Insurers’ right to know: a line is drawn
Do insurers have an unimpeded right to see your complete medical record? A UK regulator has just ruled that they don’t and told the insurance sector “to ensure that future use of medical records is in line with the law.” So what are the implications of this ruling for insurers?
As I outlined in this post last month, the British Medical Association asked the Information Commissioner’s Office (ICO) to consider whether insurers are able to use a patient’s rights to make a subject access request (SAR) to their doctor in order for the insurer to obtain a copy of their full medical record. The reason for them so doing were partly financial, but mainly to get as much information about their proposer as possible.
The ICO’s ruling has important implications for insurers on two fronts. I’ll look at one in this post and the other in the next post. On the first front, it confirms that insurers don’t have an unimpeded right to know. ‘Lifestyle underwriting’ may create a mindset that says underwriters need to know everything about a customer, on the basis that there may be something in all that information that could affect the risk being insured, but the ICO doesn’t agree, labelling insurer’s use of SARs as “inappropriate and an abuse of that right.”
The ICO has reminded insurers that they already benefit from special rights to access medical information and told them to stick to established processes that balance the interests of patients, doctors and insurers. Yet medical records are not the only information that proposers might find sensitive: some might view information about their financial or legal history as sensitive (and if questions like ‘what have they got to hide’ come to mind, read this). Indeed, in some US states, insurers are specifically barred from using policyholders’ credit ratings.
So what should insurers do, other than, as one insurer rather cheekily phrased it, to no longer “offer” the SAR option they’d “introduced”? They need to look at their big data strategy and make sure that it incorporates the type of ethical and compliance processes that ensure that legal boundaries are respected. Clearly the ICO has found these lacking. My fear is that where compliance failures exist, things like integrity will be even further off management’s radar.
Those in charge of big data strategies may see integrity as somewhat remote from their day to day work. That would be a mistake, given the way the Prudential Regulation Authority’s (PRA) thinking on the ‘Senior Insurance Managers Regime’ is going. Their ‘supervisory statement’ issued last week clearly expects insurers with information technology as a key function (are there insurers where it’s not?) to bring it within their frameworks for ensuring individual accountability to the PRA’s conduct standards. Conduct standard number one is ‘You must act with integrity’ and, as the regulator rather pithily puts it, “the PRA does not expect to have to describe what is meant by acting with integrity”.
Taking these lines from the PRA and ICO, the ball seems to be firmly in the insurers’ court to establish what ‘acting with integrity’ means in relation to big data. In view of the Financial Conduct Authority’s forthcoming thematic review of big data, this isn’t something that should be left to a rainy day, otherwise the insurance sector risks exposing their big data plans to expensive disruption. And that is just what the PRA is looking to avoid.