Government Institution
Veterans Affairs Canada
Government Official Responsible for the Privacy Impact Assessment
Kim Andrews
A/Director General, Service Delivery and Program Management
Head of the government institution / Delegate for section 10 of the Privacy Act
Crystal Garrett-Baird
Director, Privacy and Information Management
Name of Program or Activity of the Government Institution
Federal Health Claims Processing Service (FHCPS)
Description of Program or Activity:
Veterans Affairs Canada (VAC), the Canadian Armed Forces (CAF) and the Royal Canadian Mounted Police (RCMP) provide a wide range of health benefits and services to eligible members/clients, Veterans and other persons, as specified under their respective legislation. VAC, RCMP and CAF have partnered to manage the claims processing and related services for these health benefits and services by using the Federal Health Claims Processing Service (FHCPS). This service is provided through a third party contract with Medavie Blue Cross (MBC) that was awarded in January 2014, followed by an 18 month development period. The operation phase began on August 1, 2015 and will run for an initial 7 year period. VAC is the project authority for the three partner Departments.
FHCPS includes services and systems used to:
- Process VAC, CAF and RCMP health claims;
- Support clients and providers with the processing and settlement of their claims; and
- Ensure compliance with VAC, RCMP and CAF policies and processes, including audit, reporting and financial control practices.
The determination of a client’s eligibility is the responsibility of the each partner Department. The FHCPS enables the management, monitoring, reporting and electronic processing of claims based on client eligibility and is accessible by authorized MBC, VAC, CAF and RCMP personnel. Service providers and members/clients can also access specific information to which they are entitled on a self-service on-line portal. Claims payments are made to health care providers, or through reimbursement to clients and authorized third parties. Providers who register with the Contractor meet the applicable registration criteria.
VAC has four programs that use FHCPS as part of its program delivery: Treatment Benefits, Veterans Independence Program, Intermediate and Long-Term Care and Rehabilitation Services and Vocational Assistance Program. Services provided by MBC using the FHCPS include the following:
- Medical, surgical, psychological and dental examinations and treatment provided by health professionals;
- Surgical or prosthetic devices and aids, and their maintenance;
- Home adaptations to accommodate the use of the foregoing devices and aids;
- Preventive health care and supplies;
- Prescribed drugs;
- Medical and Psychosocial services and associated travel expenses;
- Health-related travel and rehabilitation related expenses;
- Veterans Independence Program; and
- Long Term Care.
Description of the Class of Record and Personal Information Bank
Classes of Records:
- Federal Health Claims Processing System Administration (VAC MVA 690)
- Health Care Benefits (VAC MVA 860)
- Intermediate and Long-Term Care Program (VAC MVA 880)
- Rehabilitation (VAC MVA 830)
- Veterans Independence Program (VAC MVA 855)
The following Classes of Records are also affected, as eligibility for these programs provides a gateway for eligibility to other benefits and services including Health Care Benefits and Services:
- Disability Awards Program (VAC MVA 875)
- Disability Pension Program (VAC MVA 820)
- War Veterans Allowance (VAC MVA 680)
Personal Information Banks:
- Health Care Benefits and Services (VAC PPU 295)
- Rehabilitation Services and Vocational Assistance (VAC PPU 300)
- Veterans Independence Program - Home Care Benefits and Services (VAC PPU 616)
- Veterans Independence Program - Other Services (VAC PPU 617)
- Non-departmental Institutions - Veterans Independence Program (VIP) (VAC PPU 618)
- Non-departmental Institutions - Long Term Care (LTC) (VAC PPU 619)
- Disability Pensions (VAC PPU 601)
- Disability Awards (VAC PPU 603)
- War Veterans Allowance (VAC PPU 040)
This information can be reviewed at: VAC's Info Source Chapter
Legal Authority for Program or Activity - VAC
As this initiative affects multiple VAC programs and services, there are multiple legal authorities:
- Department of Veterans Affairs Act (Section 4)
- Canadian Forces Members and Veterans Re-establishment and Compensation Act
- Canadian Forces Members and Veterans Re-establishment and Compensation Regulations
- Veterans Health Care Regulations
- Royal Canadian Mounted Police Superannuation Act
- Royal Canadian Mounted Police Pension Continuation Act
- Pension Act
- War Veterans Allowance Act
Risk Area Identification & Categorization
The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level (1) represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.
1) Type of Program or Activity
Administration of Programs / Activity and Services
Level of risk to privacy – 2
2) Type of Personal Information Involved and Context
Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Level of risk to privacy – 3
3) Program or Activity Partners and Private Sector Involvement
Private sector organizations or international organizations or foreign governments
Level of risk to privacy – 4
4) Duration of the Program or Activity
Long-term program.
Level of risk to privacy – 3
5) Program Population
The program affects certain individuals for external administrative purposes.
Level of risk to privacy – 3
6) Technology & Privacy
a) Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy –No
b) Does the new or modified program or activity require any modifications to IT legacy systems and / or services?
Risk to privacy –Yes
c) Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy –No
d) Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy –No
e) Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy –Yes
7) Personal Information Transmission
The personal information is used in a system that has connections to at least one other system.
The personal information is transferred to a portable device or is printed.
The personal information is transmitted using wireless technologies.
Level of risk to privacy – 2, 3 & 4
8) Risk Impact to the Institution
Managerial harm; organizational harm; financial harm; and reputational harm, embarrassment, loss of credibility.
Level of risk to privacy – 1, 2, 3 & 4
9) Risk Impact to the Individual or Employee
Inconvenience; reputational harm, embarrassment; and financial harm.
Level of risk to privacy – 1, 2 & 3