Digital Health Identifier Request for Access to Personal Health Information Policy and Procedure

Policy Level Approval: Chief Executive Officer
Policy Category: Enterprise Policy
Policy Number:
Policy Sponsor (or Sponsors): Chief, Strategy, Planning, Privacy & Analytics
Original Date of Approval: April 9, 2026
Date of Posting:
Version Approval Date: April 9, 2026

1.1 Purpose

1.1.1 This Policy and its procedures outline Ontario Health’s practices for responding to access requests made by individuals under Part V of the Personal Health Information Protection Act, 2004 (PHIPA) in respect of PHI that is collected, used or disclosed by Ontario Health for the purposes of carrying out digital health identifier (DHI) activities.

1.2 Objectives

1.2.1 This Policy and its procedures are intended to:

• Enable Ontario Health to meet its obligations under PHIPA;
• Enable Ontario Health to meet its obligations under any applicable manual for prescribed organizations as may be published from time to time by the Information and Privacy Commissioner of Ontario (IPC); and
• Uphold the privacy rights of individuals.

1.3 Scope

1.3.1 This Policy applies to Ontario Health when it acts under its authority as a prescribed organization for the purposes of Part V.2 of PHIPA.

1.3.2 This Policy applies to all Employees, people leaders, board members, secondees, consultants, and other Ontario Health Agents.

1.3.3 This Policy applies to access requests related to records of PHI that are under the custody or control of Ontario Health and are collected or used by Ontario Health under its authority as a prescribed organization for the purposes of Part V.2 of PHIPA.

1.3.4 This Policy does not apply to access requests relating to PHI that is accessible by means of the Electronic Health Record, which are handled in accordance with the EHR Request for Access to PHI Policy and Procedure.

1.4 Compliance, Audit and Enforcement

1.4.1 Compliance with this Policy in its entirety is mandatory unless an exception to a specific section is approved by the Ontario Health Chief Privacy Officer (CPO) or delegate in writing. Failure to comply with the requirements of this Policy, without a written exception, may result in disciplinary action up to and including revocation of appointment, termination of employment or termination of contract without notice or compensation.

1.4.2 Compliance will be audited in accordance with and as per the frequency outlined in the Privacy Audit and Compliance Policy.

1.4.3 At the first reasonable opportunity upon identifying or becoming aware of a breach of this Policy, Employees and other Ontario Health Agents, must notify Ontario Health’s Privacy Office by reporting the breach to the Enterprise Service Desk by Phone: 1-866-250-1554; or Email: oh-servicedesk@ontariohealth.ca

1.4.4 Breaches of this Policy will be managed in accordance with the Privacy Incident Management Policy and Procedure.

1.4.5 Compliance will be enforced in accordance with the Progressive Discipline Policy.

1.5 Terminology

1.5.1 The words “include” and “including” when used are not intended to be exclusive and mean, respectively, “include, without limitation,” and “including, but not limited to”.

1.5.2 Capitalized terms in this Policy have the meanings are set out in the Definition and Acronyms section (Section 7). Acronyms are defined in-text, in parentheses, following their first use.

1.5.3 The terms “collect”, “disclose”, “health information custodian”, “health number”, “prescribed organization”, and “use” have the meanings given to them in PHIPA.

2.1 Right of Access

2.1.1 Individuals have a right to access the following records of PHI that are in the custody or under the control of Ontario Health and that are collected, used or disclosed for the purposes of DHI activities:

• records related to a change in the identifying information used in the creation or maintenance of an individual’s My Ontario Account for Health;
• records of consents that have been given or withdrawn in relation to an individual’s My Ontario Account for Health;
• records related to Validation and Verification Services; and
• records of the date on which an individual used the My Ontario Account for Health to access a Digital Health Tool (including My Health Record)(collectively, DHI Activity Records)

2.1.2 Individuals may direct complaints related to access requests to the IPC as follows:

Mail:
Registrar
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, ON M4W 1A8

Email: info@ipc.on.ca

Telephone: Toronto Area: 416-326-3333 Toll Free: 1-800-387-0073 TDD/TTY: 416-325-7539

2.2 Notice to the Public

2.2.1 Ontario Health provides the public with information about the right of individuals to access DHI Activity Records. This Policy is made available to the public on the Ontario Health Website. Individuals may also contact Ontario Health’s Privacy Office by telephone, mail or email to obtain information about this Policy and Ontario Health’s practices related to access requests.

