Access to medical information
8.1 The duty of disclosure under section 21A of the Insurance Contract
Act 1984 (Insurance Contracts Act) requires a person applying for insurance
to disclose relevant matters, such as their medical history, to an insurer. The
disclosure of relevant matters required by this duty allows an insurer to have
access to the information necessary to determine through a risk assessment
whether a person can be provided with insurance and, if so, the level of the insurance
8.2 In order to facilitate the disclosure process regarding a person's
medical history, life insurers request authorisation to access a consumer's
medical information. This request for authorisation may occur at the time a consumer
acquires a life insurance policy and also at the time of making a claim. The request
for authorisation is usually accompanied by information on the life insurer's
may be shared. The amount and type of medical information a consumer authorises
a life insurer to access and share is typically broad, particularly at the time
of policy acquisition. Such broad authority is obtained by life insurers regardless
of the nature or type of the life insurance policy.
8.3 This chapter begins by examining how life insurers receive authorisation
to access a consumer's information. This is followed by consideration of why
life insurers require a consumer's medical information as well as concerns
raised with the committee regarding the breadth of medical information that life
insurers can access. How medical information is used during the claims handling
stage is examined in Chapter 8 of this report.
8.4 The Privacy Act 1988 (Privacy Act) and the 13 principles known as
the Australian Privacy Principles (APPs) govern how a life insurer who is an
APP entity can obtain, store and share the information with other parties. Under the Privacy Act and the APPs, medical information has the special status
of 'Sensitive Information'.
8.5 Under APP 3, life insurers must only collect information where it is reasonably
necessary for the functions of the organisation and a consumer has consented to
the collection. The Office of the Australian Information Commissioner (OAIC) explained to the
committee that consent must be informed, voluntarily given, up-to-date and
provided by an individual who has the capacity to understand and communicate
8.6 Where an APP entity receives information that it did not solicit and the
organisation determines that it could not obtain such information in line with
the requirements of consent and reasonable necessity, the information must be
de-identified or destroyed.
8.7 APP 11 requires that an APP entity ensure the security of the personal
information it holds and actively consider whether it is allowed to retain
personal information. Reasonable steps must be taken by an APP entity to protect information from
interference, loss or misuse, unauthorised access, disclosure or modification. Steps that are reasonable for an entity to take depend on factors such as the
size and resources of the entity, the amount of information held, the consequences
for an individual if the information is released, and the practical
implications of implementing security measures.
8.8 APP 8 and section 16C of the Privacy Act establish a framework for APP
entities disclosing personal information across borders. However, the framework
does not apply where an individual has consented to a secondary use of the
information, such as the disclosure of the information to overseas recipients or
8.9 While the OAIC does not have data specific to the life insurance
industry in terms of breaches of the APPs, it provided the committee with data on
breaches and investigations for financial services (including superannuation)
and the insurance industry as a whole.
8.10 Such data applied to all information received, not just medical
information. The data indicated that in 2016–17, 366 breaches were reported to
the OAIC in relation to financial services (including superannuation) and 94
reports of breaches were received in relation to insurance. However, as
breaches are to be reported to the OAIC only after the complainant has tried to
resolve the matter with the organisation it claims has carried out the breach,
it is unclear how many actual breaches there were in 2016–17.
8.11 In terms of investigations carried out by the OAIC in 2016-17,
86 investigations were conducted into the financial services sector
(including superannuation) and 41 investigations were conducted in relation to
the insurance industry.
8.12 In the last five years one privacy complaint against an insurer was
determined by the Information and Privacy Commissioner. This case involved the sharing of a customer's tax file number with a third
Authorisation to access medical information
8.13 The Financial Services Council's (FSC) Life Insurance Code of Practice
(Code) is a self-regulatory regime that contains a series of clauses pertinent
to accessing medical information.
