Health Care Facility | Insurers | Related Initiatives  

Storing and Sharing Information

Health Care Facilities and Health Care Providers are asked to:

  • be aware of your responsibility to protect the Personal Information of your clients (patients) as detailed in your organization’s policies and applicable privacy law
  • comply with the requirements as set out in the Provider Terms and Conditions agreements  signed with HCAI
  • obtain and store the claimants’ consent to treatment
  • record only the necessary information for treatment and payment
  • protect PI from unauthorized disclosure in paper, electronic or verbal format
  • ensure claimant data is as accurate as possible

Dos and Don’ts

Do ensure OCFs are submitted to the correct Insurer. You can view the Provider Support – Submitting and Storing Forms page to learn about the matching process and how you can ensure an OCF is matched to the correct adjuster.

Do retain paper copies of signed Provider agreements and signed OCFs. These copies should be stored in compliance with Facility policy outlining privacy and security safeguards to protect from unauthorized access, retention, and destruction. Once an OCF is printed, it is the responsibility of the Facility to protect it.

Do not fax or mail any claimant information to HCAI. Facilities must only submit OCFs via the electronic system ( or through your PMS system). Faxing or mailing to HCAI will constitute a breach of privacy and your Facility will be notified. The information will be shredded.

Do not send any OCF attachments to HCAI. If an OCF is accompanied by attachments, these attachments must be sent directly to the Insurer.

Do not copy data to the hard drive of a portable unit or storage device. Facilities maintaining copies of PDF OCFs are responsible for maintaining a secure system, with audit trails.

Managing your Facility

Access to electronic information in HCAI should be granted on a need-to-know basis to facilitate each User’s responsibilities. Passwords should never be shared. Access should be tracked and removed immediately upon change in role or exit.

Deactivate User and Providers
HCAI User profiles for Providers and Users who leave your Facility must be deactivated as soon as possible by adding an end-date. Adding an end-date to a Provider profile does not delete a Provider from HCAI. Rather, it limits access while preserving the historical information in the system. Once an end-date has been added, you can still invoice on behalf of that Provider for up to six months. Visit the Update Provider Information and Update User Information pages to learn how to end-date Providers and Users.

Delete old drafts
Saving an OCF as a draft in HCAI is an easy way to streamline your workflow. However, OCF drafts older than one year typically do not reflect the most current version of the form. Old drafts containing patient information left in the system could lead to a privacy breach. OCF drafts older than one year should be deleted on a regular basis. View “How do I create or delete a draft?” on the Track my OCF page to learn how.

End-date inactive Facilities
Your Facility should be end-dated if inactive. Removing inactive Facilities from HCAI benefits all Users by reducing cyber security risks. Unmanaged/inactive accounts are more susceptible to fraudulent activity. HCAI Processing periodically reviews Facilities in the HCAI system to end-date Facilities in a timely manner. You may receive a deactivation email or letter if your Facility does not have a valid, FSCO-issued Service Provider Licence AND you have not submitted an OCF in one or more years. When you receive this email/letter, please follow the instructions to end-date your Facility. If you do not end-date your Facility within the assigned time period, HCAI will manually end-date your Facility on your behalf. You must re-enrol with HCAI if you need to submit an OCF in the future.