Key Privacy Terms
Personal Information (PI) is any information about an identifiable individual. Used alone, the term PI includes PHI (see below).
Personal Health Information (PHI) is identifying information about an individual in oral or recorded form, if the information:
- Related to the physical or mental health of the individual, including information that consists of the health history of the individual’s family;
- Relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual;
- Is a plan of service within the meaning of the Long-Term Care Act, 1994 for the individual;
- Relates to payments or eligibility for health care in respect of the individual;
- Relates to donation by the individual of any body part or bodily substance of the individual or is deriving from testing or examination of any such body part or bodily substance;
- Is the individual’s health number, OR
- Identifies an individual’s substitute decision-maker.
HCAI becomes responsible for the privacy and security of PI and PHI when the data enters the HCAI system, while the data is stored by HCAI, and when HCAI destroys the data.
Health Claims for Auto Insurance Processing (HCAIP) is responsible for the operation of the electronic processing system (HCAI) for automobile insurance claims. This system allows health care facilities and insurers to communicate with each other by facilitating the transmission of Ontario claim forms (OCFs). The aim is to facilitate the claims adjudication process. Data which has all personal identifiers removed (aggregated data) is also used to assess how insurance resources are accommodating the needs of claimants. In order to fulfill our mandate the HCAI system contains sensitive personal health information. Protecting this information is the job of HCAIP, healthcare providers, insurers and the claimants.
Below are the main actions HCAIP will take and the actions we depend on others to take, in order to protect the confidentiality of personal information (PI).
HCAIP commits to:
- maintain appropriate technical and administrative safeguards to protect the data in the HCAI system
- audit the privacy practices of any third parties that HCAI contracts to establish consistency with HCAIP standards
- contact the appropriate organization (insurer or provider facility) in the event we are approached by a claimant for PI. If we are required by law to release information we will, in most cases, advise you of the fact.
- provide training material and update users on the HCAI system
- take prompt action in the instance of a privacy breach
Insurers are asked to:
- ensure your staff has privacy/security training on a regular basis and that changes in the HCAI system are communicated in a timely manner.
- provide access on a role-based model and promptly remove or change access as staff moves or leaves.
- not download claimant data to a hard drive or mobile device unless known to your supervisor
- assist in any investigation should there be a breach involving your organization’s data
Claimants are asked to:
- ensure your healthcare provider has accurate information about your status, your place of residence and your insurer.
- be sure your healthcare provider explains whom they will be sharing your information with in order to both provide treatment and receive payment. You will be asked to sign a consent form to confirm that you understand the process.
If you have any concerns about privacy contact HCAIP’s Chief Privacy Officer via email at firstname.lastname@example.org or by fax at 416-664-3121
Website Usage Data and Cookies
HCAI Processing automatically collects Internet Protocol (IP) addresses and website usage information on all visitors to the website. This information helps in analyzing the traffic and refining and optimizing the site design. Cookies are of the single session type which means users must log in again on return to the site.
Why am I receiving HCAI emails?
Use of the HCAI system is mandated by the Financial Services Commission of Ontario (FSCO)* for the transmission of Ontario Claims Forms (OCFs) by Health Care Facilities and Insurers. As such, HCAI Communications is required to inform each registered and currently active Insurer of any changes to the HCAI system. This may include changes to functionality and/or changes in the regulatory business environment that concern how HCAI is used by Facilities and Insurers.
As a designated contact for an insurer, you accept the responsibilities specific to that role, including giving HCAI consent to contact you. The responsibilities of Contact 1 and Contact 2 include a requirement to share important HCAI information across the insurer organization. To stay informed of critical changes to the system and remain compliant with HCAI, each insurer should designate a Contact 1 and Contact 2 in the insurer management screen.
HCAI is not subject to Canada’s anti-spam legislation (CASL) as users of the HCAI system have a contractual relationship with HCAI. HCAI Processing does not give, sell, or trade lists containing personal information.
*Effective June 8, 2019, the Financial Services Regulatory Authority (FSRA) assumed the regulatory functions of the Financial Services Commission of Ontario (FSCO). Visit www.fsrao.ca for updates.