8.14 In order to facilitate the disclosure process as required under the Insurance
Contracts Act, clause 8.6 of the Code states that life insurers are to obtain a
general authority from consumers to access information from parties such as a person's
doctor. The clause further outlines that the general authority is to only be used by
the insurer to obtain information that is relevant to the policyholder's claim.
8.15 While clause 8.6 allows a person to deny an insurer authorisation to
access their medical information, it is noted within the clause that such a refusal
may delay the assessment of a claim or mean that a claim cannot be assessed at
8.16 A number of life insurers provided the committee with the forms used to
obtain the general authority described in clause 8.6 of the Code as well as
their privacy statements. The forms demonstrated that the authorisation obtained by life insurers for
access to medical information can be presented to consumers as a standalone
form often titled 'Medical Authority' or as part of a form often titled
'General Authority' or 'Authority'. 'General Authority' or 'Authority' forms may relate to medical information as
well as other types of information.
8.17 The forms and privacy statements received by the committee also demonstrated
a difference in language used by insurers and distributors, as well as across
different insurance products. While not limited to the below, differences also
appeared in relation to:
- the types of third parties that will also have access to a consumer's
information, including companies based overseas; and
- the level of explanation provided to a consumer regarding the
8.18 In terms of third parties who can access a consumer's information, life
insurers' privacy disclosure/policy statements provided to consumers at the time
of claim varied and included the following statements:
- To assist us with the purposes outlined above, we may disclose
information collected to our related companies or with third parties including
our re insurers, advisors, medical service providers and claims investigators.
Some of the related companies we may disclose personal information to may be
located overseas including the United Kingdom, India, the United States of
America and Switzerland.
- We may also disclose your personal information overseas to
countries in certain circumstances that are likely to include India and USA.
- We are unlikely to send your personal information to any foreign
jurisdiction and we take steps to ensure our service providers don't either.
8.19 It is not clear from the privacy statements submitted to the committee
whether the information disclosed in the above circumstances would include
sensitive information, such as medical information.
8.20 The forms also provided examples of how much information a consumer was given
at the time of claim included:
- Declaration and consent: I/We have read and consent to the handling,
collection, use and disclosure of my/our personal and sensitive information in
access and correct information we hold about you, how you can complain about a
breach by us of your privacy rights and how your complaint will be handled. It
also contains a more comprehensive list of countries to which your information
may be disclosed and will be updated regularly.
- You may contact our Privacy Officer in relation to your personal
information (or to opt out of marketing) on 1300
363 159 or email@example.com
8.21 A common element present in almost all of the authorisation forms
received by the committee was the broad nature of the general authority
obtained by life insurers to access all of a consumer's medical information,
regardless of the nature of the life insurance policy purchased or the claim
made. The following examples demonstrate this:
- I/We hereby authorise any medical practitioner, medical provider,
health professional, hospital, dentist or other person who has attended me/us,
to release to AIA Australia Limited or
its representatives all information with respect to any sickness or
injury, medical history, consultations, prescriptions, or treatment and copies
of all hospital or medical records.
- Medical Authority: I [NAME] agree that any medical practitioner,
health care professional, hospital or other health service provider, whether
named by me or not, who has been consulted by me, shall be and is hereby
authorised and directed by me, to divulge to the insurer, or the insurer's
agent all medical or surgical information he/she may have acquired with
regard to myself.
- Policy Owner/Life Insured's consent to obtain a medical report: I
hereby consent to St Andrew’s and FlexiSure being provided with medical
information, including copies of any medical reports, clinical reports or
otherwise, from any Medical Practitioner who at any time has attended me
concerning anything which affects my physical or mental health.
8.22 During the inquiry, the committee became aware that life insurers were unsure
of the amount of consumer's information that they held in storage. The
committee received evidence from life insurers regarding the fact that, while
they adhered to the requirements of the Privacy Act, life insurers were unable
to determine the amount of personal sensitive information, including a person's
complete medical record, that they had in their possession.
