Privacy FAQs
All Questions
What is the Electronic Health Record?
The Electronic Health Record (EHR) is a secure and private record of an individual’s health history and is available electronically to authorized health care practitioners in Ontario, anywhere, anytime. The EHR contains your EHR data, which consists of lab requisitions and results, prescription drug records, diagnostic imaging reports, and clinical health information from hospitals, family doctors, nurse practitioners, community health centres and other health care providers. Your EHR data is contributed by your health care providers so they can access and share the information they need – when and where they need it – to provide you with the best care experience that is possible.
The Plain Language Description of the Electronic Health Record provides more information about the EHR and the kinds of information that it includes.
What is the role of Ontario Health (Digital Services) role with the Electronic Health Record?
As a result of a transfer order made by the Ministry of Health under the Connecting Care Act, 2019, effective as of December 2, 2019, the assets, rights, obligations and employees of eHealth Ontario were transferred to Ontario Health and the Digital Services business unit of Ontario Health – Ontario Health (Digital Services) – was created to provide the services that had been provided by eHealth Ontario.
Ontario Health (Digital Services) acts as a ‘Prescribed Organization’ under Part V.1 of the Personal Health Information Protection Act, 2004 (PHIPA) in order to develop and maintain the EHR. Acting as a Prescribed Organization involves a number of functions, duties and responsibilities, which include ensuring the proper functioning of the EHR; managing EHR data; making sure that EHR data is of the same level of quality and accuracy as what was submitted to the EHR by health information custodians; and analyzing EHR data to provide alerts and reminders to health care practitioners for their use in the provision of health care to individuals.
For more information on the Prescribed Organization status and associated functions, duties and responsibilities when it comes to the EHR, please refer to the Statement of Information Practices.
Who can see my EHR data?
Authorized members of your health care team may access your EHR data when they provide you health care. The EHR allows your health related information to be shared from one member of your health care team to another so that they may provide you with the best health care experience that is possible. Authorized members of your health care team may include physicians, specialists, family doctors, nurse practitioners, nurses, emergency room clinicians and specialists in clinics, hospitals, public health units, long-term care facilities, and community care. Access to and disclosure of your EHR data is granted in accordance with Ontario’s health privacy law (Personal Health Information Protection Act, 2004).
Your EHR data is also accessible by coroners in relation to an investigation conducted under the Coroners Act, and by the Chief Medical Officer of Health (“CMOH”) of Ontario or a medical officer of health within the meaning of the Health Protection and Promotion Act (“HPPA”) for purposes related to their duties under that act or the Immunization of School Pupils Act.
The Plain Language Description of the Electronic Health Record provides more information on the EHR.
How is my EHR data used?
Your EHR data is used by members of your health care team so that they can quickly look up lab results, prescription drug records digital imaging reports, hospital discharge summaries and more. Health care practitioners across Ontario who provide health care to you use this information to provide you with the best care experience that is possible.
Your EHR data may also be used by coroners in relation to an investigation conducted under the Coroners Act, and by the Chief Medical Officer of Health (“CMOH”) of Ontario or a medical officer of health within the meaning of the Health Protection and Promotion Act (“HPPA”) for purposes related to their duties under that act or the Immunization of School Pupils Act.
The Plain Language Description of the Electronic Health Record provides more information on the EHR.
How can I access my EHR data?
You have a right under the Personal Health Information Protection Act, 2004 (PHIPA) to access your health data. However, patients don’t currently have digital access to their EHR data. Providing patients and their families with this digital access is a priority for Ontario Health and the Ministry of Health, and work is underway to provide patient access electronically in the near future. Until that time, a printed copy of your EHR data can be made available to you. Refer to Accessing your EHR for more information on how to access your EHR data, and questions further down in this FAQ provide more specific information about access requests. And please note that Ontario Health (Digital Services) can only facilitate access requests for information contained in the EHR. For access to information not contained in your electronic health record, contact the health care organization or professional with whom you have a current care relationship (e.g. your hospital or family physician).
