most doctors would not have the time to have such a conversation with their patients.[69]

8.54         MDA National asked the committee to consider recommending a requirement that life insurers must inform the patient/policyholder of any requests they make for the patient's/policyholder's medical records and provide the patient/policyholder with the opportunity to say no to such a request.[70]

8.55         This approach would be similar to how parties in litigation are informed when a subpoena is issued to a third party.[71] It was MDA National's belief that such a requirement placed on insurers would provide 'greater certainty for medical practitioners who are the subject of such requests, often where the issue of consent is not clear'..[72]

8.56         The committee also heard that GPs may be under-documenting a patient's risk for fear of what consequences this would have for a patient to obtain insurance or make an insurance claim.[73]

8.57         For example, the RACGP explained to the committee that consultation notes are not created for the purpose of a life insurer to assess an individual's risk.[74] Rather, as Dr Kruys explained to the committee, 'consultation notes are…a comprehensive written record of the conversations that have taken place, containing sensitive information to support us when providing quality care'.[75]

8.58         However, the inclusion of consultation notes in the documentation provided to life insurers under a broad authority places GPs in a difficult situation where they want to record a patient's consultation appropriately and in line with 'medico-legal' obligations, but must also consider the broader impact such notes will have on a patient, such as obtaining insurance or making an insurance claim.[76]

8.59         In addition, the RACGP noted that its members are concerned about life insurers misinterpreting consultation notes, and the risk this poses for both GPs and patients.[77]

8.60         In this regard, the forms provided to the committee from life insurers illustrated the following references to clinical notes at the time of a customer making a claim:

  • I /we authorise any treating doctor, physician, rehabilitation specialist or other medical or health care provider, ambulance service, hospital, police, social security or other government department, workers compensation insurer, employer, accountant, other insurer (or entity providing insurance type services), to provide/release to ClearView Life Assurance Limited all medical information… I am / we are aware that clinical notes, or part of the clinical notes, will inevitably include confidential medical information, which is irrelevant to the claim.
  • I hereby authorise Zurich to provide my personal information (which may including sensitive or health information) to any physician, hospital or any other health care provider that has attended or examined me in order for them to supply Zurich with full particulars of my medical history, including copies of all hospital or medical records, referral letters, reports and details of any clinical notes that have been made.

8.61         Dr Kruys observed that GPs, or any other medical doctor, are subject to legal and ethical obligations to produce truthful medical reports that do not omit important issues.[78]

8.62         In addition to the concerns raised above regarding the risks to overall patient welfare posed by the release of full medical records including consultation notes, Dr Kruys and Dr Seidel were of the view that a targeted medical report would be more appropriate for insurers as the information contained in the report would be easier to apply a risk assessment to, rather than a life insurer potentially having to consider years of raw data.[79]

8.63         In light of the above, both the RACGP and the AMA argued that life insurers should only be authorised to obtain targeted medical reports rather than complete medical records.[80]

8.64         In terms of how a broad authority affects patients, Dr Stephen Carbone, Policy, Research and Evaluation Leader at beyondblue, expressed the view that patients may be reluctant to share their problems with GPs for fear of how insurers will use the information when deciding whether to provide cover or when assessing a claim.[81] Such fears seem to be particularly related to mental health conditions being used to deny cover or a claim unrelated to mental health.[82] The committee was told that this may lead to patients not receiving adequate treatment or appropriate care for mental health conditions.[83]

8.65         In terms of being able to purchase life insurance, it was pointed out to the committee that a beyondblue study found that 67 per cent of the study's participants 'agreed it was difficult to obtain life and income protection insurance' due to mental health conditions.[84]

8.66         Furthermore, the study noted that while people with mental health conditions can obtain life insurance, this at times is at a higher cost due to mental illness or through a policy that has mental health exclusions.[85]

8.67         Ms Nadine Bartholomeusz-Raymond, General Manager of Education, Families and Diversity and Access at beyondblue, told the committee that it is not just having a mental health condition that may make it difficult to obtain insurance, but also the fact that a person may have seen a counsellor once and this was documented in consultation notes.[86] Such documentation was claimed to be used by insurers to deny access to insurance products.[87] Claims handling is discussed in detail in chapter 10 of this report.