8.23 As a consumer has to provide a broad authority to each insurer with whom
they take out a policy, the committee understands it is likely that, to the
extent that individuals have more than one life insurance policy, those
individual's full medical records may be held by more than one life insurer.
8.24 Mr Peter Kell, Deputy Chairman, and Mr Michael Saadat, Senior Executive
Leader at the ASIC, while not necessarily presenting an argument for or against
the use of a broad general authority by life insurers, acknowledged the
complexity of the issue due to the contractual and statutory requirements of
Arguments for a broad authority to access medical information
8.25 The FSC expressed the view that the duty of disclosure requires a broad
authority to ensure that there is a factual basis from which claims can be
managed. A broad authority at the time of application also ensures that enough
information is obtained at the underwriting stage for risk assessment so that
requests for information are limited at the claims stage. AMP submitted a similar view noting that a broad authority may prevent delays
to an application or a claim.
8.26 The FSC explained that while a broad general authority allows an insurer
to obtain all of a consumer's medical information, such access is not unfettered
or unregulated as processes are in place to ensure an excessive amount of
medical records are not obtained. Additionally, Zurich Financial Service Australia Limited (Zurich) believed that
the consumer understands that the insurer's need for as much information as
possible is in the consumer's best interest.
8.27 Beyond these general statements, however, the main reason put forward by
the FSC and life insurers, such as Zurich and CommInsure, for a broad general authority
to access medical information is to enable an insurer to pool risk and prevent
anti-selection due to information asymmetry.
8.28 Zurich explained that at the foundation of insurance is the principle of
pooled risk. This means that, rather than an individual bearing a financial risk if a
certain event occurs, the individual is able to be a part of a pool with other
insured people, thus allowing for the risk to be spread amongst the insured
8.29 However, in order for the pool to be sustainable and equitable for its
members, the premium paid by an individual within the pool must appropriately reflect
the individual's level of risk.
8.30 For this risk to be accurately priced, the risk must be assessed by the
insurer. This is known as a form of underwriting as outlined in chapter 2 of
this report. The insurer requires as much information as possible in order to
assess risk during the underwriting stage and will consider factors such as gender,
age, occupation, and smoker status.
8.31 Insurers will also consider whether the individual's risk warrants
certain exclusions in their insurance cover or a denial of insurance cover
8.32 Accurate pricing of risk ensures that more affordable cover is
available, the risk pool is sustainable, and the life insurer is able to pay
8.33 Zurich was of the view that thorough underwriting that accurately
assesses risk will, in turn, reduce the pressure on public health and social
8.34 Both the FSC and Zurich explained that anti-selection will occur where
an insurer cannot accurately price risk due to limited information provided by
8.35 Furthermore, anti-selection is not equitable to others in the pool because
premiums will be increased to cover an individual risk that was not initially
assessed. This in turn can affect the sustainability of the pool to pay claims as policyholders
are likely to exit the pool in response to increased premiums.
Anti-selection may also cause underinsurance for certain sections of the community.
8.36 The importance of insurers having access to as much information as
possible in order to determine and price risk accurately was also acknowledged
by the Productivity Commission in its report Data Availability and Use.
8.37 The Productivity Commission's report noted that economics has long
recognised information asymmetry (the consequence of not sharing enough
information) as detrimental to competitive markets. The Productivity Commission also noted that sharing information can alleviate
such information asymmetries and allow for both competition amongst suppliers
and appropriately priced products.
8.38 The Disability Discrimination Act 1992 (Disability Discrimination
Act) is intended to ensure that people with disabilities have the same rights as
the rest of the community and to eliminate, as far as possible, discrimination
against persons on the grounds of disability. Nonetheless, the Disability
Discrimination Act allows the insurance industry to uphold the principle of pooled
risk by allowing insurers, in some instances, to use medical information to
accurately price risk and make decisions about a policyholder.
