Federal Health Claims Processing Service (FHCPS)

Government Institution
Department of National Defence (DND)

Government official responsible for the PIA
Col Natasha Singh
Director, Health Services Delivery

Head of the government institution or Delegate for section 10 of the Privacy Act
Anne Bank, Executive Director
Directorate Access to Information and Privacy

Standard or Institution Specific Class of Record:
DND SGB 496
Health and Benefit Claims Processing

Standard or Institution Specific Personal Information Bank:
DND PPU 819
Federal Health Claims Processing Service (FHCPS)

Background

DND/CAF provides a wide range of health benefits and services to its members. This includes coverage of medical, dental and other treatments provided by health professionals. It also includes preventive health care and supplies, prescribed drugs, health-related travel and rehabilitation related expenses, and long-term care. While health care services are provided to serving members primarily through CAF clinics, health care is sometimes provided through provincial health care systems, institutions, and private practitioners.

In 2014, to help support the management of health services claims, DND/CAF – in partnership with Veterans Affairs Canada (VAC) and the Royal Canadian Mounted Police (RCMP) – entered into a contract (the ‘FHCPS Contract’) with a third-party to manage all claims processing (the ‘Claims Administrator’). The Claims Administrator owns and operates a Federal Health Claims Processing Services Solution (the ‘FHCPS Solution’), which includes an on-line portal for users. It allows for the secure receipt, processing, and settlement of all member health claims. The FHCPS Solution also provides the means to monitor and ensure compliance with departmental policies, including audit, reporting, and financial requirements.

Although VAC is the project authority for the FHCPS, DND/CAF is responsible for member eligibility determinations. Once a CAF Health Services Centre or dental unit has assessed a client’s status and eligibility, and the requirement to refer to a client to a civilian healthcare provider, the FHCPS assumes responsibility for the management, monitoring, reporting and electronic processing of the health claim. Clients or their health care providers submit claims for services through an on-line portal which are received and reviewed by the Claims Administrator. The Claims Administrator processes the claim in accordance with terms and conditions of the client’s benefit plan and approves the claim for settlement. Settlements can be paid to the health care provider directly, or to member clients as reimbursements.

Rationale for Conducting PIA

The first contract for FHCPS was awarded by the Government of Canada in 1989. Since 1999, DND/CAF, VAC, and the RCMP have partnered to manage health authorization and claims processing services to serving members, Veterans, and their families, using a single FHCPS Contract. The current FHCPS Contract, awarded to Medavie Blue Cross in 2014, ends in September 2026.

Although the current FHCPS Contract is expected to be in place for several more years, Public Service Procurement Canada (PSPC), in conjunction with Treasury Board of Canada Secretariat (TBS), DND/CAF, VAC, and the RCMP, have initiated a process to ensure that there is a new competitively awarded FHCPS Contract in place for October 2026. The establishment of service requirements related to the new FHCPS Contract are now underway, with PSPC leading presentations to the Government of Canada’s Enterprise Architecture Review Board for the endorsement of the conceptual architecture for the new FHCPS Solution. That endorsement will, in turn, be used to support the development of a formal tender or Request for Proposal and Treasury Board Submission.

As part of the FHCPS Contract, the successful Contractor and Claims Administrator will be required to support the development of a new FHCPS Solution. The new FHCPS Solution is expected to provide DND/CAF, VAC and the RCMP with an opportunity to enhance existing Service and Solution capabilities. Over the years, the quality and consistency of the FHCPS has suffered as the technology upon which the FHCPS Solution was built becomes further dated. As previously stated, the current FHCPS Solution was developed in 2013/14. It and its supporting systems now require manual interventions to operate as desired and have been the subject of some criticism from users of late for failing to deliver a modern user experience. The current Service also relies heavily on paper processing and manual data entry, which in turn results in a risk to data quality and integrity. Most importantly, the current FHCPS Solution lacks modern authentication technologies critical to improving its security stance and data protection capabilities.

Whereas the needs of DND/CAF and the FHCPS do not currently exist within the Government of Canada (GC), and whereas departmental partners (DND/CAF, VAC, RCMP) do not have the organizational expertise to develop a claims processing system themselves, a full procurement process is planned to solicit contractors to build the new system and to provide supporting business expertise services. The new FHCPS Solution will be required to comply with best practices in data management, governance, and security. The new Solution will also need to be designed in such a way as to support the data handling requirements of the Privacy Act and its related policies.

Scope of PIA

The purpose of the FHCPS PIA was to ensure that privacy risks specific to CAF clients are identified early in the new FHCPS Solution’s design, and to reflect on privacy risks associated with the current FHCPS Contract and Service. The present PIA, led by CFHS, fulfills DND/CAF’s commitment to ensure that PIAs are conducted in relation to core administrative activities, as per the TBS Directive on Privacy Impact Assessments.

The PIA process centered on the review of the on-going outsourcing of FHCPS claims and proposals for claims processing under the new FHCPS Contract and Solution. It included a review of the new Solution’s conceptual design and development plans, and the planned Statement of Requirements (SOR) and Statement of Work developed in support of its procurement. The PIA also included a review of privacy management plans and programming initiated by the CFHS in support of the new FHCPS Contract and Solution.

Summary Results

Based on the results of the PIA, privacy risks arising from CAPSSA are expected to be moderate.  Potential impacts on the privacy of complainants are being properly managed however by DND/CAF through legal, policy and technical measures geared at the protection of personal information. Recommendations included in the PIA are expected to reduce program risks to a low (or acceptable) level.  

Risk Area Identification and Categorization

Type of Program or Activity Risk Level
A program or activity that does involve a decision about an identifiable individual. 4
Type of Personal Information Involved and Context Risk Level
Sensitive personal information, including biometric, DNA, genetic, health, or financial information, which may be particularly sensitive in certain contexts. 5
Program or Activity Partners and Private Sector Involvement Risk Level
Program partners may include private sector organizations. 4
Duration of the Program or Activity Risk Level
The program is of a long duration (5-10 years). 4
Program Population Risk Level
The program's use of personal information is for external administrative purposes but only affects certain individuals. 4
Technology and Privacy Risk Level
Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information? Yes
Does the new or modified program or activity require substantial modifications to IT legacy systems and / or services? No
The new or modified program or activity involves the implementation of potentially privacy invasive technologies? No
Personal Information Transmission Risk Level
The personal information is used in a system that has connections to at least one other system. 4
The personal information may be transmitted using wireless technologies.
Risk Impact to the Individual or Employee Risk Level
Inconvenience. 5
Reputational harm.
Psychological harm.
Physical security.
Risk Impact to the Department Risk Level
The embarrassment of public officials. 5
A short-term loss of institutional credibility.
Financial harm.
Legal action.
A lasting decrease in public confidence in the institution, or the need for organizational restructuring or reform.

Page details

Date modified: