The British Columbia government has signed a $324-million contract to outsource management of the Medical Services Plan (MSP) and Pharmacare program to a U.S. company, renewing concerns around the security of personal medical data.
The 10-year contract with Reston, Virginia-based Maximus Inc. will be delivered by two new Canadian subsidiaries, Maximus BC Health Inc. and Maximus BC Health Benefit Operations Inc. Maximus will provide program management and IT services, including responding to public inquiries, registering clients, and processing medical and pharmaceutical claims.
Concerns were first raised in the spring that outsourcing the program to a U.S. company could lead to the authorized disclosure of private information to U.S. authorities under the Patriot Act, introduced to fight terrorism.
The government says through recent amendments to provincial privacy legislation and specific measures in the contract, it has ensured medical information is safe from unauthorized disclosure.
“”The government had made a commitment that we would not enter into any arrangement that would put the privacy of personal health information at risk,”” said Lisa Brewster, a spokesperson for the BC Ministry of Health Services. “”The government feels it has reasonable and appropriate provisions in the contract to make sure privacy is protected.””
The amendments to privacy legislation include a $500,000 fine for the unauthorized disclosure of personal information and the contract with Maximus contains a number of specific provisions, including a requirement that data storage and access be based solely in Canada with no remote access from outside the country, restrictions on employee use of outbound Web and e-mail access, and limited use of data transfer hardware.
“”We also have an agreement that if there ever was a threat of unauthorized disclosure we would be able to take control of the company,”” said Brewster.
The Maximus outsourcing deal was announced just six days after the release of a detailed report by B.C.’s Information and Privacy Commissioner, David Loukidelis, examining issues around the Patriot Act and the outsourcing of IT services.
Loukidelis’ report concluded there is a definite risk of the Patriot Act reaching across the border, but it can be minimized. A blocking provision, for example, is a common way to stop foreign laws from attempting to apply in another jurisdiction without going through appropriate channels. When a U.S. court is considering granting an order under the Patriot Act to reach across the border, Loukidelis said it will look at the foreign law to see how clear it is, the severity of penalties under the foreign law, and if there is another way of obtaining the information.
“”The court will then undertake a balancing test in deciding whether or not to even issue the order,”” said Loukidelis. “”But it does place U.S. companies that want to do business here through subsidiaries in a bit of a dilemma.””
That’s why Loukidelis said he would like to see the penalties for unauthorized disclosure stiffened, from the current $500,000 to $1 million and/or a two-year jail term. Despite the measures put in place, Loukidelis said there is still a measured risk a company may be caught between conflicting U.S. and Canadian laws.
“”If they want to bid on these outsourcing contracts they will still have to make a choice,”” said Loukidelis. “”We need to make sure the choice is a clear one.””
That risk was downplayed though by the Information Technology Association of Canada, whose policy director Bill Munson said there are easier ways for U.S. authorities to gain access to Canadian data then via the Patriot Act.
“”The additional risk to privacy allegedly posed by the Patriot Act has been overstated,”” said Munson.
In its submission the B.C. privacy commissioner’s report, ITAC said existing agreements between Canadian and U.S. law enforcement authorities make it easier for U.S. authorities to use existing channels rather then the Patriot Act.
“”The records can still be accessed by U.S. d authorities but via Canadian authorities, and under Canadian laws consistent with our Charter of Rights and Freedoms,”” said Munson.
Still, Munson said companies that rely on outsourcing want to comply with all relevant laws, and will welcome new measures that allow outsourcing to continue.
“”No company in the outsourcing business wants to see its markets dry up because governments don’t want to outsource anymore,”” said Munson. “”We see the measures as enough (to protect privacy), what the public may feel is a different thing. Time will tell whether they are workable from a business point of view.””
The Maximus contract may done be a done deal yet however. Public attention was first drawn to the planned outsourcing when the British Columbia Government Employees’ Union filed a lawsuit seeking to block it, saying it violated B.C. privacy legislation and the Canadian Health Act. After the outsourcing announcement, the union vowed to go ahead with its court fight.
“”If the Campbell Liberals think they’re above Canadian privacy laws and the Canada Health Act, they’re wrong,”” said BCGEU president George Heyman. “”We’ll see them in court.””
Maximus Inc. did not return repeated calls for comment on this article.