8.39 Treasury informed the committee that section 46 of the Disability
Discrimination Act provides an exemption to insurers in some situations. The broad effect of this exemption is that insurance premiums and/or policy
terms are permitted to vary according to variations in factors that affect
risk, including, as previously explained in this chapter, the age and gender of
the insured. In order to be able to rely on this exemption, insurers must base
their decision on actuarial or statistical evidence and, in the case where no
such evidence exists, have regard to other relevant factors. Additionally, some accountability is provided by Section 107 of the Disability
Discrimination Act which gives the Disability Discrimination Commissioner the
power to require an insurance company to present the actual or statistical data
or risk being found to have breached the law.
8.40 As set out in this and the prior section, the evidence from both the FSC
and life insurers shows that the words used by insurers in their forms actually
requests as much information as possible from consumers. However, in contrast
to the wording contained in the medical request forms and the reasons given by
various life insurers, Ms Sally Loane, Chief Executive Officer of the FSC, appeared
to contradict the position that the FSC had previously put forward. Appearing
before the committee on 1 December 2017, Ms Loane stated that life insurers do
not want 'to go through more information than they need to assess an
application or a claim'. Instead, Ms Loane said that life insurers only want
information pertaining to specific issues.
8.41 The FSC also expressed that they 'are committing to reframe [clauses]
8.5 and 8.6 [of the Code] because we do understand the concerns'. Ms Loane stated that the life insurance industry would welcome a
recommendation from the committee that the industry develop a framework with
the Royal Australian College of General Practitioners (RACGP) for GPs and
insurers to use when determining what information should be provided to the
insurer. This framework would be included in the next iteration of the Code.
Arguments against a broad authority to access medical information
8.42 The committee received evidence from medical organisations and mental
health advocacy organisations that raised various concerns about life insurance
companies having a broad authority to obtain copies of patient medical records,
including consultation notes. These concerns included:
- the appropriateness of life insurers gaining access to
potentially highly sensitive but not necessarily relevant personal medical
- the difficulty for a medical practitioner in determining whether
the release of complete medical records would be in the patient's best
- the difficulty in determining whether a patient's prior consent
to release medical information can reasonably be taken to be up-to-date;
- the risk that doctors may under-document a patient's condition in
their consultation notes because of concerns about how a life insurer might use
or misinterpret certain information; and
- the risk that a patient may not fully disclose their condition,
for example, mental health, for fear of how a life insurer might use that
information to assess cover or a subsequent claim.
8.43 Dr Edwin Kruys, Vice President and Chair of the Royal Australian College
of General Practitioners (RACGP) Queensland, explained the difference between
'medical records' and 'medical reports'. He told the committee that 'medical
records' reflect a patient's encounters with a GP and can include reports and consultation
notes. By contrast, 'medical reports' are prepared by GPs after they have reviewed
'medical records' and may contain facts and opinion, where an opinion is
requested by a third party.
8.44 Dr Bastian Seidel, President of the RACGP, explained that while a
medical record may contain a diagnosis of a patient, it will not necessarily include
a prognosis. Dr Seidel emphasised the vital importance of a prognosis when
considering a patient's future risk of illness and life expectancy because it
may take account of treatment options and lifestyle changes.
8.45 Zurich stated that they only ask for medical reports on a customer's
medical history during the underwriting stage for risk assessment. However, the RACGP shared its belief that there has been a movement by life
insurers towards requesting whole medical records due to the lower costs associated
with accessing a full medical record compared to obtaining a tailored report. Dr Kruys noted that currently 50 per cent of requests for medical information
made by life insurers are for whole medical records rather than medical reports. Furthermore, Associate Professor Stephen Bradshaw, a Practitioner Member of the
Medical Board of Australia, suggested this may be higher indicating that he has
'never had a targeted inquiry'. Dr Seidel was firmly of the view that the cost of a medical record should not
be a relevant consideration in terms of determining whether a medical record or
a medical report should be obtained by an insurer. In this regard, Dr Seidel
noted that 'a patient's medical record is not a tradeable commodity'.
