Ontario Laboratories Information System (OLIS) - Electronic Medical Record Initiative PIA Summary

Date of PIA Report: October 2011

Date PIA Summary Last Reviewed and Updated: December 2, 2025 (Rebranding)

The following is a summary of the above-referenced privacy impact assessment (PIA), including a brief background, key findings, and risks and recommendations as applicable. See our Privacy Contact page to find information on how to contact the Ontario Health Privacy Office should you have any questions.

Background

The Ontario Laboratories Information System (OLIS) is a cornerstone information system that connects hospitals, community laboratories, public health laboratories and practitioners to facilitate the secure electronic exchange of laboratory test orders and results. The ability to electronically share laboratory test information through OLIS supports health care providers in making decisions on patient care and treatment.

An electronic medical record (EMR) is a computer-based medical record that is specific to one health care practitioner, practice or organization. The purpose of the OLIS-EMR initiative is to allow practitioners at physician practices to collect OLIS data through an EMR system that has been certified (“Certified EMR”) according to the OntarioMD (OMD) EMR Specification version 4.0 or future OMD specifications. The EMR vendor that the physician practice has selected configures the Certified EMR interface to access OLIS. OLIS requires EMR systems to use an eHealth Ontario-issued Public Key Infrastructure (PKI) certificate to connect securely to OLIS. The PKI certificate is maintained by the EMR vendor and not by the physician practice. However, the PKI certificate used to connect to OLIS is always linked to a physician practice.

OLIS includes the test results of individuals in Ontario who have had a laboratory test processed at one of the laboratories participating in OLIS. Individuals may withdraw consent to the use and disclosure of their PHI within OLIS. Withdrawal of consent may be applied to all of an individual’s lab information in OLIS, or only to tests on a specific lab order. If an individual’s consent has been withdrawn, only the health care provider(s) identified on the lab order(s) can access the applicable lab test information via a Certified EMR.

In December 2010, the Ministry of Health and Long-Term Care (MOHLTC), a health information custodian (HIC) under the Personal Health Information Protection Act, 2004 (PHIPA), assumed custody and control of patients' laboratory test results in OLIS. The MOHLTC published a notice to inform the public that the MOHLTC was assuming custody and control of OLIS. The notice included information on how individuals can withdraw or reinstate their consent for their personal health information (PHI) in OLIS.

A PIA was already completed on the OLIS initiative. However, because PHI in OLIS is being shared with end-user Practitioners who collect it via a Certified EMR system, eHealth Ontario policies and O.Reg. 329/04 require that a delta PIA of the initiative be undertaken.

Key Findings

The OLIS-EMR delta PIA considers the OLIS-EMR initiative as of October 2011. Specifically, the scope of the OLIS-EMR delta PIA includes the delivery of OLIS data to Practitioners via a Certified EMR, the purposes and processes for sharing the OLIS data with practitioners at the physician practices, and the legislative authority under which eHealth Ontario may share OLIS data with physician practices via a Certified EMR. The PIA also considers the technical, administrative and physical safeguards which have been put in place to ensure that all flows of PHI occur in a secure and privacy-protective manner and are in compliance with legislative requirements, relevant agreements, best practices as represented in the Canadian Standards Association Privacy Code, and eHealth Ontario’s privacy policies.

The delta PIA concludes that eHealth Ontario has the overall PHIPA authorities for operating and managing OLIS-EMR. Additionally, eHealth Ontario has a robust infrastructure for the processing and sharing of sensitive PHI, with policies and practices to protect the privacy of Ontarians and the security of the information retained by eHealth Ontario.

The Delta PIA recommends several measures to ensure that, for the OLIS-EMR initiative, eHealth Ontario is in compliance with applicable legislation, as well as eHealth Ontario policies, procedures and privacy best practices.

Risks and Recommendations

The Delta PIA provides a number of recommendations associated with the OLIS-EMR initiative, as summarized below:

  1. MOHLTC and eHealth Ontario to amend the PHIPA Agent Agreement to permit eHealth to act as a PHIPA Agent of the MOHLTC in respect of the transfer of OLIS data to eHealth Ontario, under s.6.2 for the purpose of OLIS-EMR.
  2. eHealth Ontario to determine its role in the flow of OLIS data to Practitioners named on a laboratory order where there’s a consent directive in place.
  3. eHealth to review its agreements with the EMR vendors to ensure terms and conditions are included in the agreement which take into account the role of the vendors under s.6.2, if any, and the role of the vendor in respect of OLIS-EMR generally.
  4. eHealth to implement an OLIS enhancement to improve notice to the Practitioners named on a lab order regarding consent directives.
  5. eHealth Ontario to implement a process to verify alignment between recorded Physician Practice information in the OLIS permissions table and Practice registration by EMR vendors.
  6. eHealth Ontario to address any risks identified in the OLIS Physical PIA, per the established risk treatment plan.

eHealth Ontario is currently in the process of implementing each of the recommendations identified in the 2011 OLIS-EMR delta PIA.

Last Updated: March 11, 2026