2.2.2 Instructions for making access requests are provided in the My Ontario Account for Health Privacy Statement and the My Ontario Account for Health Frequently Asked Questions, which are available on the Ontario Health Website.

2.3 Access to DHI Activity Records

2.3.1 Ontario Health makes DHI Activity Records available to individuals, in electronic format, through their My Ontario Account for Health.

2.3.2 Ontario Health also makes DHI Activity Records available to individuals, in hard copy or electronic format, through an alternative means of access.

2.3.3 In providing individuals with access to their DHI Activity Records, Ontario Health complies with the obligations under Part V of PHIPA, as though it is a HIC, including the following obligations:

• Ontario Health offers assistance to an individual making an access request.
• Ontario Health considers whether an exception to the right of access applies.
• Ontario Health responds to the individual within 30 calendar days of receiving the access request, unless an extension to this time limit is permitted under PHIPA.

2.3.4 Ontario Health will determine whether to provide an individual with access to their DHI Activity Records in accordance with the procedures set out below.

2.4 Tracking and logging of access requests

2.4.1 Ontario Health maintains a log of all requests for access to DHI Activity Records. Refer to “Appendix A: Digital Health Identifier Log of Access Requests” for details that are captured in the log. Members of the Product Team are responsible for updating and maintaining the log and providing the log and related reports to the Privacy Office upon request.

2.4.2 Ontario Health meets its annual reporting requirements by providing the IPC with an annual report that includes, among other things:

• the number of requests Ontario Health has received in the previous calendar year for access to DHI Activity Records; and
• the number of refusals by Ontario Health to disclose DHI Activity Records, the provisions of PHIPA under which disclosure was refused, and the number of occasions on which each provision was invoked.

2.5 Retention of access request documentation

2.5.1 Ontario Health retains relevant access request documentation accordance with the Digital Health Identifier Record Retention Standard.

3.1 Accessing records through My Ontario Account for Health

3.1.1 An individual may access their DHI Activity Records, in electronic format, through their My Ontario Account for Health.

3.1.2 Pursuant to the My Ontario Account for Health Terms of Use, individuals who create a My Ontario Account for Health agree that access to their DHI Activity Records will be provided to them in electronic format via their My Ontario Account for Health.

4.1 Making an access request

4.1.1 An individual may request access to their DHI Activity Records held by Ontario Health by making request for access, via telephone, to ServiceOntario:

Service Ontario INFO line
Monday to Friday 7:00 am - 7:00 pm, excluding holidays

Telephone:
Toll-free:1-833-411-2680
Toll-free TTY:1-833-411-2680

4.1.2 ServiceOntario acts on behalf of Ontario Health to receive requests for access to DHI Activity Records made via telephone.

4.1.3 The request must contain sufficient detail to enable a member of the MOAH Product Team to identify and locate the record with reasonable efforts.

4.1.4 If the request does not contain sufficient detail to enable a member of the MOAH Product Team to identify and locate the record with reasonable efforts, ServiceOntario will offer assistance to the requester in reformulating the request such that it does contain the required detail.

4.1.5 ServiceOntario will take reasonable steps to be satisfied of the individual’s identity before making an individual’s DHI Activity Records available to them in accordance with this procedure.

4.2 Intake of access request

4.2.1 Upon receipt of an access request from an individual, a member of the ServiceOntario team advises the requester that their DHI Activity Records are available in electronic format through their My Ontario Account for Health and offers the requester assistance in accessing such records through their My Ontario Account for Health.

4.2.2 If the individual still cannot or does not wish to access their DHI Activity Records through their My Ontario Account for Health, the member of the Service Ontario team collects the following information from the requester to fulfill their access request:

• First and last name
• Phone number
• Date of birth
• Email address associated with their My Ontario Account for Health
• Mailing address
• Preferred delivery method

4.2.3 The member of the Service Ontario Team initiates tracking and logging of the access request (see Appendix A: Digital Health Identifier Log of Access Requests) and ensures the information associated with the access request is retained in a secure manner, as applicable.