8.46 The committee also heard concerns from medical bodies in relation to how
a broad authority will apply to electronic health records. Ms Anne Trimmer,
Secretary General, Australian Medical Association (AMA) raised with the
committee the possibility that electronic health records alongside a broad
authority will present a further challenge for a GP and/or treating doctors who
will have to collate all reports placed on the electronic record by different
doctors. This will mean that what the current GP or treating doctor provides to the
insurer will consist of documentation outside of their relationship with the
8.47 MDA National, a Medical Defence Organisation informed the committee that
it does not record the exact number of times its members ask for assistance
regarding an insurer's request for patient records. However, MDA National did confirm that it provides such assistance to GPs every
8.48 In terms of the advice provided to its members, MDA National explained
that this broadly involves assisting its members in identifying what has been
specifically requested and whether patient consent has been granted.
8.49 The Medical Indemnity Protection Society also stated that they regularly
provide advice on this matter but noted there has been no increase in requests
for advice. Medical Insurance Group Australia, another Medical Defence Organisation, also
noted that it has not seen an increase in the number of requests for advice.
8.50 Dr Kruys raised concerns about the appropriateness of life insurers having
access to full medical records:
For any organisation or business, we would find it
inappropriate if you would ask your customers to provide information about
their sexual health, for example. Yet insurers requesting all this information,
including sexual health and other intimate information, that's stored in that
record is apparently appropriate.
8.51 Associate Professor Stephen Bradshaw, a Practitioner Member of the
Medical Board of Australia, highlighted that ultimately the problem of
providing full medical records is of an ethical nature. For Associate Professor
Bradshaw, a broad authority places GPs and other medical doctors in an
invidious position in that doctors are being asked to provide information to
life insurers that may not be in the best interest of the patient.
8.52 This difficulty in determining whether the release of medical records
would be in the patient's best interest is compounded by the fact that the
issue of consent in relation to insurers' access is fraught, as such consent
can be out-dated and provided to an insurer prior to any specific insurance claim
8.53 Dr Kruys drew the committee's attention to the experiences of RACGP
members that have been required to explain to patients that an insurer having
access to their medical information could lead to higher premiums or their
claims being denied. The committee also heard that where a GP explains to the patient what they were
actually consenting to, a number of patients withdraw their consent. However, Ms Trimmer and Associate Professor Bradshaw pointed out that most
doctors would not have the time to have such a conversation with their
8.54 MDA National asked the committee to consider recommending a requirement
that life insurers must inform the patient/policyholder of any requests they make
for the patient's/policyholder's medical records and provide the
patient/policyholder with the opportunity to say no to such a request.
8.55 This approach would be similar to how parties in litigation are informed
when a subpoena is issued to a third party. It was MDA National's belief that such a requirement placed on insurers would
provide 'greater certainty for medical practitioners who are the subject of
such requests, often where the issue of consent is not clear'..
8.56 The committee also heard that GPs may be under-documenting a patient's
risk for fear of what consequences this would have for a patient to obtain
insurance or make an insurance claim.
8.57 For example, the RACGP explained to the committee that consultation
notes are not created for the purpose of a life insurer to assess an
individual's risk. Rather, as Dr Kruys explained to the committee, 'consultation notes are…a
comprehensive written record of the conversations that have taken place,
containing sensitive information to support us when providing quality care'.
8.58 However, the inclusion of consultation notes in the documentation
provided to life insurers under a broad authority places GPs in a difficult
situation where they want to record a patient's consultation appropriately and
in line with 'medico-legal' obligations, but must also consider the broader
impact such notes will have on a patient, such as obtaining insurance or making
an insurance claim.
8.59 In addition, the RACGP noted that its members are concerned about life
insurers misinterpreting consultation notes, and the risk this poses for both
GPs and patients.
