Our Privacy Commitment
The protection and authorized use of personal health information, which includes private details about an individual’s health, health history and test results, is important to all Ontarians. Ontario Health manages health service needs across Ontario to ensure the quality and sustainability of the Ontario health system, which includes the safeguarding, integrity, and the availability of information in the care and control of Ontario Health, including personal health information and personal information.
Electronic Health Record Plain Language Description and List of Repositories that are Accessible by the Electronic Health Record
The Personal Health Information Protection Act, 2004 (“the Act”) permits organizations to be prescribed so that they can collect, use or disclose personal health information for specific purposes. As such, Ontario Health operates as a prescribed organization in accordance with Part V.1 of the Act and its associated regulation (Ontario Regulation 329/04) to develop and maintain the electronic health record.
The electronic health record contains secure digital record of individuals’ healthcare information, updated in real time and available electronically to authorized healthcare providers so that they can quickly access critical personal health information, thereby improving quality of care. It further enables authorized health information custodians to collect, use, and disclose personal health information. Examples of health information custodians include, health care practitioners (including physicians, nurses), hospitals, long-term care homes, retirement homes, pharmacies, laboratories, ambulance services, medical officers of health of boards of health and the Minister of Health.
As a prescribed organization, Ontario Health:
- Manages and integrates the personal health information it receives from health information custodians;
- Ensures the proper functioning of the electronic health record;
- Ensures the accuracy and quality of the personal health information in the electronic health record; and
- Conducts analyses of the personal health information in the electronic health record in order to provide alerts and reminders to health information custodians for their use in the provision of health care.
The prescribed organization receives personal health information from health information custodians permitted under the Act. In general, health information custodians will only be permitted to access the electronic health record to provide or assist in the provision of health care to an individual or if the health information custodian has reasonable grounds to believe it is necessary to eliminate or reduce a significant risk of harm to a person or group of persons.
The Minister of Health may also direct the disclosure of personal health information for specified purposes, such as research. Prior to directing the disclosure, the Minister must consult with the advisory committee designated under the Act.
Descriptions of types of personal health information (PHI) received
The electronic health record consists of the following repositories which contain personal health information received pursuant to the Act and its regulations.
|Repository||Description of PHI||Type of PHI||Source|
|Acute and Community Clinical Data Repository (acCDR)||Acute clinical information||Patient demographics, emergency Department reports, consultation reports, discharge summaries and long-term care placement details including risk assessments and care plans.||Hospitals and home and community care organizations|
|Diagnostic Imaging- Common Service (DI- CS)||Diagnostic imaging reports and images||Diagnostic imaging reports and images such as X-ray, CT Scan, MRI and ultrasound.||Hospitals, independent health facilities that submitted to the province's three regional Diagnostic Imaging Repositories|
|Digital Health Drug Repository (DHDR)||Drug and prescription information||Drug and prescription information from publicly-funded drug programs, publicly- funded pharmacy services (e.g. MedsCheck Program, Pharmacy Smoking Cessation Program, vaccine administration) and monitored drugs programs (narcotics and controlled substances) regardless of who the payor is.||Ministry of Health|
|Primary Care Clinical Data Repository (pcCDR)||Clinical information submitted via certified electronic medical record systems||Patient demographics, medications, allergies, adverse reactions, current health conditions, past medical and surgical history, immunizations, risk factors, vitals and vitals trends.||Primary care providers such as general practitioners or family physicians|
|Provincial Client Registry (PCR)||Patient demographics and identifiers||Health card numbers, medical record numbers and address information.||Ministry of Health and participating health care organizations|
|Ontario Laboratories Information System (OLIS)||Laboratory information||Lab test requisitions and results.||Hospitals, community labs and public health labs|
Overview of administrative, technical and physical safeguards
Ontario Health has implemented administrative, technical and physical safeguards in place to:
- Protect against theft, loss and unauthorized collection, use or disclosure of the personal health information accessible by means of the electronic health record;
- Protect the personal health information accessible by means of the electronic health record against unauthorized copying, modification or disposal; and
- Protect the integrity, security and confidentiality of the personal health information accessible by means of the electronic health record.
Safeguards include the use of tools (both technological and physical) such as security software and encryption protocols, firewalls, locks and other access controls, including, but not limited to, the following:
- Appointment of a Chief Privacy Officer who has been delegated with accountability for the privacy program;
- Privacy assessments performed on all projects and initiatives to identify and mitigate privacy risks;
- A comprehensive suite of privacy policies outlining Ontario Health’s information handling practices;
- Mandatory privacy and security training completed by all staff upon hiring and annually thereafter,
- Role-based training for individuals who have defined and controlled access to personal health information;
- Agreements with health information custodians that outline the roles, responsibilities and obligations governing their contribution and access to the electronic health record; and
- Access controls to ensure individuals are only granted access to personal health information that is directly proportionate to the time and purpose required to perform their authorized role.
For more information about Ontario Health’s practices as the prescribed organization, please see OH’s EHR Statement of Information Practices.