Hosting Services PIA Summary
Date of PIA Report: September 2013
Date PIA Summary Last Reviewed and Updated: December 2, 2025 (Rebranding)
The following is a summary of the above-referenced privacy impact assessment (PIA), including a brief background, key findings, and risks and recommendations as applicable. See our Privacy Contact page to find information on how to contact the Ontario Health Privacy Office should you have any questions.
Background
This PIA identifies privacy requirements, risks, and recommendations for hosting services, permitting eHealth Ontario to build a privacy-compliant solution using sound risk management principles.
Hosting is the installation and upkeep of information technology infrastructure in a physically secure environment. It is a technical environment where health care data and information technology applications reside. Hosting services may or may not include client applications which contain personal or personal health information.
Three types of hosting services are offered:
Core Hosting:
Provides a highly secure physical environment, a highly available supporting infrastructure and managed connectivity services, while clients maintain ownership, administration and control of their solution, including security controls.
Managed Hosting:
Is a fully managed service incorporating all the features of core hosting, plus a suite of infrastructure components and services that can be leveraged based on client needs including server / system management, customized security management, database, project and registration services.
Third-Party Managed Hosting:
Enables clients to have their applications hosted at a third-party data centre through a managed service agreement, while maintaining ownership, administration and control of their equipment and data. The agreement allows for varying levels of service that reflect clients’ needs and the capabilities of the hosting location.
Key Findings
The PIA analyzes eHealth Ontario’s legislative authority for hosting services and assesses the technical, administrative and physical safeguards in place. It ensures that hosting services are in compliance with its privacy policies, procedures and best practices, relevant agreements, and the Canadian Standards Association privacy code.
The PIA concludes that in providing hosting services:
- eHealth Ontario does not collect, use or disclose personal/personal health information;
- eHealth Ontario’s role is to be an Electronic Service Provider as defined by the Personal Health Information Protection Act, 2004 (PHIPA); and
- eHealth Ontario is able to provide the necessary technical processes and safeguards (for example, access logs) for clients who are Health Information Network Providers as defined by PHIPA.
Risks and Recommendations
Two potential risks were identified:
- A lack of documented procedures around formal agreements with clients, and operational or service management agreements, poses potential risks of non-compliance with PHIPA.
- There is a risk of non-compliance with eHealth Ontario’s master service agreement since there is no evidence that updated privacy policies have been shared with Hewlett Packard, the third-party hosting provider.
The PIA makes three recommendations:
- Develop processes requiring all clients to enter into formal agreements with eHealth Ontario for hosting services, and internal signoff procedures for operational level agreements.
- Conduct a privacy threshold assessment for new clients to determine what type of:
  - PHIPA role eHealth Ontario will play; and
  - privacy clauses should be added to client agreements.
- Share privacy policies with third-party service providers (e.g. Hewlett Packard) for hosting services.
eHealth Ontario is currently implementing these recommendations.
Last Updated: March 11, 2026