eForms Limited Production Release (LPR)

Date of PIA Report: April 23, 2025

Date PIA Summary Last Reviewed and Updated: May 30, 2025

The following is a combined summary of two privacy impact assessments (PIAs):

1. The original PIA conducted for the eForms solution, and
2. A Delta PIA evaluating the integration of eForms with Electronic Medical Record (EMR) vendors.

The following is a summary of the above-referenced PIA, including a brief background, key findings, and risks and recommendations as applicable. See our Contact Us page to find information on how to contact the Ontario Health Privacy Office should you have any questions

Background

Across Ontario’s health system, primary care providers face significant administrative burdens that reduce the time available for patient care. Among the most time-consuming of these tasks is the manual handling of administrative forms, which remain largely paper-based and inefficient. This inefficiency has prompted multiple collaborative efforts aimed at digitizing and standardizing form processes to improve provider workflows and system performance. To address these challenges, the Ministry of Health (MOH) and the Ontario Medical Association (OMA) established a forms governance structure under OMA supervision, aimed at developing a standardized collection of forms.

With the digitization opportunity offered by the Patients before Paperwork (Pb4P) initiative, there are now further opportunities to standardize the creation, completion, and dissemination of administrative forms. The OMA/MOH Joint Forms Working Group identified twelve (12) high-impact forms contributing to provider workload, including the Ministry of Long-Term Care (MLTC) Health Assessment Form (HAF). The HAF is critical in the long-term care eligibility assessment process and is currently managed via a paper-based, fax-dependent workflow.

Ontario Health has developed a digital solution to enable primary care providers to fill out and electronically distribute (to their intended destinations) administrative forms. This solution will integrate with Electronic Medical Records (EMRs) and the ONE Health Portal (future release date to be determined). The initial Limited Production Release (LPR) of the eForms platform will focus on digitizing the HAF, allowing clinicians to seamlessly access and submit forms directly from their EMRs. The service offered via EMR will enhance efficiency through guided navigation, pre- populated patient and clinician data, and a secure digital submission process, eliminating the need for faxing paper forms. This will ensure legibility, completeness, and reduce delays caused by lost or incomplete paperwork.

OntarioMD (OMD) serves as the Ontario Health delivery partner and will lead EMR vendor engagement to identify interested certified EMR vendors to pilot the new eForms solution in an LPR. OMD will work with EMR vendors on deployment of eForms contextually launched services. Clinicians using certified EMRs will gain access to eForms once their EMR vendor completes the necessary integration with the eForms solution. OMD will contribute expertise and clinical feedback on the eForms LPR and work with OH to expand the eForms solution to include additional priority forms identified by MOH following completion of LPR with an objective for provincial roll out.

Key Findings

For the eForms solution the initial privacy analysis of the initiative identified eighteen privacy-related risks, including, as per our risk exposure matrix: four high risks, four medium - high, nine moderate risks and one low risk. The Delta PIA for eForms identified nine privacy-related risks, including four medium - high, four moderate risks and one low risk. Most of these risks have been addressed and resolved, those that remain open are outlined below along with corresponding recommendations.

In accordance with Ontario Health’s Privacy Risk Management policy and procedures, the Chief Privacy Officer (CPO) approves and endorses the results of the PIA and risk management process, and should there be a risk or risks that cannot be mitigated to an acceptable risk tolerance of minor, the designated business or portfolio owner must:

• Review and sign off the Risk Acceptance Form;
• Prepare a supporting documentation (briefing note) addressing possible consequences as a result of accepting the risk(s) and not implementing the recommendation(s) provided by Strategy, Planning, Privacy, Analytics and Risk; and
• Submit the Risk Acceptance Form and supporting documentation to the Executive Lead for the applicable portfolio and to the Executive Lead for Strategy, Planning, Privacy, Analytics and Risk for review and approval.

Ontario Health’s PIA standard recommends that all high and moderate risks be mitigated to an acceptable level (low) prior to a project going live.

Risks & Recommendations

The eForms PIAs outline the following risks and recommendations:

Risk 1: Data in the Provincial Client Registry (PCR) cannot be used for non- Electronic Health Record (EHR) purposes unless the Minister directs the disclosure pursuant to a request made to the MOH Advisory Committee by a researcher, for a Prescribed Person or Prescribed Entity purpose - this is not permitted for a Health Information Network Provider (HINP) purpose or eForms or other HINP solution.

