Scheduled Outages: The HCAI system will be unavailable from 5:00 p.m. (EDT) September 29 to 8:00 a.m. (EDT) October 2
Scheduled Outages: The HCAI system will be unavailable from 5:00 p.m. (EDT) September 29 to 8:00 a.m. (EDT) October 2
Health Care Facility | Insurers | Related Initiatives  

Access and Security


Health Care Facility management and Health Care Providers are asked to:

  • be aware of your responsibility to protect the Personal Information of your clients (patients) as detailed in your organization’s policies and applicable privacy law
  • comply with the requirements as set out in the Provider Terms and Conditions Agreements signed with HCAI
  • access only the files of the claimants/patients you are working with
  • protect PII from unauthorized disclosure in paper, electronic or verbal format

Explore the information on the side menu to learn more about managing your professional credentials, access, and security.

Removing and Adjusting Access Settings

Your Facility’s Authorizing Officer must be familiar with the HCAI application and provide access to Users in your organization on a role-based model. As staff moves within the facility or leaves, their access must be promptly changed or removed.

HCAI User profiles for Providers and Users who leave your Facility must be deactivated as soon as possible by adding an end-date. Adding an end-date to a Provider does not delete the Provider from HCAI. Rather, it limits access while preserving the historical information in the system. Once an end-date has been added, you can still invoice on behalf of that Provider for up to six months. Visit the Update Provider Information and Update User Information pages to learn how to end-date Providers and Users.

Access and Security


Managing your Professional Credentials

Health Care Providers using HCAI are accountable for ensuring their credentials are used appropriately by the Facilities for which they work. Here’s how you can ensure your professional credentials are accurately represented:

  • Retain copies of all OCFs you have signed for a Facility. Check that your name, profession, and registration number are all documented correctly.
  • Retain copies of all Affiliated Provider and Dependent Provider forms you have signed. You should have one form for each Facility that has registered you as an Associated Provider in HCAI.
  • When you end your affiliation with a Facility, ask the Facility to verify that they have added an end date to your Provider profile in HCAI.
  • If you are considering certifying an OCF-18 for a Facility you don’t work for, ask how this Facility plans to record your credentials in HCAI. If you prefer not to be added to their roster of Associated Providers, you have the right to request that they describe you as an external Provider instead. The Facility does not need to add you to their roster if you have certified a Plan but are not providing or supervising any services at that Facility.
  • If you are a Dependent Provider at a Facility, you can ask the Facility for a printout of your Provider records. This will show the way your name, profession, and college registration number appears on Forms submitted via HCAI by the Facility.
  • If you have, in the past, certified OCF-18 treatment plans for a Facility you don’t work for, you can determine whether the Facility added you as an in-house Provider or as an external Provider by looking at the Facility name and address associated with your name in Part 4 of the form. If you have been listed as working for the Facility, ask the Facility to add an end-date to your name in their Facility registry so that you are not represented as an employee on an ongoing basis.
  • When in doubt, call the Facility to ask whether they have registered you in HCAI, and how they are using your professional credentials. You have both the right and the responsibility to check in with any Facility with whom you work to find out how your information is being used.

If you have any questions or concerns about how a Facility has used your credentials in HCAI, contact HCAI Processing’s Chief Privacy Officer via email (privacyofficer@hcaiprocessing.ca) or telephone at 416-644-3120.

Click here to learn about the HCAI Anti-Fraud Working Group and its work investigating how the HCAI system can be used to detect and prevent fraud in Ontario’s auto insurance system.

Accessing your professional information in HCAI

HCAIP shares professional information only with the professional whose information it is, those who require it to process OCF submissions, or as required by law. As a Health Care Provider, you should investigate instances where you have reason to believe your professional credentials may have been used inappropriately.

Professional information includes your name, college ID number, profession, the Health Care Facilities that have listed you as a Provider, the date your services started with each Facility, and the end date where applicable. It can also include a list of OCFs submitted with your credentials.

If you have concerns, you may fill out a Request for Access to Professional Information by filling out this Provider Access Form. The form contains two possible reports. As a first step we recommend you request the list of Facilities that have you registered as a Provider. If after receiving the report you see that your name has not been removed or has been used where you have never worked, request a report of OCFs submitted by that Facility using your credentials.

Fax, mail, or email the form to HCAIP; we will not accept requests on the telephone or by a third party (employer, lawyer, etc). No information will be released without a signature and the reply address must be an address going directly to the professional requesting the information.

You will receive your information within 30 days of HCAIP receiving your signed request. If for some reason we cannot comply with your request, you will receive an explanation within the same time frame. You may supply an email address for the reply. We suggest using a secure site. Alternatively, you may supply a street address.

Access and Security


Password Protection

The need for numerous passwords necessitates the listing of passwords. This list should be as cryptic as possible so that it is meaningless to anyone but the user. Composition should meet the company standards but in general users should use

  • Mixture of upper and lower case letters
  • Numerals
  • No names, words, or dates
  • Special characters when allowed
  • At least 8 characters
  • No user name as part of your password

One option is to use a sentence or rhyme that can be easily remembered by the user. For example, “Mary Mary quite contrary, how does your garden grow?” could be translated into a password that reads “MmQ1hDyGg?”

When it comes time to change your password, consider changing a few characters or advancing the numeral by 1.

Access and Security


Computer Security

Take special precautions when accessing HCAI via a laptop or home computer. Do not share your office laptop with friends and family at home and avoid letting others see your screen. Clear your cache after using a public computer.

