Our Privacy Commitment

Statement of Information Practices

Health Ontario was created in September 2008 as a crown agency with the mandate to

• provide eHealth Services to support health care in Ontario;
• develop an eHealth Services strategy; and
• protect the privacy of individuals whose personal health information may be handled by the agency.

Our Role

Under the Development Corporations Act, Ontario Regulation 43/02, eHealth Ontario was established to provide eHealth Services to promote the delivery of health care services in Ontario that use electronic systems and processes, information technology and communication technology to facilitate electronic availability and exchange of information related to health matters, including personal information and personal health information, by and among patients, health care providers and other permitted users.

Under Ontario Regulation (O. Reg.) 329/04 to the Personal Health Information Protection Act, 2004 (PHIPA), eHealth Ontario provides electronic means to enable health care practitioners to share personal health information with one another for the purpose of providing or assisting in providing health care to individuals. Specifically, eHealth Ontario supports hospitals, clinics and health care practitioners by providing controlled access channels to personal health information and secure infrastructure, hosting, networks, email and related services for secure transmission, processing and storage of personal health information.

Electronic Health Records

Our mandate includes supporting the creation or maintenance of EHRs in Ontario. We are involved in a number of electronic system programs and services including ConnectingOntario, diagnostic imaging common services, Ontario laboratories information system and ONE Mail.

An EHR is a secure electronic record of an individual’s critical health history, such as medications, X-rays and lab results, which can be accessed and shared by authorized health care practitioners (e.g., doctors, nurses and lab technicians). For more information on what is contained in the EHR, refer to EHRs Explained.

Legislative Authority

PHIPA is the provincial statute regulating the management of PHI and the protection of the confidentiality and privacy of that information, while facilitating the effective delivery of health care services.

PHIPA imposes various obligations on health information custodians, such as primary care providers or family physicians, who collect, use and disclose personal health information. eHealth Ontario may act in a number of capacities, as described in PHIPA and O.Reg. 329/04: as an agent to a health information custodian, a health information network provider, or an electronic service provider. In addition, section 6.2 of O.Reg. 329/04 to PHIPA was amended on June 30, 2011 to clarify that eHealth Ontario can create or maintain EHRs as a service for health information custodians. Each role pertains to eHealth Ontario’s relationship to one or more health information custodians. The health information custodians remain fully accountable to the individuals receiving health care and for the privacy practices associated with PHI. eHealth Ontario does not collect, use or disclose personal health information for its own purposes, therefore is not a health information custodian, and does not make any independent decisions with respect to the handling of personal health information. Rather, we comply with the privacy practices of the health information custodians on whose behalf we acts as an agent or provide other services under sections 6.1 and 6.2 of O.Reg 329/04.

Practices and safeguards to protect the confidentiality and security of personal health information

Each initiative we undertake is reviewed to consider broader privacy implications and ensure the appropriate measures are implemented to reduce or eliminate any privacy risk. We have implemented strong administrative, physical and technical safeguards, consistent with industry best practices, to protect the personal health information being transferred, processed or stored from theft, loss, unauthorized use, modification, disclosure, destruction and/or damage. These safeguards include security software and encryption protocols, firewalls, locks and other access controls, privacy impact assessments, staff training and confidentiality agreements. Privacy safeguards include:

• Appointment of a Chief Privacy Officer
• Privacy assessments to identify privacy risks performed on all projects and initiatives
• A comprehensive suite of privacy policies, reviewed at least every two years, which outline our information handling practices
• All staff completes privacy and security training upon joining and annually thereafter to understand their obligations in their day-to-day work, including undergoing role-based training where there is access to personal information or personal health information
• Access controls to ensure individuals are granted access for the time and purpose required to perform their role

For more information on the privacy assessments conducted by eHealth Ontario, refer to Privacy Impact Assessments.