Recommendation: Business to explore other opportunities with guidance from privacy and product management and delivery team under Digital Excellence in Health (DxH) e.g. Robert Wyllie's team.

Status: Open

Risks 2: Privacy team has not been provided agreements or schedules for ONE ID and the ONE Health Portal for review and hence it's unclear what responsibilities, safeguards, and access controls are in place for eForms solution. This makes it difficult to confirm who is responsible for managing user access, how RBAC is being effectively enforced, and whether only authorized Health Information Custodians (HICs) and Personal Health Information Act (PHIPA) Agents can access the solution. Additionally, if the solution does not correctly assign Role Based Access Control (RBAC) levels based on the user's Under Authority Of (UAO) affiliation, there is a risk that users may be given inappropriate access to Personal Health Information (PHI). Poorly implemented access controls and incorrectly assigned UAOs may inadvertently grant unauthorized access.

Recommendation:

To address these risks, all agreements and documentation related to ONE ID, the ONE Health Portal, relevant to the eForms solution must be reviewed and meet security and privacy requirements.

• Since eForms is proposed as a new service on the Network, a formal agreement framework for the eForms service should also be developed to clearly outline roles, responsibilities, and the safeguards in place to protect PHI.
• Implement RBAC to ensure user access to PHI can be managed for the eForms solution including eForm Repository. In addition, user access to be regularly reviewed, and accounts for individuals no longer associated with a HIC must be promptly deactivated and deleted to prevent unauthorized access.

Status: Open

Risk 3: In the absence of agreements and schedules, and accurate and up-to-date plain language description of the eForms portal services, there is a risk that Ontario Health is non-compliant with its HINP requirements under s.6(3) of O.Reg.329/04 as there are no current agreements in place.

Recommendations: Prior to go-live, the business unit should have agreements, schedules, and other relevant material in place. The material should include clear and concise plain language description of the eForms portal services. The material should include a general overview of the safeguards Ontario Health has in place to protect against unauthorized access and disclosure, as well as measures to ensure the integrity of the information.

Status: Open

Risk 4: In the absence of clearly defined disclaimer on the login page, it is possible that over time, end users may have forgotten the initial terms and conditions outlined in the agreements, potentially leading to the unauthorized collection, use, or disclosure of sensitive information, including Personal Information (PI) /PHI. The disclaimer language which would be shown as end-user license agreement (EULA), or Terms of Use (TOU) should outline the role and responsibilities of the end user and acceptance of which should be logged. There is also a risk that the TOU may not adequately and clearly inform its users that their PI is being collected to perform ONEID authentication.

Recommendations: It is recommended that a clear and concise disclaimer be displayed to users upon launching the eForms portal and at the start of each login session. This disclaimer should inform users of their role within the eForms portal and clearly state that their PI is being collected for the purpose of ONE ID authentication. It should also outline the safeguards in place to protect this information. Additionally, the disclaimer must remind users that the collection, use, disclosure, and handling of PI/PHI must comply with PHIPA, including respecting cases where a patient has withdrawn consent. The disclaimer should be written in plain language, available in both English and French, and should help users understand the TOU or EULA. All content should be reviewed and approved by the legal team to ensure compliance and clarity. Since this involves onboarding any new EMR vendors to integrate their systems with the eForms solution, this recommendation may be completed prior to LPR go-live and prior to onboarding any new EMR vendors.

Status: Open

Risk 5: Currently, forms are allowed to be downloaded on the personal computer (PC), and if the device is lost or stolen, there is a risk of unauthorized exposure of PI/PHI. The solution does not have ability to detect if the attachment was downloaded/saved and there is no visibility once the session is refreshed to indicate the attachment was previously selected, reducing oversight and audit capability. With the ability to upload up to ten (10) attachments at a time, there is a high risk of selecting and attaching wrong patient’s PHI (reports, etc.,) and sending it to Ontario Health at Home. Additionally, allowing users to upload, export, save, or print attachments without clear user responsibility defined in agreements increases the likelihood of unauthorized PHI disclosure and limited accountability.