8.60 In this regard, the forms provided to the committee from life insurers
illustrated the following references to clinical notes at the time of a
customer making a claim:
- I /we authorise any treating doctor, physician, rehabilitation
specialist or other medical or health care provider, ambulance service,
hospital, police, social security or other government department, workers
compensation insurer, employer, accountant, other insurer (or entity providing
insurance type services), to provide/release to ClearView
Life Assurance Limited all medical information… I am / we are aware that
clinical notes, or part of the clinical notes, will inevitably include
confidential medical information, which is irrelevant to the claim.
- I hereby authorise Zurich to provide my personal information (which may including sensitive or health
information) to any physician, hospital or any other health care provider that
has attended or examined me in order for them to supply Zurich with full particulars of my medical history, including
copies of all hospital or medical records, referral letters, reports and
details of any clinical notes that have been made.
8.61 Dr Kruys observed that GPs, or any other medical doctor, are subject to
legal and ethical obligations to produce truthful medical reports that do not
omit important issues.
8.62 In addition to the concerns raised above regarding the risks to overall
patient welfare posed by the release of full medical records including
consultation notes, Dr Kruys and Dr Seidel were of the view that a
targeted medical report would be more appropriate for insurers as the
information contained in the report would be easier to apply a risk assessment
to, rather than a life insurer potentially having to consider years of raw
8.63 In light of the above, both the RACGP and the AMA argued that life
insurers should only be authorised to obtain targeted medical reports rather
than complete medical records.
8.64 In terms of how a broad authority affects patients, Dr Stephen Carbone,
Policy, Research and Evaluation Leader at beyondblue, expressed the view that
patients may be reluctant to share their problems with GPs for fear of how insurers
will use the information when deciding whether to provide cover or when
assessing a claim. Such fears seem to be particularly related to mental health conditions being
used to deny cover or a claim unrelated to mental health. The committee was told that this may lead to patients not receiving adequate
treatment or appropriate care for mental health conditions.
8.65 In terms of being able to purchase life insurance, it was pointed out to
the committee that a beyondblue study found that 67 per cent of the study's
participants 'agreed it was difficult to obtain life and income protection
insurance' due to mental health conditions.
8.66 Furthermore, the study noted that while people with mental health
conditions can obtain life insurance, this at times is at a higher cost due to
mental illness or through a policy that has mental health exclusions.
8.67 Ms Nadine Bartholomeusz-Raymond, General Manager of Education, Families
and Diversity and Access at beyondblue, told the committee that it is not just
having a mental health condition that may make it difficult to obtain insurance,
but also the fact that a person may have seen a counsellor once and this was
documented in consultation notes. Such documentation was claimed to be used by insurers to deny access to
insurance products. Claims handling is discussed in detail in chapter 10 of this report.
8.68 The RACGP, beyondblue and the Royal Australian and New Zealand College
of Psychiatrists (RANZCP) pointed out that the way in which a person's mental
health information is used by an insurer for risk assessment purposes is
8.69 Specifically, these groups believed that it is unclear what data is
being used by insurers to make underwriting decisions that include assessment
of mental health information, whether such data is up to date, and if the data
reflects the fact that mental illness takes many forms and affects individuals
8.70 Ms Michelle Marie Cohen, Senior Solicitor at the Public Interest
Advocacy Centre, shared similar concerns and Ms Alexis Goodstone, Principal
Solicitor at the Public Interest Advocacy Centre, added that she believed these
concerns relate to a range of insurers.
8.71 In its response to the concerns raised about the use of mental health
information by life insurers, the FSC informed the committee that it is very
rare for a blanket exclusion to be in place for pre-existing mental health
conditions when applying for life insurance. Furthermore, the FSC was not aware
of any of its members denying complete insurance coverage due to pre-existing
mental health conditions.
8.72 In addition, the FSC submitted that there is a range of life insurance cover
that is available for mental health.
8.73 The FSC also stated that while most insurance providers meet their legal
obligation to clearly explain the duty of disclosure to consumers, the
misunderstanding regarding blanket exclusions and mental health conditions
reflected a need for greater education of consumers.
