Digital Health Drug Repository (DHDR) PIA Summary

Date PIA Summary Last Reviewed and Updated: December 2, 2025 (Rebranding)

The following is a summary of the above-referenced privacy impact assessment (PIA), including a brief background, key findings, and risks and recommendations as applicable. See our Privacy Contact page to find information on how to contact the Ontario Health Privacy Office should you have any questions.

Background

eHealth Ontario, in collaboration with the Ministry of Health and Long-Term Care (MOHLTC), has built a repository of dispensed drug history events known as the Digital Health Drug Repository (DHDR). DHDR will initially be made available to a limited number of clinical users in the South West Ontario region through the ClinicalConnect viewer with ongoing expansion to additional users in the region commencing in late 2016. Access will be expanded through the ConnectingOntario viewer and other eHealth Ontario assets in 2017.

At first, DHDR will include a history of drug products dispensed under the Ontario Drug Benefit program. Later phases of the project will expand DHDR to include narcotics and controlled drugs.

Key Findings

The PIA recommends measures to ensure that the data received and utilized by eHealth Ontario, for the purposes of the DHDR, complies with PHIPA as well as eHealth Ontario policies, procedures and privacy best practices. A risk treatment plan has been established with associated mitigation activities.

As the DHDR matures and integrates with other eHealth Ontario Electronic Health Record (EHR) assets, such as the provincial registries and the EHR monitoring and consent solutions, the privacy posture of the program will continue to be strengthened.

Risks and Recommendations

The PIA provides a number of recommendations associated with the DHDR, as summarized below:

  1. The MOHLTC and eHealth Ontario should execute amendments to their data sharing and agent agreements to support the collection, use and disclosure of DHDR data.
  2. A health care provider guide should be developed to educate health information custodians and their authorized end users on specific DHDR privacy requirements to ensure compliance with the Personal Health Information Protection Act, 2004 (PHIPA) and applicable policies. An associated site support guide should be developed for service providers. Both guides should supplement and complement existing training for the EHR.
  3. A privacy breach management protocol should be finalized for the DHDR to ensure privacy incidents and/or breaches will be managed appropriately with due regard to containment and notification procedures.
  4. The DHDR program should leverage the Connecting Privacy Committee or similar governance body to ensure the project is in a position to harmonize its consent policy and operational processes with other EHR assets. Consideration should also be given to integration with a consent management solution that supports the levels of consent granularity that are currently outlined in the EHR Consent Management Policy developed in consultation with MOHLTC and the Information and Privacy Commissioner’s Office.
  5. Drug Utilization Review codes generated as a result of an interaction between one or more data elements subject to a record level block should be subject to consent directives.
  6. An agreement that includes roles and responsibilities for Service Ontario and eHealth Ontario as agents of MOHLTC should be completed and the associated operational procedures should be documented and confirmed with appropriate service levels.
  7. A retention and destruction protocol should be established for DHDR data, including the repository, the staging environment, audit logs and associated audit reports.
  8. In support of data accuracy, patient and provider information should be directly validated against a source of truth such as a client and provider registry.
  9. Roles and responsibilities for data quality assurance activities should be confirmed and documented between MOHLTC and eHealth Ontario to ensure a clear understanding of how data quality issues for the DHDR will be handled.
  10. A Security Threat and Risk Assessment should be completed to identify and manage threats to DHDR information security.
  11. The DHDR should be integrated with a tool that actively monitors access to personal health information to provide system-wide monitoring and detection of inappropriate activity.
  12. The DHDR reporting function, including a secure method of transfer and storage of reports, should be fully developed and tested to support incident management, auditing requirements and patient rights under PHIPA.
  13. A public-facing website and communication materials should be made available to educate Ontarians on the DHDR and the safeguards in place to protect DHDR data.

eHealth Ontario and MOHLTC are in the process of implementing each of the recommendations identified in the PIA in accordance with the risk treatment plan.

Last Updated: March 11, 2026