Statement of Information Practices
Ontario Health, the Agency established under the Connecting Care Act, 2019, manages health service needs across Ontario to ensure the quality and sustainability of the Ontario health system, which includes safeguarding the confidentiality, integrity and availability of information in the care and control of Ontario Health, including personal health information (PHI) and personal information (PI). As a result of a transfer order made by the Ministry of Health under the Connecting Care Act, 2019, effective as of December 2, 2019, the assets, rights, obligations and employees of eHealth Ontario were transferred to Ontario Health, and the Digital Services business unit of Ontario Health – Ontario Health (Digital Services) – was created to provide the services that had been provided by eHealth Ontario.
Ontario Health (Digital Services) provides digital health services to support the delivery of health care in Ontario through electronic systems and processes, information technology and communication technology. Ontario Health (Digital Services) supports hospitals, clinics and community and primary health care providers by providing secure channels for accessing PHI as well as secure infrastructure, hosting, networks, email and related services for the transmission, processing and storage of PHI. In particular, Ontario Health (Digital Services) develops and maintains the electronic health record (EHR) in Ontario, which provides an electronic means to enable health care practitioners to share PHI with one another for the purpose of providing or assisting in delivering health care.
Ontario Health (Digital Services) derives its authority for the use, collection or disclosure of PI and PHI from privacy law, primarily the Personal Health Information Protection Act, 2004, including enabling regulations (PHIPA), and the Freedom of Information and Protection of Privacy Act, including enabling regulations (FIPPA). PHIPA is the provincial statute regulating the management of PHI and setting the standards to ensure the confidentiality and privacy of that information, while facilitating the effective delivery of health care services.
PHIPA and the accompanying regulation O. Reg. 329/04 impose various obligations on health information custodians, such as primary care providers or family physicians, who collect, use or disclose personal health information. Ontario Health (Digital Services) is not a health information custodian under PHIPA. Rather, it can act in a number of different roles under PHIPA depending on its relationship to the health information custodians involved: as a prescribed organization (PO), as a health information network provider (HINP), as an electronic service provider (ESP), or as an agent to health information custodians. Acting as a prescribed organization under Part V.1 of PHIPA is the legal authority under which Ontario Health (Digital Services) develops and maintains the EHR.
Under Part V.1 of PHIPA a prescribed organization has the power and the duty to develop and maintain the EHR – a secure and private electronic record of an individual’s health history, such as medications, diagnostic imaging reports and lab results, which can be accessed and shared by authorized health information custodians and health care practitioners (e.g. hospitals, doctors, nurses and lab technicians).
Under PHIPA, a prescribed organization neither collects PHI from health information custodians nor discloses PHI to health information custodians. Instead, the prescribed organization develops and maintains the EHR, which in turn provides a secure and private means by which health care organizations and practitioners can share personal health information with one another for the purpose of providing or assisting in the delivery of health care, and with other authorized entities as permitted by applicable law. For more information about the EHR and the types of information it contains, please refer to the Plain Language Description of the Electronic Health Record. The Information and Privacy Commissioner of Ontario (IPC) reviews and approves a prescribed organization’s information practices every three years.
Ontario Health (Digital Services) develops and maintains the EHR in Ontario in accordance with the prescribed organization’s powers, duties and functions as described by PHIPA. In addition to safeguarding the privacy and security of the EHR, the functions of Ontario Health (Digital Services) as a prescribed organization include: ensuring the proper functioning of the EHR; managing EHR data; making sure that EHR data is of the same level of quality and accuracy as what was submitted to the EHR by health information custodians; and analyzing EHR data to provide alerts and reminders to health care practitioners for their use in the provision of health care to individuals. The Privacy FAQ provides more information on how Ontario Health (Digital Services) protects and enhances the privacy of EHR data, including: who can see EHR data; how EHR data is used; and how access to EHR data can be managed.
While it is Ontario Health that is designated as a prescribed organization under PHIPA, only Ontario Health (Digital Services) carries out the role of a prescribed organization. As a result, Ontario Health (Digital Services) has developed policies and procedures to ensure it carries out its roles and responsibilities in compliance with the prescribed organization requirements. For the purposes of the EHR, all work, including the management of PHI, is currently carried out by Ontario Health (Digital Services) and only by Ontario Health (Digital Services) staff.
Practices and safeguards to protect the confidentiality and security of personal health information
Each initiative Ontario Health (Digital Services) undertakes is reviewed to consider broader privacy implications as well as to ensure that appropriate measures are implemented to identify and mitigate privacy risk. Ontario Health (Digital Services) has implemented strong administrative, physical and technical safeguards, consistent with industry best practices, to protect the personal health information being transferred, processed or stored from theft, loss, unauthorized use, modification, disclosure, destruction or damage. Safeguards include technological and physical tools, such as security software and encryption protocols, firewalls, locks and other access controls, as well as the following measures, among others:
- appointment of a Chief Privacy Officer;
- privacy assessments performed on all projects and initiatives to identify and mitigate privacy risks;
- a comprehensive suite of privacy policies and security standards outlining our information handling practices;
- privacy and security training completed by all staff upon joining and annually thereafter, including role-based training for individuals who have defined and controlled access to personal information or personal health information;
- agreements with health information custodians (health care providers and organizations) that outline the roles, responsibilities and obligations governing their contribution and access to the EHR; and
- access controls to ensure individuals are only granted access to personal information or personal health information that is directly proportionate to the time and purpose required to perform their role.
Your Privacy Rights
Accessing and correcting your records of personal health information
You have a right under PHIPA to access your health data. However, patients do not currently have digital access to their EHR data. Providing patients and their families with digital access to their EHR data is a priority for Ontario Health and the Ministry of Health, who are working together to support this. Until that time, a printed copy of your EHR data can be made available to you. Refer to Accessing your EHR for more information on how to access your EHR data. Please note that Ontario Health (Digital Services) can only facilitate access requests for information contained in the EHR. For access to information not contained in the EHR, contact your health care provider (e.g. family physician).
Withdrawing your consent for access to your personal health information in EHRs
Ontarians can block health care practitioners from accessing their EHR data – this is called a “consent directive.” If you do not want to share your EHR data with members of your health care team, you can restrict access by asking for a consent directive to be added to your record. This means that when a health care practitioner tries to access your EHR data, a notice pops up for them indicating that access to your EHR data is blocked.
In accordance with PHIPA, there are certain circumstances where a health information custodian may access information in the EHR which is subject to a consent directive. This is known as a consent override. The Electronic Health Record Consent Directive and Consent Override Policy outlines the circumstances where an override is permitted. The policy is available here: https://ehealthontario.on.ca/en/shared/ehr-consent-directive-consent-override-policy
Note that in some instances, a health information custodian may not have the technical ability to perform a consent override, and therefore may not be able to access the personal health information while a consent directive is in place, even if there is a significant risk of serious bodily harm to the individual to whom the information relates or to another person or group of persons.
See Managing Access to your EHR for more information on consent directives and managing access to your EHR data.
If you have questions or concerns regarding the privacy practices of Ontario Health (Digital Services), please contact the Ontario Health (Digital Services) Privacy Office.
You have the right to contact the office of the Information and Privacy Commissioner of Ontario if you have a complaint about Ontario Health (Digital Services) privacy policies and information handling practices.