8.74 In this regard, the FSC explained it is creating a key fact sheet to
improve consumer understanding regarding disclosure for insurance within
8.75 The committee agrees with the view put to it by ASIC that the issue of
life insurers accessing a broad range of a consumer's personal information is
complex due to the statutory requirements for consumers to disclose relevant
information to an insurer.
8.76 The committee notes the evidence it received from the Financial Services
Council and from life insurers explaining the principles of pooled risk and
underwriting that underlie insurance and why this serves as a justification for
a broad general authority to access a customer's medical information.
8.77 The committee further notes the claim made by life insurers that while a
broad range of information may be obtained, life insurers only use information
that is relevant to assessment of a policyholder's risk.
8.78 However, it remains unclear to the committee why approximately half of
life insurers ask for complete medical records considering the assertion made
by the industry that only relevant information is used by the insurer. The
committee believes that the view that this is a less expensive way of obtaining
information is insufficient justification.
8.79 It is also unclear how information within the records is both determined
to be relevant and assessed for risk purposes, particularly in relation to
mental health. The committee discusses and makes recommendations on the assessment
of mental health issues during the claims process in chapter 10.
8.80 While the committee acknowledges that life insurers have not been found
to have breached Australian Privacy Principles in relation to the access and
sharing of a consumer's information, the committee is concerned that life
insurers are unable to determine the number of full medical records kept in storage.
This is problematic when not all of the medical information requested or
received by life insurers is required to determine a claim. It is also particularly
problematic that, in some instances, insurers may share information with third
parties overseas, the extent and oversight of which is unclear.
8.81 The committee notes that the authorisation forms used by life insurers
vary between insurers and products, and that consumers are offered an
opportunity to decline to provide life insurers with a broad authorisation to
access medical information. However, declining to provide a broad authorisation
may lead to delays in the approval of an application or a claim. Given the
consequent risk of delay, the committee questions whether the option to decline
to provide a broad authority actually represents a genuine choice for consumers.
In fact, the tone and language of the current FSC Code does not reflect
assertions by the industry that full medical records are rarely required.
8.82 Chapter 3 of this report considered consumer protections in the
financial services sector, including life insurance. As set out in chapter 3,
the committee recommended legislative reform such that consumer protections would
apply to all insurance. As such, the committee is of the view that forms
requesting access to a consumer or policyholder's information should be subject
to consumer protections including laws on unfair contract terms. Where the
forms requesting such access do not form a part of the contract, the committee
considers that the forms should be brought into the insurance contract so that
consumer protections apply.
8.83 The access of life insurers to full medical records and related
documentation rather than targeted reports has placed medical doctors,
particularly GPs, in an invidious position. Evidence to the committee from
medical organisations emphasised the ethical dilemma that medical practitioners
face in terms of having to provide information to life insurers that may not be
in their patients' best interest.
8.84 The committee is very concerned about evidence provided that patients
are reluctant to seek necessary treatment, particularly for mental ill health,
due to concerns over life insurers having access to their full medical record
and then using such information to limit or deny coverage or a claim.
Individuals should not have to trade off financial stability, which could be
secured through life insurance, against their health.
8.85 Based on the evidence provided to the committee about the effect a broad
authorisation has on both GPs and patients, as well as the questions raised
regarding the utility of insurers obtaining all of a consumer's medical
information, the committee is firmly of the view that life insurers should only
have access to targeted information.
8.86 This more targeted approach will ensure unnecessary information is not
kept in storage and will protect the privacy of individuals. It should also improve
the doctor-patient relationship, ease some of the ethical burden placed on GPs,
and no longer impact on an individual's decision to seek treatment.