What can I do if I think there’s a mistake in my EHR data?
You have a right under the Personal Health Information Protection Act, 2004 (PHIPA) to request corrections to your EHR data if you think it is inaccurate, out-of-date or incomplete. If you would like to request corrections to your EHR data, contact the health care practitioner who provided you care. Or, if you are unsure of who to contact, please contact the Ontario Health (Digital Services) Privacy Office.
Can I stop a health care practitioner from accessing my EHR data?
You are able to block health care practitioners from accessing your EHR data – this is called a “consent directive.” If you do not want to share your EHR data with members of your health care team, you can restrict access by asking for a consent directive to be added to your record. This means when a health care practitioner tries to access your EHR data, a notice pops up indicating that access to your EHR data is blocked and can only be accessed by that practitioner under a limited set of conditions. This is called a consent override. Your healthcare provider will inform you when a consent override occurs.
Consent Overrides
In accordance with PHIPA, there are certain circumstances where a health information custodian may access information in the EHR which is subject to a consent directive. This is known as a consent override. The Electronic Health Record Consent Directive and Consent Override Policy outlines the circumstances where an override is permitted. The policy is available here: https://ehealthontario.on.ca/en/shared/ehr-consent-directive-consent-override-policy
Note that in some instances, a health information custodian may not have the technical ability to perform a consent override, and therefore may not be able to access the personal health information while a consent directive is in place, even if there is a significant risk of serious bodily harm to the individual to whom the information relates or to another person or group of persons.
See Managing access to your EHR for more information on consent directives and managing access to your EHR data.
Who do I contact if I think there has been inappropriate activity involving my EHR data?
As part of maintaining the privacy and security of the EHR and of your EHR data, access is continually monitored and reviewed. If you have concerns about access to your EHR data or suspect someone has inappropriately accessed your EHR data, please contact your health care provider, your health care provider’s organization, or the Information and Privacy Commissioner of Ontario.
How does Ontario Health (Digital Services) protect my EHR data?
To protect the privacy and security of your EHR data, Ontario Health (Digital Services) adheres to requirements set out in law, regulation and by the Information and Privacy Commissioner of Ontario (IPC), and a broad set of safeguards, consistent with industry best practices has been implemented. Ontario Health (Digital Services) has three kinds of safeguards that work together to protect your EHR data. Ontario Health (Digital Services) establishes how the privacy and security of the EHR and your EHR data must be maintained and managed across Ontario Health, which includes a comprehensive set of privacy and security policies and mandatory staff training in privacy and security (‘administrative safeguards’). Ontario Health (Digital Services) has special hardware, software, and computer systems designed to protect the privacy and security of the EHR and your EHR data, including encryption protocols, firewalls, intrusion detection systems, and anti-virus programs (‘technical safeguards’). And Ontario Health (Digital Services) has physical protections in place to protect your EHR data, including locked offices and computers, and secure document shredding (‘physical safeguards’).
Ontario Health (Digital Services) continually reviews and assesses these security and privacy safeguards to make sure they remain effective and appropriate for protecting the EHR and your EHR data. Our Safeguards page provides more information on the safeguards we have in place.
How does Ontario Health (Digital Services) manage the privacy of my EHR data?
In order to oversee, manage and promote trust in the privacy of your EHR data, the privacy office at Ontario Health (Digital Services) has established a privacy program, including privacy policies and information handling practices that apply throughout Ontario Health (Digital Services). The focus of this privacy program is to follow the relevant legislation and regulation, including the Personal Health Information Protection Act, 2004 (PHIPA), and to embed protection of your EHR data in all of the products, services, policies, procedures and processes developed.
The Ontario Health (Digital Services) Statement of Information Practices provides more information on the information practices, legislative authorities, and roles of Ontario Health (Digital Services) when it comes to personal health information and personal information. The Privacy Program page is where you can find copies of privacy policies and more information about the Ontario Health (Digital Services) privacy program.