Never open suspicious emails from an unexpected contact or written in poor English. If you do not know who is sending the e-mail do not open it to investigate. Banks will never email to ask for your password for identity verification or because your account has been compromised.

Avoid clicking links in an email. Type the URL and check carefully to make sure it is valid. Fake URLs can look surprisingly real.

Access and Security


Health Care Facility management and Health Care Providers are asked to:

  • be aware of your responsibility to protect the Personal Information of your clients (patients) as detailed in your organization’s policies and applicable privacy law
  • comply with the requirements as set out in the Provider Terms and Conditions Agreements signed with HCAI
  • access only the files of the claimants/patients you are working with
  • protect PII from unauthorized disclosure in paper, electronic or verbal format

Jump to:

Removing and Adjusting Access Settings

Your Facility’s Authorizing Officer must be familiar with the HCAI application and provide access to Users in your organization on a role-based model. As staff moves within the facility or leaves, their access must be promptly changed or removed.

HCAI User profiles for Providers and Users who leave your Facility must be deactivated as soon as possible by adding an end-date. Adding an end-date to a Provider does not delete the Provider from HCAI. Rather, it limits access while preserving the historical information in the system. Once an end-date has been added, you can still invoice on behalf of that Provider for up to six months. Visit the Update Provider Information and Update User Information pages to learn how to end-date Providers and Users.

Managing your Professional Credentials

Health Care Providers using HCAI are accountable for ensuring their credentials are used appropriately by the Facilities for which they work. Here’s how you can ensure your professional credentials are accurately represented:

  • Retain copies of all OCFs you have signed for a Facility. Check that your name, profession, and registration number are all documented correctly.
  • Retain copies of all Affiliated Provider and Dependent Provider forms you have signed. You should have one form for each Facility that has registered you as an Associated Provider in HCAI.
  • When you end your affiliation with a Facility, ask the Facility to verify that they have added an end date to your Provider profile in HCAI.
  • If you are considering certifying an OCF-18 for a Facility you don’t work for, ask how this Facility plans to record your credentials in HCAI. If you prefer not to be added to their roster of Associated Providers, you have the right to request that they describe you as an external Provider instead. The Facility does not need to add you to their roster if you have certified a Plan but are not providing or supervising any services at that Facility.
  • If you are a Dependent Provider at a Facility, you can ask the Facility for a printout of your Provider records. This will show the way your name, profession, and college registration number appears on Forms submitted via HCAI by the Facility.
  • If you have, in the past, certified OCF-18 treatment plans for a Facility you don’t work for, you can determine whether the Facility added you as an in-house Provider or as an external Provider by looking at the Facility name and address associated with your name in Part 4 of the form. If you have been listed as working for the Facility, ask the Facility to add an end-date to your name in their Facility registry so that you are not represented as an employee on an ongoing basis.
  • When in doubt, call the Facility to ask whether they have registered you in HCAI, and how they are using your professional credentials. You have both the right and the responsibility to check in with any Facility with whom you work to find out how your information is being used.

If you have any questions or concerns about how a Facility has used your credentials in HCAI, contact HCAI Processing’s Chief Privacy Officer via email (privacyofficer@hcaiprocessing.ca) or telephone at 416-644-3120.

Click here to learn about the HCAI Anti-Fraud Working Group and its work investigating how the HCAI system can be used to detect and prevent fraud in Ontario’s auto insurance system.

Accessing your professional information in HCAI

HCAIP shares professional information only with the professional whose information it is, those who require it to process OCF submissions, or as required by law. As a Health Care Provider, you should investigate instances where you have reason to believe your professional credentials may have been used inappropriately.

Professional information includes your name, college ID number, profession, the Health Care Facilities that have listed you as a Provider, the date your services started with each Facility, and the end date where applicable. It can also include a list of OCFs submitted with your credentials.

If you have concerns, you may fill out a Request for Access to Professional Information by filling out this Provider Access Form. The form contains two possible reports. As a first step we recommend you request the list of Facilities that have you registered as a Provider. If after receiving the report you see that your name has not been removed or has been used where you have never worked, request a report of OCFs submitted by that Facility using your credentials.

Fax, mail, or email the form to HCAIP; we will not accept requests on the telephone or by a third party (employer, lawyer, etc). No information will be released without a signature and the reply address must be an address going directly to the professional requesting the information.

You will receive your information within 30 days of HCAIP receiving your signed request. If for some reason we cannot comply with your request, you will receive an explanation within the same time frame. You may supply an email address for the reply. We suggest using a secure site. Alternatively, you may supply a street address.

Password Protection

The need for numerous passwords necessitates the listing of passwords. This list should be as cryptic as possible so that it is meaningless to anyone but the user. Composition should meet the company standards but in general users should use

  • Mixture of upper and lower case letters
  • Numerals
  • No names, words, or dates
  • Special characters when allowed
  • At least 8 characters
  • No user name as part of your password

One option is to use a sentence or rhyme that can be easily remembered by the user. For example, “Mary Mary quite contrary, how does your garden grow?” could be translated into a password that reads “MmQ1hDyGg?”

When it comes time to change your password, consider changing a few characters or advancing the numeral by 1.

Computer Security

Take special precautions when accessing HCAI via a laptop or home computer. Do not share your office laptop with friends and family at home and avoid letting others see your screen. Clear your cache after using a public computer.

Never open suspicious emails from an unexpected contact or written in poor English. If you do not know who is sending the e-mail do not open it to investigate. Banks will never email to ask for your password for identity verification or because your account has been compromised.

Avoid clicking links in an email. Type the URL and check carefully to make sure it is valid. Fake URLs can look surprisingly real.

Top