Provider Registry PIA Summary

Date of PIA Report: October 2011

Date PIA Summary Last Reviewed and Updated: December 2, 2025 (Rebranding)

The following is a summary of the above-referenced privacy impact assessment (PIA), including a brief background, key findings, and risks and recommendations as applicable. See our Privacy Contact page to find information on how to contact the Ontario Health Privacy Office should you have any questions.

Background

The function of the Provider Registry is to be an authoritative repository of health care provider credentials that supports the unique identification of provider persons and provider organizations. The Provider Registry is one of the cornerstone information systems that will support the deployment of a longitudinal electronic health record for people in Ontario.

The Ministry of Health and Long-Term Care (MOHLTC) maintains the corporate provider database (CPDB), a repository of provider person data and provider organization data. The CPDB receives regular updates of provider credentials from the College of Physicians and Surgeons of Ontario (CPSO). It also contains information which uniquely identifies approximately 28,000 service locations (For example, physicians offices, long term care homes and hospitals, etc.) in Ontario. eHealth Ontario receives an ongoing feed of CPDB data from the MOHLTC and retains this information in the provider registry.

eHealth Ontario also receives one-time feeds containing registration data from regulatory colleges in Ontario (the College of Dieticians and College of Nurses) on members of each participating College. The onetime feeds are received by eHealth Ontario through an online encrypted channel. eHealth Ontario is developing a solution which will automate the feeds received from regulatory colleges so data may be received on an ongoing, rather than one-time, basis.

Approved eHealth Ontario systems can make a call to the provider registry. The provider registry does not associate or link a patient to a provider; it only facilitates identification of a provider. An end user must be registered and validated through a face-to-face process prior to receiving access to any of the provider data, related searches and reports. Accurate and timely identification of Providers who use the systems that make-up the electronic health record is essential to ensuring that authorized users are receiving the information they need to provide health care services.

Because the provider registry contains data elements such as gender, data of birth and provider role status, which are defined as personal information (PI) under the Freedom of Information Protection of Privacy Act (FIPPA), eHealth Ontario policies require that a PIA of the provider registry initiative be undertaken.

Key Findings

The scope of the provider registry PIA includes all components of the system up to and including release 2, scheduled for November 2011. The PIA analyzes the legislative authority under which eHealth Ontario receives PI from contributing sources (such as the MOHLTC and regulatory colleges), and flows this information to other eHealth Ontario systems that make a call to the provider registry for PI. The PIA also considers the technical, administrative and physical safeguards which have been put in place to ensure that all flows of PI occur in a secure and privacy-protective manner, and are in compliance with legislative requirements, relevant agreements, best practices as represented in the Canadian Standards Association Privacy Code and eHealth Ontario’s privacy policies, procedures and privacy best practices.

The data flows identified in the PIA do not involve the transfer of personal health information. The data elements transferred from MOHLTC and the colleges to the provider registry are, for the most part, business-related information about providers that will not be used in a personal context. In order to protect the data elements which may constitute PI, as it is defined under FIPPA, eHealth Ontario handles all information in the provider registry as if it is PI, in accordance with relevant agreements, the eHealth Ontario Privacy and Data Protection Policy, Personal Information Privacy Policy and applicable security policies.

The PIA concludes that eHealth Ontario has the overall authorities for operating and managing the Provider Registry under FIPPA and relevant agreements. Additionally, eHealth Ontario has a robust infrastructure for the processing of sensitive PHI, with policies and practices to protect the privacy of Ontarians and the security of the information in the custody of eHealth Ontario.

The PIA recommends several measures to ensure that the data received and utilized by eHealth Ontario, for the purposes of the provider registry, complies with FIPPA as well as eHealth Ontario policies, procedures and privacy best practices.

Risks and Recommendations

The PIA provides a number of recommendations associated with the Provider Registry initiative, as summarized below:

1. eHealth Ontario to document and make information regarding the provider registry as a personal information bank index to ensure compliance with FIPPA. The provider registry should be added to the index of existing entries published by the Ministry of Government Services in the directory of records.
2. eHealth Ontario to develop and implement a data retention policy for data for the provider registry in order to ensure that PI is not retained for longer than necessary to fulfill the identified purpose.
3. eHealth Ontario to review its masking policies to ensure data elements containing PI are not disclosed unless necessary to perform activities and meet objectives of the provider registry.
4. eHealth Ontario to review, and if required, update privacy and security incident management procedures to notify contributing sources For example, MOHLTC and regulatory colleges), of inappropriate access, use, or disclosure of PI in the provider registry.
5. eHealth to develop and implement an automated solution for receiving ongoing feeds from the regulatory colleges to populate the provider registry.