Back Issues
THE RILEY REPORT - July 2004
from Thomas B. Riley 
www.rileyis.com
Following is the Riley Report for July
2004. Please feel free to pass this on as you see fit. If you wish to use any or part of the Report in an offline publication please acknowledge the author or contact the author if to be fully republished offline. If you are not currently subscribed to the Riley Report (there is no charge) you can email
and simply put subscribe in the body of the text. You can also go to the Riley Report at:
www.rileyis.com/report/index.html and subscribe there.
This month's report is from
author David Keeshan, Ottawa, Canada who presents an overview of recent health
privacy issues.
This article originally appeared in Health Privacy in Canada: Law, Practice and
Compliance, Vol. 2, No. 5, and is reproduced here with the permission of the
publisher, Electric Law Press Limited. Information on Health Privacy in Canada:
Law, Practice and Compliance can be found at www.electriclawpress.com/Publications/HPIC/hpic.html
Patriot Act
Controversy Heats Up
David Keeshan B.A. LL.B.*
Overview
A number of provincial and federal statutes impact how personal health
information can be collected, used and disclosed by government bodies and health
information custodians. Some of these statutes are health sector specific,
such as Alberta's Health Information Act, Manitoba's Personal Health Information
Act, Saskatchewan's Health Information Protection Act, and Ontario's new
Personal Health Information Protection Act. In other provinces, such as
British Columbia and Quebec, the province's general freedom of information and
protection of privacy law applies to the governmental health sector.
As long as the administration of public health services is in government hands,
the personal health information of Canadian residents that flows through the
public system is protected, at least in part, by these public sector privacy
laws. Potential privacy issues arise, however, when the administration of
health services is contracted out to private sector companies, who are not
governed by public sector legislation. Even more vexing legal complications
arise, however, when the contractor is a foreign company, and extraterritorial
jurisdictional issues come into play. This is currently the case in
British Columbia, where the government's stated intention to contract important
health care administration services to an American-based corporation has raised
concerns that some Canadians will thereby become subject to the provisions of a
controversial piece of American legislation, Uniting and Strengthening America
by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA
PATRIOT ACT) Act of 2001, Public Law 10756, better known as the USA Patriot Act,
and that their personal health information will be accessible to American
governmental bodies such as the Federal Bureau of Investigation, and undermine
national sovereignty.
Background
On January 28, 2002, the government of British Columbia enacted Bill 29, the
Health and Social Services Delivery Improvement Act, S.B.C. 2002, c. 2. Among
its many provisions, the Act, which applies to nonclinical services performed by
health care workers, voids certain provisions of existing collective agreements
with the result that a health sector employer may contract with outside service
providers to perform certain services previously provided by the plaintiffs.
On September 11, 2003, the British Columbia Supreme Court ruled[1] that
the Health and Social Services Delivery Improvement Act was constitutional and
did not violate s. 2(d), 7 and 15 of the Canadian Charter of Rights and
Freedoms. The unions challenging the legislation including the
Health Services and Support Facilities Subsector Bargaining Association
and the B.C. Government and Service Employees' Union (BCGEU) appealed the
decision to the B.C. Court of Appeal, and although a ruling of that court is
pending, it is unlikely that the lower court decision will be reversed.
On July 29, 2003, the B.C. Ministry of Health Services announced its intention
to contract with private partners to develop business solutions for the
administrative and technical components of the Medical Services Plan ("MSP")
and BC PharmaCare. (MSP is British Columbia's public health
insurance plan administered under the Medicare Protection Act, and BC PharmaCare
subsidizes eligible prescription drugs and designated medical supplies, and
provides financial assistance to British Columbians under Fair PharmaCare and
other specialty plans.) The provincial government's intention was to
privatize or outsource various administrative health benefits operations,
including services such as: responding to public enquiries; client
enrolment; family status changes; birth registrations; applications for premium
assistance; and processing medical and pharmaceutical claims from health
professionals. On March 31, 2004, the government announced that it was
beginning contract negotiations with Maximus, Inc., an American based
multinational government programs management corporation. A final contract
signing is now targeted for the end of August, 2004. This outsourcing is
not an isolated event, nor is not restricted to the health sector. In
March, 2004, for example, the B.C. Ministry of Management Services selected a
consortium of TELUS Communications Inc., Accenture and Sierra Systems Group, to
take over government payroll operations and information management.
