Ontario Health Statement of Information Practices

Authority to Collect, Use and Disclose Personal Information and Personal Health Information

Ontario Health generally derives its authority to collect, use, and disclose personal health information and personal information from privacy laws, including the Personal Health Information Protection Act, 2004 (PHIPA), the Freedom of Information and Protection of Privacy Act, 1990 (FIPPA), the Connecting Care Act, Gift of Life Act (GOLA), as well as agreements with the Ministry of Health. 

PHIPA is a provincial health privacy law that establishes rules for the management of personal health information and the protection of the confidentiality of that information, while facilitating the effective delivery of healthcare services. 

FIPPA is a provincial privacy law that establishes rules for the management of personal information and the protection of the confidentiality of that information, while providing a right of access to information under the control of institutions. 

Connecting Care Act is a provincial law that established a new model of integrated public health care, including the creation of Ontario Health as a single provincial agency to ensure best-in-class clinical guidance and approaches to care.

GOLA is a provincial law that establishes the rules for transplants. Ontario Health is permitted under GOLA to collect, use and disclose personal information, including personal health information, for a purpose related to organ and tissue donation and transplantation.  

PHIPA Roles

Ontario Health holds multiple roles under PHIPA, including as:

• a prescribed organization,
• prescribed entity,
• prescribed person,
• researcher,
• health information network provider,
• PHIPA agent and
• electronic service provider.

For the three prescribed roles, Ontario Health has specific requirements to implement practices and procedures to protect the privacy of the individuals whose personal health information it handles and to maintain the confidentiality of that information that are designed to be compliant with the IPC's Manual for the Review and Approval of Prescribed Organization as well as the IPC's Manual for the Review and Approval of Prescribed Persons and Prescribed Entities. These information practices must be reviewed and approved every three years by the Information and Privacy Commissioner of Ontario.

Prescribed Organization (PO)

As a prescribed organization, Ontario Health has the power and duty to develop and maintain the provincial electronic health record (EHR) and other prescribed duties. Under PHIPA, Ontario Health is not considered to be collecting personal health information from health information custodians or disclosing personal health information to health information custodians when it receives and makes available personal health information as a prescribed organization. Ontario Health uses personal health information for the purposes of developing and maintaining the EHR, including associated functions, and for other prescribed duties, and may not provide or disclose personal health information that is accessible by means of the EHR, to any person, except as permitted or required by PHIPA.

For a description of the EHR and a summary of the types of personal health information received by Ontario Health to develop and maintain the EHR, see Ontario Health's Plain Language Description of the Electronic Health Record.

Prescribed Entity (PE)

Ontario Health has the status 'prescribed entity' under s. 18(1) of Ontario Regulation 329/04 for the purposes of s. 45 of PHIPA. As a prescribed entity, Ontario Health may collect PHI without individuals' consent from health information custodians and use that information for analysis and compiling with respect to the management of, evaluation or monitoring of, the allocation of resources to or planning for all or part of the health system, including the delivery of services.

For a list of the types of personal health information that Ontario Health collects as a prescribed entity see Ontario Health's Data Assets and Statement of Purpose List.

Prescribed Person (PP)

Ontario Health has the status 'prescribed person' under PHIPA with respect to Ontario Health's role in compiling and maintaining prescribed registries:

• Ontario Cancer Screening Registry (OCSR).
• registry of cardiac and vascular services.
• registry of chronic diseases.

This designation grants Ontario Health the authority to compile or maintain a registry of personal health information (‘prescribed registry’) for purposes of facilitating or improving the provision of healthcare under s. 39(1)(c) of PHIPA. Other permitted uses and disclosures are described in Part IV of PHIPA and its regulation.

For a list of the types of personal health information that Ontario Health collects as a prescribed person see Ontario Health's Data Assets and Statement of Purpose List.

Researcher

Ontario Health operates a research program to develop new knowledge through epidemiological, intervention, health services, surveillance, and policy research, as well as knowledge synthesis and dissemination. Ontario Health can conduct research under PHIPA or FIPPA, including use of information collected as a prescribed entity, prescribed person, or under the Gift of Life Act.

Health Information Network Provider (HINP)

Ontario Health provides information systems to Health Information Custodian's to enable them to exchange personal health information with each other. In providing such services, Ontario Health is acting as a Health Information Network Provider and is subject to additional privacy requirements under O. Reg. 329/04.

