Key Privacy Terms
Personal Information (PI) is any information about an identifiable individual. Used alone, the term PI includes PHI (see below)
Personal Health Information (PHI) is identifying information about an individual in oral or recorded form, if the information:
- Related to the physical or mental health of the individual, including information that consists of the health history of the individual’s family;
- Relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual;
- Is a plan of service within the meaning of the Long-Term Care Act, 1994 for the individual;
- Relates to payments or eligibility for health care in respect of the individual;
- Relates to donation by the individual of any body part or bodily substance of the individual or is deriving from testing or examination of any such body part or bodily substance;
- Is the individual’s health number, OR
- Identifies an individual’s substitute decision-maker.
HCAI becomes responsible for the privacy and security of PI and PHI when the data enters the HCAI system, while the data is stored by HCAI, and when HCAI destroys the data.
Any printed data is the Health Care Facility and/or Health Care Provider’s responsibility. Read the Storing and Sharing Information page for more information on best practices.
Health Claims for Auto Insurance Processing (HCAIP) is responsible for the operation of the electronic processing system (HCAI) for automobile insurance claims for rehabilitation post-accident. This system allows health care facilities and insurers to communicate with each other by facilitating the transmission of Ontario claim forms (OCFs). The aim is to facilitate the claims adjudication process. Data which has all personal identifiers removed (aggregated data) is also used to assess how insurance resources are accommodating the needs of claimants. In order to fulfill our mandate the HCAI system contains sensitive personal health information. Protecting this information is the job of HCAIP, healthcare providers, insurers and the claimants.
Below are the main actions HCAIP will take and the actions we depend on others to take, in order to protect the confidentiality of personal information (PI).
HCAIP commits to:
- maintain appropriate technical and administrative safeguards to protect the data in the HCAI system
- audit the privacy practices of any third parties that HCAI contracts to establish consistency with HCAIP standards
- contact the appropriate organization (insurer or provider facility) in the event we are approached by a claimant for PI. If we are required by law to release information we will, in most cases, advise you of the fact.
- provide training material and update users on the HCAI system
- take prompt action in the instance of a privacy breach
Healthcare facilities management and healthcare providers are asked to:
- be aware of your responsibility to protect the Personal Information of your clients (patients) as detailed in your organization’s policies and applicable privacy law
- ensure that the Authorizing Officer is familiar with the HCAI application and that access to users in your organization is provided on a role based model. In addition as staff moves within the facility or leaves, have access promptly changed or removed.
- comply with the requirements as set out in the Provider terms and conditions agreements signed with HCAI
- obtain and store the claimants consent to treatment
- record only the necessary information for treatment and payment
- access only the files of the claimants/patients you are working with
- protect PI from unauthorized disclosure in paper, electronic or verbal format
- ensure claimant data is as accurate as possible
Claimants are asked to:
- ensure your healthcare provider has accurate information about your status, your place of residence and your insurer.
- be sure your healthcare provider explains whom they will be sharing your information with in order to both provide treatment and receive payment. You will be asked to sign a consent form to confirm that you understand the process.
If you have any concerns about your PI, contact the Privacy Officer for the insurance company you deal with or the Chief Privacy Officer at HCAIP at firstname.lastname@example.org or by fax at 416-664-3121
Why am I receiving HCAI emails?
Use of the HCAI system is mandated by the Financial Services Commission of Ontario (FSCO) for the transmission of Ontario Claims Forms (OCFs) by Health Care Facilities and Insurers. As such, HCAI Communications is required to inform each registered and currently active Facility of any changes to the HCAI system. This may include changes to functionality and/or changes in the regulatory business environment that concern how HCAI is used by Facilities and Insurers.
Each Authorizing Office (AO) in HCAI carries certain responsibilities on behalf of the Facility or Facilities s/he represents, as outlined on the Authorizing Officer Information page. By agreeing to be the AO for a Facility and thereby accepting the responsibilities specific to that role, you are giving HCAI consent to contact you. The responsibilities of the AO include a requirement to share important HCAI information with every other HCAI user at the facility. To stay informed of critical changes to the HCAI system, receive password reset emails as required, and remain compliant with HCAI, it is not possible for the AO to opt out of receiving HCAI emails. HCAI is not subject to Canada’s anti-spam legislation (CASL) as users of the HCAI system have a contractual relationship with HCAI. HCAI Processing does not give, sell, or trade lists containing personal information.
Should you wish to no longer receive emails from HCAI Communications, either your Facility’s AO must be changed or your Facility’s HCAI account must be deactivated. Visit the Authorizing Officer Information page or the Deactivate Facility page to learn how.