8.87 In relation to informed and up-to-date consent, the committee notes the
need for medical practitioners, particularly GPs, to be sure that their patient
is aware that they have provided consent to a life insurer to access their
8.88 The committee agrees with MDA National's position that a life insurer
should inform the patient/policyholder when the life insurer requests access to
a patient's medical records, reports or other medical information. In addition,
the committee is of the view that a life insurer should inform the patient/policyholder
when the life insurer seeks to provide their medical information to any third
party, including any overseas third party. The committee
feels that this would be best served by progressing to a system of real-time
disclosure that would allow consumers to track the progress of their claim.
8.89 The committee considers that the interests of consumers are paramount,
but recognises that two competing consumer interests at play, namely the
consumer's interest in privacy and the consumer's interest in reduced costs.
8.90 The committee is also of the view that doctors have a responsibility to
only provide the information that is requested and not provide a patient's full
medical record, particularly as doctors also have a responsibility to protect
the privacy of their patients.
8.91 The committee is also of the view that a patient/policyholder should
have the opportunity to decline a request for medical information, including
the provision of that information to a third party. The committee acknowledges
that any objection to the release of medical information may affect the
assessment of a claim. In this regard, the committee is of the view that requiring
life insurers to request a medical report rather than having access to full
medical records would substantially alleviate any possibility that a
patient/policyholder would deny access to medical information relevant to the
proper determination of a claim.
8.92 The committee notes that data storage in the life insurance industry is
currently regulated by APRA and the National Privacy Principles. These
cover onshore and offshore arrangements.
8.93 The committee recommends that:
- the Financial Services Council and the Royal Australian College
of General Practitioners collaborate to prepare and implement agreed protocols
for requesting and providing medical information;
- the Financial Services Council develop a uniform authorisation
form for access to medical information at the time of application and at the
time of claim that must be used by all of its members;
- this uniform authorisation form explain to
consumers/policyholders in clear and simple language how information will be stored
and used by third parties; and
- a consumer/policyholder should be able to use the same uniform
authorisation form between different life insurers and different life insurance
8.94 If the Financial Services Council and the Royal Australian College of
General Practitioners have not agreed to protocols within six months, the
committee recommends that at the time of application, life insurers must only
ask a consumer's General Practitioner, or other treating doctor where relevant,
for a medical report specific to the consumer's relevant medical conditions. In
circumstances where such a report cannot be prepared, life insurers cannot ask
for access to clinical notes regarding the consumer/policyholder.
8.95 If the Financial Services Council and the Royal Australian College of
General Practitioners have not agreed to protocols within six months, the
committee recommends that at the time of a consumer/policyholder making a claim,
life insurers can only ask a policyholder's General Practitioner, or other
treating doctor where relevant, for a medical report that is specifically
targeted to the subject matter of the claim. In circumstances where such a
report cannot be prepared, life insurers cannot ask for access to clinical
notes regarding the consumer/policyholder.
8.96 If the Financial Services Council and the Royal Australian College of
General Practitioners have not agreed to protocols within 6 months, the committee
recommends that life insurers must obtain consent from a policyholder each time
it intends to:
- request a policyholder's medical records, reports or other
medical information from their General Practitioner or other treating doctor;
- share a policyholder's information with a third party.
8.97 The committee recommends that the Financial Services Council, in
discussion with the Royal Australian College of General Practitioners, update
the Life Insurance Code of Practice and relevant Standards to reflect
Recommendations 8.1, 8.2, 8.3, and 8.4.
8.98 The committee recommends that if insurance contracts are to be subjected
to consumer protections, including laws on unfair contract terms:
- where the authorisation form for a life insurer to access a
consumer's/policyholder's medical information is within the insurance contract,
consumer protections apply, including laws on unfair contract terms; and
- where the authorisation form for a life insurer to access a consumer's/policyholder's
medical information is outside of the contract, authorisation forms are to be
brought within the contract to allow for the application of consumer
protections, including laws on unfair contract terms.
8.99 The committee recommends that it become the practice of life insurers to
institute real-time disclosure that would allow consumers to track the progress
of their claim.