When we take on the role of a health information network provider, we must adhere to the requirements outlined in the regulation that accompanies PHIPA. We have put in place measures to address all the stipulated requirements, some of which include the following:

• providing to each applicable health information custodian a plain language description of the services that Ontario Health provides to the custodians including a general description of the safeguards in place
• public posting of the plain language description of services
• documented protocols, specific to the health information network provider services
• written agreements with each health information custodian organization that participates in the respective health information network provider service

PHIPA Agent

An Agent under PHIPA, is a person that, with the authorization of the health information custodian, acts for or on behalf of the health information custodian in respect of personal health information for the purposes of the health information custodian, and not the Agent's own purposes, whether or not the Agent has the authority to bind the HIC, whether or not the Agent is employed by the health information custodian, and whether or not the Agent is being remunerated. Ontario Health may act as a PHIPA Agent, if Ontario Health is authorized to do so by the health information custodian for purposes, for example, of responding to access and correction requests.

Electronic Service Provider (ESP)

Ontario Health provides information technology services to healthcare providers to enable them to collect, use, modify, disclose, retain or dispose of personal health information, or to exchange personal health information with one another. In providing these services Ontario Health act as an electronic service provider pursuant to PHIPA regulations. This electronic service provider role strictly limits Ontario Health's use of personal health information to only that which support health care providers.

Determining eligibility for funding of healthcare services

Ontario Health also collects personal health information from health information custodians to determine or verify eligibility for reimbursement for healthcare or related goods, services or benefits, as set out under section 39(1)(a) and 49(6) of PHIPA.

Furthermore, Ontario Health has the legal authority as an agency under section 38(1)(b) of PHIPA to collect personal health information from health information custodians to determine or provide funding or payment for the provision of health care. The purpose of such collection must be consistent with Ontario Health's authority under section 38(1)(b).

FIPPA Institution

Ontario Health is an institution as defined in FIPPA and is subject to its requirements. FIPPA governs how we manage and handle personal information and imposes requirements to protect the privacy of individuals.

Ontario Health will only collect personal information where the collection is specifically authorized by law, used for the purposes of law enforcement or necessary for the administration of a lawfully authorized activity. We will only use and disclose personal information as allowed or required by law.

Gift of Life Act (GOLA)

Ontario Health has broad permissions under the Gift of Life Act (GOLA) to support lifesaving and life-enhancing donation for transplantation. Ontario Health is permitted under GOLA to collect, use and disclose personal information, including personal health information, for a purpose related to organ and tissue donation and transplantation. 

Designated facilities as defined and regulated under GOLA – such as Ontario hospitals, transplant programs, laboratories and tissue banks are required to disclose personal information and personal health information to Ontario Health. Ontario Health also has the authority under GOLA to disclose personal information and personal health information with designated facilities and other organizations that Ontario Health has entered into an agreement with. Collection and disclosure are only made if it is necessary for a purpose related to organ and tissue donation and transplantation. 

Collection of Personal Information and Personal Health Information

Ontario Health collects personal information and personal health information from different sources. Most of the personal information and personal health information comes from facilities such as hospitals, clinics, independent healthcare facilities and laboratories.

We also collect personal information and personal health information from other government organizations and data partners such as:

Ministry of Health,

• Ministry of Government Services,
• Pharmaceutical Manufacturers,
• Workplace Safety and Insurance Board,
• Ontario Health at Home,
• Canadian Institute for Health Information and
• Institute for Clinical Evaluative Sciences (ICES),

We also collect personal information directly from individuals, if required, including for example, our cancer screening, patient and family advisor programs, and Out-of-Country Hemodialysis Reimbursement Program.

Use of Personal Information and Personal Health Information

Ontario Health uses personal information and personal health information in the following ways:

• Create and maintain the Electronic Health Record
• Support service provision;
• Plan, administer and evaluate internal programs and services
• Health care system planning and management purposes;
• Facilitate payment for services;
• Conducting data quality and risk management activities;
• To conduct research;
• Activities as permitted or required by law;
• Study and report on the use, effects and patterns of healthcare diagnosis, services and treatment in the province
• Estimate current and future needs for healthcare services
• Study wait times for healthcare services
• Facilitate the delivery of healthcare through the Ontario Cancer Screening Programs
• Determine eligibility for funding of healthcare services
• To engage patient and family members to learn about their experiences with the healthcare system

The following describes the types of personal health information and personal information we collect and how we use it to support Ontario Health programs.

