Key Privacy Terms
Personal Information (PI) is any information about an identifiable individual. Used alone, the term PI includes PHI (see below).
Personal Health Information (PHI) is identifying information about an individual in oral or recorded form, if the information:
- Related to the physical or mental health of the individual, including information that consists of the health history of the individual’s family;
- Relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual;
- Is a plan of service within the meaning of the Long-Term Care Act, 1994 for the individual;
- Relates to payments or eligibility for health care in respect of the individual;
- Relates to donation by the individual of any body part or bodily substance of the individual or is deriving from testing or examination of any such body part or bodily substance;
- Is the individual’s health number, OR
- Identifies an individual’s substitute decision-maker.
HCAI becomes responsible for the privacy and security of PI and PHI when the data enters the HCAI system, while the data is stored by HCAI, and when HCAI destroys the data.
Any data held outside of HCAI is the Insurer’s responsibility. Read the Storing and Sharing Information page for more information on best practices.
Health Claims for Auto Insurance Processing (HCAIP) is responsible for the operation of the electronic processing system (HCAI) for automobile insurance claims for rehabilitation post-accident. This system allows health care facilities and insurers to communicate with each other by facilitating the transmission of Ontario claim forms (OCFs). The aim is to facilitate the claims adjudication process. Data which has all personal identifiers removed (aggregated data) is also used to assess how insurance resources are accommodating the needs of claimants. In order to fulfill our mandate the HCAI system contains sensitive personal health information. Protecting this information is the job of HCAIP, healthcare providers, insurers and the claimants.
Below are the main actions HCAIP will take and the actions we depend on others to take, in order to protect the confidentiality of personal information (PI).
HCAIP commits to:
- maintain appropriate technical and administrative safeguards to protect the data in the HCAI system
- audit the privacy practices of any third parties that HCAI contracts to establish consistency with HCAIP standards
- contact the appropriate organization (insurer or provider facility) in the event we are approached by a claimant for PI. If we are required by law to release information we will, in most cases, advise you of the fact.
- provide training material and update users on the HCAI system
- take prompt action in the instance of a privacy breach
Insurers are asked to:
- be aware of your responsibility to protect the Personal Information of your clients as detailed in your organization’s policies and applicable privacy law.
- provide access on a role-based model and promptly remove or change access as staff moves or leaves.
- assist in any investigation should there be a breach involving your organization’s data
If you have any concerns about privacy contact your organization’s Privacy Office or HCAIP’s Privacy Office via email at firstname.lastname@example.org or by fax at 416-664-3121.
Why am I receiving HCAI emails?
Use of the HCAI system is mandated by the Financial Services Regulatory Authority of Ontario (FSRA)* for the transmission of Ontario Claims Forms (OCFs) by Health Care Facilities and Insurers. As such, HCAI Communications is required to inform each registered and currently active Insurer of any changes to the HCAI system. This may include changes to functionality and/or changes in the regulatory business environment that concern how HCAI is used by Facilities and Insurers.
As a designated contact for an insurer, you accept the responsibilities specific to that role, including giving HCAI consent to contact you. The responsibilities of Contact 1 and Contact 2 include a requirement to share important HCAI information across the insurer organization. To stay informed of critical changes to the system and remain compliant with HCAI, each insurer should designate a Contact 1 and Contact 2 in the insurer management screen. These emails are authorized under Canada’s anti-spam legislation (CASL) as users of the HCAI system have a contractual relationship with HCAI. HCAI Processing does not give, sell, or trade lists containing personal information.
*Effective June 8, 2019, the Financial Services Regulatory Authority (FSRA) assumed the regulatory functions of the Financial Services Commission of Ontario (FSCO). Visit www.fsrao.ca for updates.