The government sees such a private partnership as a means to modernize the
system, improve customer service, promote efficiency and inject capital
investment into MSP's and PharmaCare's technology infrastructure. Currently,
MSP "customers" cannot fill out forms online for functions such as new
enrolments, changes in status of family members, registrations of babies or
applications for premium assistance, but must mail in those forms for
processing, resulting in the processing of more than 800,000 paper forms
annually. The government has argued that the Ministry of Health Services'
approach to administering MSP hasn't changed significantly in the past 30 years,
despite an 80 per cent increase in population, increased expectations from a
more culturally diverse client base, and the province's expansion of access to
premium assistance to more than 200,000 low income B.C. families.
In seeking to address privacy concerns, the government has stated that:
- it will continue to own
all information, be accountable for services and ensure that personal
privacy is protected;
- the contracted for
solutions will meet or exceed the requirements of the Freedom of Information
and Protection of Privacy Act and Maximus will manage health-care
information in accordance with that Act;
- comprehensive audit and accountability measures will be key components of the contract, along with clearly defined consequences for failing to meet performance expectations, which will be rigorously enforced by the Ministry.
(In January, 2003,
former B.C. Privacy Commissioner David H. Flaherty prepared a privacy analysis
of the outsourcing for the B.C. Ministry of Health Services.[2] The
analysis recommended that, at a minimum, the standards set out in BCFIPPA be
incorporated into any outsourcing contract.)
In an effort to stop the outsourcing to Maximus, BCGEU has launched a court
challenge[3], and seeks injunctive relief to stop the B.C. government from
contracting with the services management corporation. Subsequently, on May
28, 2004, B.C.'s. Information and Privacy Commissioner, David Loukedelis,
launched a public examination[4] of the implications of the USA Patriot Act for
British Columbians' personal information involved in outsourcing of public
services to US linked service providers. He will examine the issues,
provide a public report and offer recommendations to deal with any problems that
may be identified. In addition, the BC-based "Right to Privacy
Campaign"[5] was launched by a diverse group of rights, health, union and
other organizations to demand that the BC government drop its proposed deal with
the Maximus corporation because of the privacy implications of the USA Patriot
Act.
USA Patriot Act Issues and Concerns
Provincial labour unions understandably see privatization as a significant
threat to the financial interests of their membership. Privacy advocates
see this outsourcing both as a general threat to privacy, and, in the specifics
of the Maximus case, as opening up the personal health information of
British Columbians to unjustified surveillance by the American government.
That concern arises out of several provisions in the USA Patriot Act, which
expands government powers of surveillance and search and seizure in order to
combat international and domestic terrorism. Of particular concern is sec. 215
of the Act, which amends Title V, sections 501 through 503 of the Foreign
Intelligence Surveillance Act of 1978 (FISA) (50 U.S.C. 1861 et seq.). The key
provision in sec. 215 is the amendment of sec. 501 of FISA. (Sec.
502 provides for semiannual Congressional oversight and sec. 503 was repealed.)
Sec. 501 of FISA, as amended, deals with access to certain business
records for foreign intelligence and international terrorism investigations, and
authorizes the American Federal Bureau of Investigation to apply to a designated
Judge or magistrate for an order requiring the production of any tangible things
(including books, records, papers, documents, and other items) for an
investigation to protect against international terrorism or clandestine
intelligence activities. The statute is broadly worded, and would on its
face include all types of companies and records, including medical and
administrative records.
An investigation conducted under this section shall be conducted under
guidelines approved by the Attorney General under Executive Order 12333[6] and
the investigation of a United States person is not conducted solely upon the
basis of activities protected by the first amendment to the Constitution. (The
First Amendment states: Congress shall make no law respecting an
establishment of religion, or prohibiting the free exercise thereof; or
abridging the freedom of speech, or of the press; or the right of the people
peaceably to assemble, and to petition the government for a redress of
grievances.) Sec. 501 as amended also provides for nondisclosure, to
the effect that no person shall disclose to any other person, other than those
persons necessary to production, that the Federal Bureau of Investigation has
sought or obtained tangible things under the section.