Ontario’s cancer screening programs as part of the Ontario Cancer Screening Registry

Ontario Health collects personal information and personal health information to support the planning and management of cancer services in Ontario or for Ontario residents

• Information related to expenditures for clinics or services
• Clinical information, including images, that support diagnosis, treatment or services provided
• Screening information related to the early detection of cancer or the risks of developing cancer
• Patient-reported outcomes, satisfaction and experience to facilitate conversations with healthcare providers and increase patient involvement in care

We also collect personal health information for the purposes of the cancer screening programs, and use this information to send letters to eligible individuals to:

• invite them to participate in screening
• inform them of their screening test results
• inform them of what to do if they have an abnormal test result
• connect patients without family doctors to a doctor if more tests are required
• generate reports for primary care physicians to inform them of their cancer screening rates, their patients’ test results and follow-up needs

More information on the Ontario Health’s Ontario Cancer Screening Registry is available at Personal Health Information Frequently Asked Questions

Registry of Cardiac and Vascular Services

Ontario Health collects personal health information from health information custodians – hospitals and health care providers, for the purposes of maintaining the Cardiac and Vascular Registry. Ontario Health also collects personal health information from the Ministry of Health’s Enterprise Master Patient Index (EMPI) to ensure that all personal health information about an individual is grouped under the correct patient’s record within the Cardiac and Vascular Registry.

Ontario Health helps to plan, coordinate, implement, and evaluate cardiovascular care and is responsible for the Cardiac and Vascular Registry. The personal health information collected in the Cardiac and Vascular Registry includes wait time information, as well as specific clinical details. The Cardiac and Vascular Registry uses cloud-based technology, and all activities are guided by Ontario Health's Privacy and Security Policies.

More information on the Ontario Health’s Ontario Cancer Screening Registry is available at Privacy Brochure

Registry of Chronic Diseases

Ontario Health collects personal health information from health information custodians such as hospitals, Ministry of Health, physicians and laboratories to operate the registry of chronic diseases. Chronic diseases are long-lasting and may be caused by many factors, such as behaviour and lifestyle, genetics, physiology, social determinants of health and the environment. The chronic diseases that are the leading cause of death and disability in Ontario include cardiovascular disease (e.g., myocardial infarction or stroke), cancer, chronic respiratory disease (e.g., chronic obstructive pulmonary disease and asthma) and diabetes.

Ontario Health uses personal health information maintained in the registry of chronic diseases to facilitate contact with eligible individuals for the Abdominal Aortic Aneurysm Screening Program (OAAASP) in the same manner Ontario Health does for the existing cancer screening programs.

OAAASP is a population-based screening program that detects Abdominal Aortic Aneurysm and reduces avoidable Abdominal Aortic Aneurysm ruptures and deaths. Like the cancer screening programs, the OAAASP sends screening invitation letters to eligible participants based on their age and encourages participants to be screened by way of an ultrasound.

Ontario Health also uses personal health information in the registry of chronic diseases to carry out quality improvement activities. This includes analyzing information collected from hospitals and clinicians to evaluate how health services are being delivered, to identify gaps in care and to support initiatives that improves care outcomes.

As part of these quality improvement efforts, Ontario Health produces reports on areas such as surgical oncology and colonoscopy/colposcopy that identify outlier performance on key quality indicators. Ontario Health may disclose linked, patient level PHI to qualifying hospitals and clinicians identified as outliers in these reports, enabling them to conduct comprehensive analysis and implement targeted quality improvement interventions to enhance patient care and safety.

