Our Privacy Commitment
The protection and authorized use of personal health information, which includes private details about an individual’s health, health history and test results, is important to all Ontarians. Ontario Health manages health service needs across Ontario to ensure the quality and sustainability of the Ontario health system, which includes the safeguarding, integrity, and the availability of information in the care and control of Ontario Health, including personal health information and personal information.
Electronic Health Record Plain Language Description and List of Repositories that are Accessible by the Electronic Health Record
The Personal Health Information Protection Act, 2004 (“the Act”) is a privacy law which primarily governs the collection, use and disclosure of personal health information and sets requirements for persons and organizations who manage personal health information to protect individuals’ privacy and their rights. The Act permits organizations to be prescribed so that they can collect, use or disclose personal health information for specific purposes. Ontario Health is prescribed as the organization which develops and maintains the electronic health record, (“the Prescribed Organization”) in accordance with Part V.1 of the Act and its associated regulation (Ontario Regulation 329/04).
The electronic health record contains a secure digital record of individuals’ personal health information contributed by authorized health information custodians. It is updated in near real time and available electronically to authorized health information custodians so that they can quickly collect, use, and disclose critical personal health information, thereby improving quality of care. Examples of health information custodians include: health care practitioners (including physicians, nurses), hospitals, long-term care homes, retirement homes, pharmacies, laboratories, ambulance services, medical officers of health of boards of health and the Minister of Health.
As a prescribed organization, Ontario Health:
- Manages and integrates the personal health information it receives from health information custodians;
- Ensures the proper functioning of the electronic health record;
- Ensures the accuracy and quality of the personal health information in the electronic health record;
- Conducts analyses of the personal health information in the electronic health record in order to provide alerts and reminders to health information custodians for their use in the provision of health care; and
- Carries out other powers, duties or functions as prescribed.
In general, health information custodians will only be permitted to access the electronic health record to provide or assist in the provision of health care to an individual or if the health information custodian has reasonable grounds to believe it is necessary to eliminate or reduce a significant risk of harm to a person or group of persons.
Ontario Health may also provide personal health information that is held within the electronic health record to a coroner, the Chief Medical Officer of Health (CMOH), or a medical officer of health for purposes related to their duties under applicable laws. The Minister of Health may also direct Ontario Health as the Prescribed Organization to disclose personal health information for specified purposes, such as research, and OH must do so in accordance with the conditions of the Act. Ontario Health also supports individuals who seek access or wish to make a consent directive in respect to their records of personal health information held in the electronic health record.
Descriptions of types of personal health information (PHI) received
The electronic health record consists of the following repositories which contain personal health information received by health information custodians pursuant to the Act and its regulations.
| Repository | Description of PHI | Type of PHI | Source |
|---|---|---|---|
| Acute and Community Clinical Data Repository (acCDR) | Acute and community care clinical information | Patient demographics, emergency Department reports, consultation reports, discharge summaries, cardiovascular results, mental health reports, as well as home and community care records including long-term care placement details, risk assessments, and care plans. | Hospitals and home and community care organizations |
| Diagnostic Imaging- Common Service (DI- CS) | Diagnostic imaging information | Diagnostic imaging reports and image manifests for X-ray, CT Scan, MRI, ultrasound, and others. | Hospitals and integrated community health service centres |
| Digital Health Drug Repository (DHDR)* | Medication and pharmacy service information | Records of medications prepared and pharmacy services provided at community pharmacies and medications administered at hospitals. | Ministry of Health, community pharmacies, and hospitals |
| Patient Summary Clinical Data Repository (psCDR)* | Primary care clinical information | Patient demographics, medication summary, allergies and intolerances, problem list, immunizations, history of procedures, past history of illness, and other care details. | Primary care providers such as general practitioners or family physicians, nurse practitioners |
| Ontario Laboratories Information System (OLIS) | Laboratory information | Laboratory test orders and results for biochemistry, hematology, pathology, blood bank, microbiology, and genetics testing. | Ministry of Health, hospitals, community labs, and public health labs |
| Provincial Client Registry (PCR) | Patient demographics and identity information | Health card numbers, medical record numbers, name, date of birth, address information, and other identifiers. | Ministry of Health, acute care hospitals, community care, and participating health care organizations |
| Primary Care Clinical Data Repository (pcCDR)* | Pilot Project Clinical information submitted via certified electronic medical record systems | Patient demographics, medications, allergies, adverse reactions, current health conditions, past medical and surgical history, immunizations, risk factors, vitals and vitals trends. | Primary care providers such as general practitioners or family physicians |
| *Some PHI within this repository may not be accessible by means of the EHR | |||
Overview of administrative, technical and physical safeguards
Ontario Health has implemented administrative, technical and physical safeguards to:
- Protect against theft, loss and unauthorized collection, use or disclosure of the personal health information accessible by means of the electronic health record;
- Protect the personal health information accessible by means of the electronic health record against unauthorized copying, modification or disposal; and
- Protect the integrity, security and confidentiality of the personal health information accessible by means of the electronic health record.
Safeguards include the use of tools (both technological and physical) such as security software and encryption protocols, firewalls, locks and other access controls, and administrative processes including, but not limited to, the following:
- Appointment of a Chief Privacy Officer who has been delegated with accountability for the privacy program;
- Privacy assessments performed on all projects and initiatives to identify and mitigate privacy risks;
- A comprehensive suite of privacy policies reviewed and approved by the Information and Privacy Commissioner (IPC) outlining Ontario Health’s information handling practices;
- Mandatory privacy and security training completed by all staff upon hiring and annually thereafter;
- Role-based training for individuals who have defined and controlled access to personal health information;
- Agreements with health information custodians that outline the roles, responsibilities and obligations governing their contribution and access to the electronic health record; and
- Access controls to ensure individuals are only granted access to personal health information that is directly proportionate to the time and purpose required to perform their authorized role.
For more information about Ontario Health’s practices as the prescribed organization, please see OH’s EHR Statement of Information Practices.