Integration of Consent Management Technology Asset with Ontario Laboratories Information System PIA Summary

Date of PIA Report: June 26, 2018

Date PIA Summary Last Reviewed and Updated: December 2, 2025 (Rebranding)

The following is a summary of the above-referenced privacy impact assessment (PIA), including a brief background, key findings, and risks and recommendations as applicable. See our Privacy Contact page to find information on how to contact the Ontario Health Privacy Office should you have any questions.

Background

The Consent Management Technology Asset (CMTA) solution provides the technology and support to business processes for the collection, storage and management of consent directives. It supports eHealth Ontario to centralize the management of consent directives and to standardize consent management functionality and processes across eHealth Ontario clinical domains. CMTA ensures access to an individual's personal health information (PHI) occurs in accordance with consent directives provided by the individual.

Specifically, CMTA supports eHealth Ontario's clinical domains by enabling the following:

• A user interface by which consent directives can be recorded or modified;
• The technology and business processes to standardize the types of consent directives that an individual will be able to implement across eHealth Ontario clinical domains;
• The functionality to support eHealth Ontario in aligning with provincial consent management requirements;
• The logging of transactions for the purpose of auditing and reporting. These transactions would include, for instance, the viewing, collection and modification of an individual's consent directives;
• Decisions on access to an individual's PHI in accordance with the individual's consent directives and consent overrides; and
• The collection and storing of information on consent directive overrides from eHealth Ontario clinical domain applications for the purposes of auditing, reporting and alerting.

The objective of this project is to integrate the Ontario Laboratories Information System (OLIS) with CMTA in order to make CMTA the single point of truth for consent directives within the Electronic Health Record (EHR). This initiative will leverage the existing CMTA solution and integrate OLIS by building new integration components to synchronize block all consent directives (patient level blocks) from CMTA to OLIS. This integration supports eHealth Ontario’s readiness in transitioning to Prescribed Organization status.

Key Findings

The PIA concludes that when eHealth Ontario processes consent directives for OLIS it does so as a PHIPA Agent to the Ministry of Health and Long-Term Care (MOHLTC) under section 17 of the Personal Health Information Protection Act, 2004 (PHIPA) .In this PIA, consideration has been given to administrative, technical and physical safeguards which will facilitate eHealth Ontario’s compliance with legislation and best practices to protect PHI while it is being handled and transferred by eHealth Ontario. This PIA assesses the privacy posture of the integration and the changes to the application of OLIS Consent Directives. This PIA has identified two risks and recommendations related to accountability and consent. eHealth Ontario has addressed and resolved both issues prior to go-live.

Risks and Recommendations

The recommendations are summarized below:

1. eHealth Ontario and MOHLTC to amend its data sharing agreement to permit eHealth Ontario to use the CMTA Solution with respect to OLIS consent management.
2. eHealth Ontario to update its operational guides related to OLIS consent management to include procedures for applying and processing consent directives via CMTA prior to integration with OLIS.

eHealth Ontario has implemented all of the above noted recommendations.