Access to Care Information

Ontario Health collects personal health information relating to initiatives to reduce wait times and improve patients’ access to healthcare services for the following areas:

• Surgery Wait Times and Efficiencies – measure, manage and publicly report on surgical wait times for almost 3,300 surgeons across 121 healthcare sites: help capture and report on data about surgical efficiency in 850 operating rooms across Ontario
• Diagnostic Imaging Wait Times and Efficiencies – measure, manage and publicly report on magnetic resonance imaging (MRI) and computerized tomography (CT) wait times and efficiencies for 107 healthcare sites
• Emergency Room Information – use the National Ambulatory Care Reporting System (NACRS) to measure, manage and publicly report on emergency room performance at 126 sites
• Alternate Level of Care Information – measure, manage and report on patients occupying a hospital bed who do not need the intensity of resources or services provided in that care setting, across 186 healthcare sites
• Electronic Canadian Triage and Acuity Scale (eCTAS) – improve patient safety and quality of care by creating an electronic decision-support tool to standardize the way the scale is used

Ontario Renal Network Information

The Ontario Renal Network is a division of Ontario Health that advises the Ontario government on chronic kidney disease. For the purposes of the Ontario Renal Network, Ontario Health collects personal health information for the management and coordination of the Provincial Chronic Kidney Disease program. We use renal personal health information to effectively organize and manage the delivery of renal services in Ontario. The aim is to reduce the burden of this disease on Ontarians and the healthcare system. The Ontario Renal Network provides evidence-based decisions and advice to government to help them effectively plan, program and fund services to support a continuously improving kidney care system in Ontario.

Ontario Health provides reports based on the analysis of renal personal health information collected from chronic kidney disease. Reports are disclosed to the kidney disease community, which includes the Ministry of Health, nephrologists, and dialysis centres.

Ontario Palliative Care Network Repository

Ontario Health routinely links health administrative data to better understand the patient experience throughout the end-of-life phase of care. This data allows the Ontario Palliative Care Network team to review concepts related to health system use, disease identification, significant health events, treatments and other important health information.

Orthopedic Information

Ontario Health collects patient-reported outcomes data on orthopedic services from hospitals that provide those services. The information helps local quality improvement and research initiatives evaluate the appropriateness and effectiveness of orthopedic surgery.

Patient and Family Advisor Information

Ontario Health collects personal information directly from  patient and family advisors who provide valuable perspectives by sharing their experiences within the Ontario Healthcare System. The information gathered through these engagements offers important insights into the current healthcare landscape, including the challenges patients and caregivers face from a “user perspective. Ontario Health utilizes this enhanced understanding of the Ontario Healthcare System to inform recommendations for improvements. As part of the Patient Family Advisor requirement process, Ontario Health collects personal information from individuals interested in participating in Ontario Health engagements for the following purposes:

• Determining if they have relevant experience to participate in a particular engagement.
• Ensuring that engagements have participants that are representative of the diversity of Ontario’s population.
• Scheduling engagement meetings.

Reimbursement Program Operation

Ontario Health collects personal information and personal health information related to eligibility for reimbursement for healthcare or related goods, services or benefits in Ontario. Ontario Health’s Reimbursement Programs include:

• New Drug Funding Program
• Evidence Building Program
• Case-by-Case Review Program
• Brachytherapy Program
• Out-of-Country Program
• Chimeric Antigen Receptor (CAR) T-Cell Therapy
• Home Hemodialysis Utility Grant
• Out-of-Country Hemodialysis Reimbursement Program
• Special Access Program
• High-Cost Therapy Funding Program

Ontario Health uses the information gathered under these programs to determine or verify eligibility for reimbursement for healthcare services provided to patients and to provide recommendations on eligibility to the Ministry of Health.

Health Research Support

Ontario Health collects high-quality data from healthcare facilities, patients and health system partners for research, and health system management and planning. Along with partners across the healthcare system, Ontario Health’s team of experts use the data to help healthcare providers, health system administrators, policy-makers and researchers to improve Ontario’s health systems by delivering high-quality clinical care. We produce:

• evidence-based guidance, tools and advice on health services
• reports on cancer, renal and other health system topics
• information for health system planning to ensure Ontario can meet the growing demand for greater accountability, better outcomes and improved patient experiences.

Who at Ontario Health can Access Personal Information and Personal Health Information

Only a limited number of staff have access to personal information and personal health information within Ontario Health. A data steward assigned to each holding is responsible for authorizing access to the data holding. Access is limited to those staff who need it to carry out their jobs at Ontario Health, such as analysts and information technology support staff. Access permissions are reviewed regularly to ensure they remain appropriate.

Disclosure of Personal Information and Personal Health Information

Ontario Health does not disclose personal information or personal health information with identifiers unless the individual consents and it is necessary for a lawful purpose or where it is permitted or required by law.

