This report presents the findings of the Privacy Impact Assessment (PIA) of the Health Care Benefits Program. On June 18, 2009, amendments to the War Veterans Allowance Act received Royal Assent expanding the War Veterans Allowance (WVA) Program and associated benefits, including those that fall under the Health Care Benefits Program, to Allied Veterans who served during the Second World War or the Korean War, their survivors and/or their dependents. The expansion of the program afforded the opportunity to perform a Privacy Impact Assessment of the Health Care Benefits Program, including the current expansion to Allied Veterans. This PIA reflects the status of the Health Care Benefits Program as of October 31, 2009.
Health care benefits and services have been extended to Veterans in one form or another since the end of the First World War (1914-1918). Following the Second World War (1939-1945), the Department of Veterans Affairs, newly formed in 1944, recognized the need to provide large scale sustained rehabilitation programs to meet the needs of Veterans who returned home wounded, or had served, and were finding the return to civilian life challenging for various reasons. What resulted was the development of a comprehensive set of programs to address the challenges faced by Veterans, including medical treatments.
About the Privacy Impact Assessment (PIA)
This Privacy Impact Assessment reflects an analysis of the Health Care Benefits Program activities that are delivered by VAC but does not include the claims administration which is handled under contract by a third-party administrator. The scope of this PIA is limited to the Health Care Benefits Program from the point at which a positive eligibility decision under certain programs establishes a client’s eligibility for Health Care Benefits.
Veterans Affairs Canada is committed to protecting the personal information of all clients and has taken the appropriate measures to ensure that the Health Care Benefits Program conforms to the principles of the Privacy Act, its associated regulations and the Treasury Board Secretariat (TBS) Policy on Privacy Protection that govern the collection, use, disclosure, correction, protection, retention and disposal of personal information.
The PIA reviews how personal information is being collected, used and disclosed throughout the life-cycle of the Health Care Benefits Program. PIAs are based on the ten universal privacy principles and are derived from the requirements of the Privacy Act. The Health Care Benefits Program PIA has identified five potential privacy risks.
Risk #1 - Guidance Required Relating to the Collection and Disclosure of Personal Information (Risk Rating: Low)
Issue:
The majority of personal information required to provide authorizations and approvals for benefits and services is collected indirectly from service providers and health care professionals. There is a lack of guidance relating to the collection and disclosure of personal information that could lead to the collection of unnecessary information and the unauthorized disclosure of information.
Management Plan:
This risk is deemed low as there is implied consent provided by the client that the required information may be exchanged to facilitate the delivery of services and benefits when he provides his health card number to a service provider. To minimize the risks associated with this activity and to ensure that the exchange of information is limited to that which is required to deliver services and benefits, information required for the purposes of providing authorizations and approvals will be identified and guidance on the collection, use and disclosure of personal information will be communicated to staff.
Risk #2 - Privacy Notice Statements (Risk Rating: Low)
Issue:
Some of the forms used for the collection of personal information in the Health Care Benefits Program do not have privacy notice statements. For many of the Programs of Choice (POC), forms are not the typical method of collection of personal information. There does not appear to be a documented consistent message to inform clients of their rights with respect to the collection, use and disclosure of information.
Management Plan:
Review and update the privacy notice statements on forms and establish/document notices related to eligibility for Health Care Benefits to conform with Treasury Board requirements and VAC standards.
Risk # 3 - Use of the Agreement and Consent Form (Risk Rating: Medium)
Issue:
The Agreement and Consent Form is used to obtain consent from clients to collect information in relation to varying diagnoses, treatments and services rendered by service providers and health care professionals. The form contains only the date, the client signature and the witness signature, making it difficult to identify the client. There is a lack of clarity regarding how the form will be used, and for how long, and no information is provided about the consequences of a refusal to sign the form. As a result, the client may not be fully informed of his rights.
Management Plan:
The Agreement and Consent Form will be revised to include the necessary client identifiers to enable proper linkage to the correct client and to explain the length of validity. Clear information will be provided to the client that will explain when and how consent will be used.
Risk #4 - VAC's Electronic Systems do not have Disposition Functionality (Risk Rating: Low)
Issue:
VAC’s electronic systems, the Client Service Delivery Network (CSDN) and the Federal Health Claims Processing System (FHCPS), do not have the functionality to perform disposition, which leads to information not being managed completely through its life cycle in accordance with legislative and central agency requirements. While this issue poses no immediate security risk to client information, this practice is a clear violation of both privacy and information management laws and policies.
Management Plan:
This is a departmental risk that is not solely related to the Health Care Benefits Program. At this time, an action plan has been developed that outlines the high level tasks that must be completed in order to address this problem. Progress against this action plan has been made that includes the establishment of retention periods for VAC client information and the development of a proposal for Information Technology prioritization. To ensure continued progress, VAC will develop a more detailed action plan, including cost estimates, for management consideration and business planning.
Risk #5 - Threat and Risk Assessment (TRA) for Safeguarding Personal Information (Risk Rating: Low)
Issue:
A Threat and Risk Assessment (TRA) has not been completed on the Health Care Benefits Program, which may lead to sensitive information not being properly identified and protected.
Management Plan:
The use of existing physical office space, previously used processes and existing staff lowers the probability of a security incident/privacy breach. The Health Care Benefits Program has been in operation for a significant period of time, ensuring that the practices and procedures are well established and understood and ensuring that the privacy of the client is respected. At this time, VAC will accept the risk and monitor the situation. If the situation changes (i.e., processes, systems, etc.), the approach will be re-evaluated.
Conclusion
Although this PIA has identified a number of privacy risks, management plans commensurate with the degree of risk have been developed.