Recommendations: To prevent uploading wrong information, it is recommended training material be developed for users that includes verification/validation steps and a checklist process prior to attaching files.

It is recommended adding language to the HINP Agreement or eForms Schedule under User Obligations and, clearly indicating the following:

• Any content exported or transferred from eForms portal becomes the responsibility of the user (and/or the associated member (HIC)) who exported/transferred it.
• Users must ensure that any PHI exported or transferred from eForms portal is managed in accordance with their organizations’ privacy policies and PHIPA.
• Users must follow their organization’s privacy breach management procedures in the event exported/transferred PHI is lost, stolen, or otherwise used or disclosed without authority.

Status: Open

Risk 6: In the absence of publicly available information such as a description of the eForms portal services, applicable policies, user guidelines, and measures to safeguard sensitive information within eForms, there is a risk that the portal may not comply with its HINP obligations under section 6(3) of O. Reg. 329/04.

Recommendations: Prior to go-live, the plain language description for the eForms solution/platform should be developed and shared with the HICs. This should include a description of eForms portal and service as well as the purpose for which members and users may use the portal and relevant policies and guidelines as well as a high-level description of safeguards as required by O. Reg 329/04, s. 6(3)(2)(3). This will enable HICs to obtain consent from the patients. In addition, Ontario Health should also post a plain language description for patients and families on its public websites.

Status: Open

Risk 7: By retaining the submitted eForms and attachments on behalf of the HICs (Data Enterers), there is a risk that eForms Repository may retain PHI and other confidential information for longer than is reasonably required to fulfil the intended purpose.

Recommendations: Ontario Health should consider implementing a defined retention period for the forms and attachments in the eForms Repository. The retention period should be based on HIC’s clear retention guidelines and direction to the business unit as well as business requirements and incorporated into applicable agreements. Attachments may also be deleted at the express request of the relevant HIC(s).

Status: Open

Risk 8: In the absence of clearly defined processes, there is a risk that outdated forms may be utilized. It is unknown how often and when digitized eForms will be updated and the changes communicated to HICs.

Also, it is unclear, when outdated forms will be removed from the library and be replaced with the new forms that have been approved by the form owner(s). In addition, allowing excessive amount of free text in digitized form can pose security risks such as exposing the solution to malware introduction.

Recommendations: The project team should maintain an inventory of eForms and implement a process to regularly verify and validate them. Outdated forms must be removed to ensure the inventory remains current. Additionally, the team should establish a clear procedure for managing the forms inventory, including tracking, updating, and retiring forms, to maintain consistency and accuracy throughout the project lifecycle.

It is recommended that the solution restrict free-text fields to only what is necessary, in accordance with organizational requirements and policies. This aligns with the principle of Limiting Collection and ensuring data collection is minimized to what is essential for the identified purposes.

Status: Open

Risk 9: As per the Business Required Documents (BRD), Data Enterers must be able to have multiple windows open displaying eForms data for different patients. That is, changes in patient selected within the EMR are not reflected or broadcast to any windows already open showing eForms data.

Having multiple windows open can result in inadvertently referencing unintended patient information. In such scenarios or potential scenarios, the user must be informed of this potential risk.

Recommendations: It is recommended that HICs implement controls and develop applicable user training to prevent having multiple browser windows open and controls that prevent such potential risks. EMR Offering must notify the user in situations where subsequent or Viewlet browser windows may be simultaneously opened. HIC obligations to be outlined in legal agreements for use of the solution.

Status: Open

Risk 10: While doing our review, we identified discrepancies between the BRD and Threat Risk Assessment (TRA) regarding the project scope for LPR which raises concerns about the completeness of the risk assessment. Inconsistencies in the scope provided to privacy and security teams could lead to misalignment in risk mitigation strategies. For e.g. the TRA mentions EMR launcher, Context Management System (CMS) as out of scope.

Recommendations: Align the BRD and TRA by reconciling scope discrepancies to ensure all risks related to the eForms and EMR vendor integration are addressed. Ensure privacy and security teams receive consistent scope details and conduct regular cross-team reviews to address all risks.

Status: Open