For Example:

• We may also disclose personal health information that we collected for the purposes of a prescribed entity or prescribed person to:
  • researchers who comply with the research requirements set out in PHIPA, and if the research meets our scientific standards and is consistent with our mission and objectives
  • other prescribed entities, prescribed persons or certain organizations or government agencies as permitted under PHIPA
• In operating Ontario’s screening programs, Ontario Health discloses your personal information and personal health information to:
  • determine if you need to be screened
  • send letters inviting or reminding you to be screened or informing you of the results
  • ensure your doctor knows whether or not you have been screened or need more tests
  • connect you with a doctor if you don’t have one and need to get more tests done
• For the Reimbursement Programs, Ontario Health may also disclose your personal health information to organizations such as the Ministry of Health, the Kidney Foundation of Canada and requesting physicians to determine eligibility for reimbursement.
• Ontario Health may also disclose information about you to a care provider or organization that currently or has previously provided you with care, to facilitate quality improvement of health care services.

Safeguards

Ontario Health has physical, administrative and technical safeguards in place to protect PHI against loss, theft, unauthorized access, disclosure, copying, use or modification. The types of safeguards correspond to the sensitivity, amount, distribution and format of the information. The following describes some of the safeguards Ontario Health program implements to protect information.

Physical safeguards

• We have in place controls to secure physical premises, including controlled access to Ontario Health program offices.
• Some operational areas that process personal information and personal health information require restricted access with a secondary level of access controls.
• Employees are given appropriate identification.
• Visitors are appropriately screened and are authorized to be on the premises.
• Video surveillance is used for forensic purposes

Administrative safeguards

• We use policies, agreements, and a privacy and security training and awareness program to reinforce employee and third-party understanding of the responsibility to protect personal information and personal health information.
• We do not use personal information or personal health information we have access to in the course of providing information technology services, except as necessary to provide the services.
• We have in place a privacy breach management program to identify, contain, investigate and report on privacy breaches. We notify the applicable health information custodian or data partner of any privacy breach at the first reasonable opportunity.
• We have a comprehensive privacy assessment and risk management program to ensure privacy risks are identified, mitigated and responsibly managed.

 Technical safeguards

• We adopt industry standards and tests our systems to ensure the security of:
  • personal information and personal health information in our custody
  • the equipment and communication systems we use
• Data is encrypted during transmission to Ontario Health and is stored on secured servers.
• We test and back-up systems regularly, and we have an active Disaster Recovery Plan.
• We put in place a logging, monitoring and auditing system to record when personal health information is accessed or transferred.

Your Privacy Rights

Ontario Health supports individuals in exercising their privacy rights under applicable privacy laws.

Access to and/or Correction of Personal Information and Personal Health Information

You have a right under PHIPA to access your personal health information. You may also request correction of your personal health information. Ontario Health supports “access requests” and “correction requests” from individuals in accordance with the requirements of PHIPA, and its policies and procedures.

Prescribed Organization

To request access to, or correction of, personal health information held in the Electronic Health Record, refer to Accessing your EHR for more information.

FIPPA Access Requests

You have a right under FIPPA to request access to your personal information. You may also request correction of your personal information. Ontario Health supports access and correction requests from individuals in accordance with the requirements of FIPPA, and its policies and procedures. To make a request under FIPPA, see Freedom of Information Requests.

Consent Management

Where Ontario Health requires your consent for handling of your personal health information, you may withdraw this consent in accordance with PHIPA, applicable agreements, and Ontario Health policies and procedures.

Prescribed Organization

If you choose to withdraw consent to handling of your personal health information for health care purposes by means of the Electronic Health Record, Ontario Health will apply a “consent directive” to your personal health information. When a consent directive is applied to your personal health information, health care providers will be unable to access this information in the Electronic Health Record unless certain circumstances are met.

In accordance with PHIPA, under certain circumstances, a health care provider can perform a “consent override” to access your personal health information. It is important to know that in some instances, a health care provider may not have the technical ability to perform a consent override and therefore may not be able to access your personal health information while a consent directive is in place, even in emergency circumstances.

To withdraw consent for handling of your records for health care purposes by means of the Electronic Health Record, refer to Managing Access to your EHR for more information.

View our Contact Us page form more information on how to reach the Ontario Health Privacy team and the Information and Privacy Commissioner of Ontario.