8.68         The RACGP, beyondblue and the Royal Australian and New Zealand College of Psychiatrists (RANZCP) pointed out that the way in which a person's mental health information is used by an insurer for risk assessment purposes is problematic.[88]

8.69         Specifically, these groups believed that it is unclear what data is being used by insurers to make underwriting decisions that include assessment of mental health information, whether such data is up to date, and if the data reflects the fact that mental illness takes many forms and affects individuals differently.[89]

8.70         Ms Michelle Marie Cohen, Senior Solicitor at the Public Interest Advocacy Centre, shared similar concerns and Ms Alexis Goodstone, Principal Solicitor at the Public Interest Advocacy Centre, added that she believed these concerns relate to a range of insurers.[90]

8.71         In its response to the concerns raised about the use of mental health information by life insurers, the FSC informed the committee that it is very rare for a blanket exclusion to be in place for pre-existing mental health conditions when applying for life insurance. Furthermore, the FSC was not aware of any of its members denying complete insurance coverage due to pre-existing mental health conditions.[91]

8.72         In addition, the FSC submitted that there is a range of life insurance cover that is available for mental health.[92]

8.73         The FSC also stated that while most insurance providers meet their legal obligation to clearly explain the duty of disclosure to consumers, the misunderstanding regarding blanket exclusions and mental health conditions reflected a need for greater education of consumers. [93]

8.74         In this regard, the FSC explained it is creating a key fact sheet to improve consumer understanding regarding disclosure for insurance within superannuation.[94]

Committee view

8.75         The committee agrees with the view put to it by ASIC that the issue of life insurers accessing a broad range of a consumer's personal information is complex due to the statutory requirements for consumers to disclose relevant information to an insurer.

8.76         The committee notes the evidence it received from the Financial Services Council and from life insurers explaining the principles of pooled risk and underwriting that underlie insurance and why this serves as a justification for a broad general authority to access a customer's medical information.

8.77         The committee further notes the claim made by life insurers that while a broad range of information may be obtained, life insurers only use information that is relevant to assessment of a policyholder's risk.

8.78         However, it remains unclear to the committee why approximately half of life insurers ask for complete medical records considering the assertion made by the industry that only relevant information is used by the insurer. The committee believes that the view that this is a less expensive way of obtaining information is insufficient justification.

8.79         It is also unclear how information within the records is both determined to be relevant and assessed for risk purposes, particularly in relation to mental health. The committee discusses and makes recommendations on the assessment of mental health issues during the claims process in chapter 10.

8.80         While the committee acknowledges that life insurers have not been found to have breached Australian Privacy Principles in relation to the access and sharing of a consumer's information, the committee is concerned that life insurers are unable to determine the number of full medical records kept in storage. This is problematic when not all of the medical information requested or received by life insurers is required to determine a claim. It is also particularly problematic that, in some instances, insurers may share information with third parties overseas, the extent and oversight of which is unclear.

8.81         The committee notes that the authorisation forms used by life insurers vary between insurers and products, and that consumers are offered an opportunity to decline to provide life insurers with a broad authorisation to access medical information. However, declining to provide a broad authorisation may lead to delays in the approval of an application or a claim. Given the consequent risk of delay, the committee questions whether the option to decline to provide a broad authority actually represents a genuine choice for consumers. In fact, the tone and language of the current FSC Code does not reflect assertions by the industry that full medical records are rarely required.

8.82         Chapter 3 of this report considered consumer protections in the financial services sector, including life insurance. As set out in chapter 3, the committee recommended legislative reform such that consumer protections would apply to all insurance. As such, the committee is of the view that forms requesting access to a consumer or policyholder's information should be subject to consumer protections including laws on unfair contract terms. Where the forms requesting such access do not form a part of the contract, the committee considers that the forms should be brought into the insurance contract so that consumer protections apply.

8.83         The access of life insurers to full medical records and related documentation rather than targeted reports has placed medical doctors, particularly GPs, in an invidious position. Evidence to the committee from medical organisations emphasised the ethical dilemma that medical practitioners face in terms of having to provide information to life insurers that may not be in their patients' best interest.

8.84         The committee is very concerned about evidence provided that patients are reluctant to seek necessary treatment, particularly for mental ill health, due to concerns over life insurers having access to their full medical record and then using such information to limit or deny coverage or a claim. Individuals should not have to trade off financial stability, which could be secured through life insurance, against their health.

8.85         Based on the evidence provided to the committee about the effect a broad authorisation has on both GPs and patients, as well as the questions raised regarding the utility of insurers obtaining all of a consumer's medical information, the committee is firmly of the view that life insurers should only have access to targeted information.

