Scheduled Outages: The HCAI system will be unavailable from 5:00 p.m. (EDT) September 29 to 8:00 a.m. (EDT) October 2
Scheduled Outages: The HCAI system will be unavailable from 5:00 p.m. (EDT) September 29 to 8:00 a.m. (EDT) October 2
Health Care Facility | Insurers | Related Initiatives  

Access and Security


Insurers are asked to:

  • Ensure your staff has privacy/security training on a regular basis and that changes in the HCAI system are communicated in a timely manner.
  • Provide access on a role-based model and promptly remove or change access as staff moves or leaves (view ‘User Administration’ page for details)
  • Assist in any investigation should there be a breach involving your organization’s data

Removing and Adjusting Access Settings

Insurers are asked to provide access to HCAI on a role-based model. Access to electronic information in HCAI should be granted on a need-to-know basis to facilitate each user’s responsibilities. Access should be tracked and removed immediately upon change in role or exit.

HCAI users who leave your organization should be deactivated as soon as possible. Deactivating the user access prevents unauthorized access to the HCAI system. Adjusters must also eventually have their adjuster account deactivated to prevent documents arriving to an unattended worklist.

Access for independent adjusters (IAs) should be managed promptly as adjusters change. For the security of your account, each independent adjuster must have his or her own user ID and password that is closely administered by a representative within your organization. Role descriptions for those with IA responsibilities should include backup persons for cases of temporary or permanent absence. Contracts with IAs should involve a process for handing passwords promptly, especially in unexpected staff changes.

Password Protection

We use passwords for so many accounts in our lives (i.e. banking, email, taxes, social media, work logins). In most cases, it makes sense to carry some kind of list or ‘cheat sheet’ to help us out. If find it helpful to keep a password cheat sheet, it should never contain the password itself, and should be as cryptic as possible so that it is meaningless to anyone but the user.

The password should meet the company standards but in general users should be composed of:

  • A mixture of upper and lower case letters
  • Numerals
  • No names, words, or dates
  • Special characters when allowed
  • At least 8 characters
  • No user name as part of your password

One option is to use a sentence or rhyme that can be easily remembered by the user. For example, “Mary Mary quite contrary, how does your garden grow?” could be translated into a password that reads “MmQ1hDyGg?”

When it comes time to change your password, consider changing a few characters or advancing the numeral by 1.

Computer Security

Take special precautions when accessing HCAI via a laptop or home computer. Do not share your office laptop with friends and family at home and avoid letting others see your screen. Clear your cache after using public computer.

Never download claimant data to a hard drive or mobile device unless known to your supervisor.

Never open suspicious emails from an unexpected contact or written in poor English. If you do not know who is sending the e-mail do not open it to investigate. Banks will never email to ask for your password for identity verification or because your account has been compromised.

Avoid clicking links in an email or opening attachments. Type the URL and check carefully to make sure it is valid. Fake URLs can look surprisingly real.