How does Ontario Health (Digital Services) identify and manage any risks to my EHR data?
To help protect your EHR data, Ontario Health (Digital Services) is committed to identifying and managing privacy and security risks ahead of time. This involves conducting privacy and security assessments to evaluate the impacts and potential risks of any new system, project or initiative that involves your EHR data, in order to determine how it could affect your privacy and the appropriate safeguards that need to be in place.
More information on the privacy impact assessments performed by Ontario Health (Digital Services) can be found here.
More information on the Ontario Health (Digital Services) Security program can be found here.
Who can I contact to learn more about the privacy program and information practices of Ontario Health (Digital Services)?
More information about these privacy or information practices can be found here. If you have further questions, please contact the Ontario Health (Digital Services) Privacy Office. For questions not about the privacy practices of Ontario Health (Digital Services) but related to the Ontario Laboratory Information System (OLIS) and Drug and Pharmacy Service Information (DHDR), please contact ServiceOntario at:
Toll Free: 1-800-291-1405
TTY: 1-800-387-5559
Who do I contact if I have a concern or complaint about the privacy practices of Ontario Health (Digital Services)?
If you have any concerns or complaints about these privacy practices, please contact the Ontario Health (Digital Services) Privacy Office.
You have the right to contact the office of the Information and Privacy Commissioner of Ontario if you have a complaint about these privacy policies and information handling practices. The Information and Privacy Commissioner of Ontario’s website can be found at https://ipc.on.ca
For inquiries or complaints not about the privacy practices of Ontario Health (Digital Services) but related to the Ontario Laboratory Information System (OLIS) and Drug and Pharmacy Service Information (DHDR), please contact ServiceOntario at:
Toll Free: 1-800-291-1405
TTY: 1-800-387-5559
I have sent my completed Access Request Form to your office. However, I have not received my medical records yet. Can I please get an update?
Ontario Health (Digital Services) assists health care providers in responding to your access requests for EHR data, however any medical records will be provided to you by the health care provider(s) who contributed the records to the EHR and not by Ontario Health (Digital Services). You will receive a response from these health care providers no later than 30 days from the date Ontario Health (Digital Services) received your completed access request. If additional time is needed to fulfill your access request, you will be notified by these health care providers who will advise you that they require an extension.
I have received a response to an Access Request I submitted to Ontario Health (Digital Services) and no records were found. What does this mean?
Ontario Health (Digital Services) can only assist with access requests for medical records that are in the EHR. EHR data does not include all your medical records. Not all health care organizations and health care providers contribute to the EHR, and contributors to the EHR do not necessarily provide all their medical records to the EHR. If no records were found by Ontario Health (Digital Services), then it means the records you were looking for do not exist in the EHR. If you wish to obtain any medical records that do not exist in the EHR, please contact your health care provider directly.
What health care organizations and providers view or contribute medical records via the ConnectingOntario viewer?
Information on contributing and viewing organizations and data types can be found here.
What is a substitute decision-maker (SDM)?
A substitute decision-maker in relation to an individual means, unless the context requires otherwise, a person who is authorized under the Personal Health Information Protection Act, 2004 (PHIPA) to consent on behalf of the individual to the collection, use or disclosure of personal health information about the individual.
How can I obtain a copy of my medical claims history?
A Personal Claims History (PCH) is a computer record of claims paid by the Ontario Health Insurance Plan (OHIP) under an individual health card number. To obtain a copy of your Personal Claims History, please contact the Ministry of Health.
How can I obtain my medical records from a retired doctor?
Please contact the College of Physicians and Surgeons of Ontario (CPSO) to seek assistance in locating such records.
I have a new health care provider. Can Ontario Health (Digital Services) transfer my medical records from my former health care provider to my new health care provider?
No. Please contact either your new or former health care providers.