8.86         This more targeted approach will ensure unnecessary information is not kept in storage and will protect the privacy of individuals. It should also improve the doctor-patient relationship, ease some of the ethical burden placed on GPs, and no longer impact on an individual's decision to seek treatment.

8.87         In relation to informed and up-to-date consent, the committee notes the need for medical practitioners, particularly GPs, to be sure that their patient is aware that they have provided consent to a life insurer to access their medical records.

8.88         The committee agrees with MDA National's position that a life insurer should inform the patient/policyholder when the life insurer requests access to a patient's medical records, reports or other medical information. In addition, the committee is of the view that a life insurer should inform the patient/policyholder when the life insurer seeks to provide their medical information to any third party, including any overseas third party. The committee feels that this would be best served by progressing to a system of real-time disclosure that would allow consumers to track the progress of their claim.

8.89         The committee considers that the interests of consumers are paramount, but recognises that two competing consumer interests at play, namely the consumer's interest in privacy and the consumer's interest in reduced costs.

8.90         The committee is also of the view that doctors have a responsibility to only provide the information that is requested and not provide a patient's full medical record, particularly as doctors also have a responsibility to protect the privacy of their patients.

8.91         The committee is also of the view that a patient/policyholder should have the opportunity to decline a request for medical information, including the provision of that information to a third party. The committee acknowledges that any objection to the release of medical information may affect the assessment of a claim. In this regard, the committee is of the view that requiring life insurers to request a medical report rather than having access to full medical records would substantially alleviate any possibility that a patient/policyholder would deny access to medical information relevant to the proper determination of a claim.

8.92         The committee notes that data storage in the life insurance industry is currently regulated by APRA and the National Privacy Principles.  These cover onshore and offshore arrangements.

Recommendation 8.1

8.93         The committee recommends that:

  • the Financial Services Council and the Royal Australian College of General Practitioners collaborate to prepare and implement agreed protocols for requesting and providing medical information;
  • the Financial Services Council develop a uniform authorisation form for access to medical information at the time of application and at the time of claim that must be used by all of its members;
  • this uniform authorisation form explain to consumers/policyholders in clear and simple language how information will be stored and used by third parties; and
  • a consumer/policyholder should be able to use the same uniform authorisation form between different life insurers and different life insurance products.

Recommendation 8.2

8.94             If the Financial Services Council and the Royal Australian College of General Practitioners have not agreed to protocols within six months, the committee recommends that at the time of application, life insurers must only ask a consumer's General Practitioner, or other treating doctor where relevant, for a medical report specific to the consumer's relevant medical conditions. In circumstances where such a report cannot be prepared, life insurers cannot ask for access to clinical notes regarding the consumer/policyholder.

Recommendation 8.3

8.95             If the Financial Services Council and the Royal Australian College of General Practitioners have not agreed to protocols within six months, the committee recommends that at the time of a consumer/policyholder making a claim, life insurers can only ask a policyholder's General Practitioner, or other treating doctor where relevant, for a medical report that is specifically targeted to the subject matter of the claim. In circumstances where such a report cannot be prepared, life insurers cannot ask for access to clinical notes regarding the consumer/policyholder.

Recommendation 8.4

8.96             If the Financial Services Council and the Royal Australian College of General Practitioners have not agreed to protocols within 6 months, the committee recommends that life insurers must obtain consent from a policyholder each time it intends to:

  • request a policyholder's medical records, reports or other medical information from their General Practitioner or other treating doctor; and
  • share a policyholder's information with a third party.

Recommendation 8.5

8.97             The committee recommends that the Financial Services Council, in discussion with the Royal Australian College of General Practitioners, update the Life Insurance Code of Practice and relevant Standards to reflect Recommendations 8.1, 8.2, 8.3, and 8.4.

Recommendation 8.6

8.98             The committee recommends that if insurance contracts are to be subjected to consumer protections, including laws on unfair contract terms:

  • where the authorisation form for a life insurer to access a consumer's/policyholder's medical information is within the insurance contract, consumer protections apply, including laws on unfair contract terms; and
  • where the authorisation form for a life insurer to access a consumer's/policyholder's medical information is outside of the contract, authorisation forms are to be brought within the contract to allow for the application of consumer protections, including laws on unfair contract terms.

Recommendation 8.7

8.99             The committee recommends that it become the practice of life insurers to institute real-time disclosure that would allow consumers to track the progress of their claim.