Because Maximus is an American corporation, it is subject to the provisions of
sec. 215 of the USA Patriot Act and the amended sec. 501 of FISA.
If the proposed MSP contract is with the American arm of Maximus (Maximus
US) and if the health data of British Columbians is physically stored in the
United States as part of the performance of the MSP/PharmaCare contract, then it
could be seized under court order by the FBI as part of a terrorist
investigation, without Canadian government involvement and without knowledge of
the persons involved. This would be tantamount to extraterritorial
application of American law to Canadian residents, and very troubling. And,
in order for Maximus to realize the necessary economies of scale, it is likely
that Maximus affiliate data will be warehoused and processed, at least in part,
in the United States, although this has not been determined.
If, however, a Canadian affiliate of Maximus (Maximus CAN) contracts with the
British Columbia government and the data is stored in entirely in Canada, the
issues become more subtle. Maximus CAN would not be directly subject to a
sec. 215 order, nor would the data be directly accessible to the American
parent. Presumably, however, the parent corporation would, as a practical
matter, have hierarchical authority over the affiliate and could order the
latter to deliver the requested data to the United States.
Jameel Jaffer of the American Civil Liberties Union argues that while there is
no specific American case law deciding whether an American company served
with a sec. 215 order could be forced to disclose information held by a Canadian
affiliate, cases such as Hunter Douglas Inc. v. Comfortex Corp[7], involving a
subpoena served on United States companies with foreign affiliates, suggest that
the test to determine whether a corporation has custody and control over
documents located with an overseas affiliate is not limited to whether the
corporation has a legal right to those documents, but rather focuses on whether
the corporation has "access to the documents" and the "ability to obtain the
documents." If that reasoning was applied to a warrant under sec. 215,
then Maximus US would likely be held to have access and control to MSP data,
regardless of where it was physically housed, and required to access and deliver
the relevant records. Because sec. 215 appears to lack any mechanism for
review of the order, and because disclosure of the order is prohibited, both
Maximus US and Maximus CAN would be placed in a very difficult legal and
logistical situation. The negotiation of a contract that restricted access
to the documents by Maximus US would be difficult, and perhaps ultimately,
financially and logistically impractical.
How the legal issues will unfold remains to be seen, but it is worth noting
that, unless it is renewed, the USA Patriot Act will expire in 2005. Stay
tuned.
End Notes
Riley Information Services Inc will present a one day seminar on Health Privacy
in Ottawa, Canada on September 17, 2004. For further details go to:
www.rileyis.com/seminars/index.html
1. Health Services and Support Facilities Subsector Bargaining Assn. v.
British Columbia (2003), 19 B.C.L.R. (4th) 37 (B.C.S.C.)
2. See www.healthservices.gov.bc.ca/msp/privacy_review.pdf
3. British Columbia Government & Services Employees' Union (petitioner)
v. The Minister of Health Services & The Medical Services Commission
(respondents), British Columbia Supreme Court, Victoria Registry No. 040879.
4. Request for Submissions, www.oipcbc.org/new/21120publicinvite.pdf
5. www.righttoprivacycampaign.com
6. See www.cia.gov/cia/information/eo12333.html
7. 1999 WL 14007 (S.D.N.Y. 1999).
* David Keeshan is a lawyer and author of, inter alia, The Law of Search
& Seizure in Canada, 5th Ed., published by Butterworths Canada.
Thomas Riley is available for consultations, preparation of reports, presenting workshops or delivering speeches at conferences and seminars on e-government, e-governance and e-democracy. Please contact me at the email address below for further details.
Thomas B. Riley
Executive Director and Chair
Commonwealth Centre for E-Governance
www.electronicgov.net
Visiting Professor, University of Glasgow
President, Riley Information Services Inc.
www.rileyis.com