4.2.4 Based on the intake information collected by ServiceOntario, a member of the MOAH Product Team locates and retrieves the responsive records.

4.3 Assessing exceptions to the right of access

4.3.1 An individual has a right to access their DHI Activity Records that are in the custody or the control of Ontario Health, subject to certain exceptions specified in PHIPA.

4.3.2 The member of the MOAH Product Team reviews the responsive records to determine whether any of the following exceptions to the right of access apply:

• the record or the information in the record is subject to a legal privilege that restricts disclosure of the record or the information, as the case may be, to the individual;
• another Act of the Legislature of Ontario, an Act of Canada, or a court order prohibits disclosure to the individual of the record or the information in the record in the circumstances; or
• granting access could reasonably be expected to result in a risk of serious harm to the treatment or recovery of the individual or a risk of serious bodily harm to the individual or another person (provided that before deciding to refuse to grant an individual access for this reason, Ontario Health may consult with a member of the College of Physicians and Surgeons of Ontario or a member of the College of Psychologists of Ontario).

4.4 Severing records

4.4.1 Where part of DHI Activity Records which are exempt from access under Section 4.3.2 can reasonably be severed from the part of the record that contains the information described in Section 4.3.2, that severed part shall be subject to access by the individual. In such circumstances, a member of the MOAH Product Team will appropriately sever the records.

4.5 Response to access request

4.5.1 In response to an access request, Ontario Health will provide one of the following four responses to the individual:

• Ontario Health will provide a copy of the requested DHI Activity Records to the individual, via their preferred delivery method, and if reasonably practical, an explanation of any term, code or abbreviation used in the record;
• Ontario Health will give a written notice to the individual stating that, after a reasonable search, Ontario Health has concluded that the requested DHI Activity Records do not exist or cannot be found, if that is the case;
• if Ontario Health is entitled to refuse the request, in whole or in part, because the record is subject to a legal privilege or because disclosure is prohibited by law, Ontario Health will give a written notice to the individual stating that Ontario Health is refusing the request, in whole or in part. The notice will provide a reason for the refusal and will state that the individual is entitled to make a complaint about the refusal to the IPC; or
• if Ontario Health is entitled to refuse the request, in whole or in part, because granting access could reasonably be expected to result in a risk of serious harm to the treatment or recovery of the individual or a risk of serious bodily harm to the individual or another person, Ontario Health will give a written notice to the individual stating that Ontario Health is refusing the request. The notice will provide a reason for the refusal or state that Ontario Health is refusing to confirm or deny the existence of any record, as applicable, and will inform the individual that they are entitled to make a complaint about the refusal to the IPC.

4.5.2 Ontario Health will provide a written response to the individual via email or courier, depending on the individual’s preferred delivery method.

4.5.3 All DHI Activity Records released to a requester will contain a watermark indicating record provenance.

4.5.4 Where Ontario Health believes on reasonable grounds that a request for access to DHI Activity Records is frivolous or vexatious or is made in bad faith, Ontario Health may refuse to grant the individual access to the requested record. Ontario Health Privacy and Ontario Health Legal will be consulted prior to refusing an individual’s request for access to their DHI Activity Records on this basis.

4.6 Format and delivery of records

4.6.1 Ontario Health will provide the individual with a copy of their DHI Activity Records in either hard copy or in PDF, at the individual’s option.

• For PDFs, Ontario Health will deliver a password-protected PDF to the individual via email. Ontario Health will send the password via courier to the individual’s mailing address on file with the Ministry of Health.
• For hard copies, Ontario Health will deliver a copy of the records via courier to the individual’s mailing address on file with the Ministry of Health.

4.6.2 Ontario Health will not release DHI Activity Records verbally.

5.1 Chief Privacy Officer

5.1.1 Ensures compliance with PHIPA and ensures relevant Ontario Health policies and procedures are put in place.

5.1.2 Responsible for the overall accountability and the day-to-day operations of the privacy program.

5.2 Privacy Office

5.2.1 Authors and maintains this Policy.

5.2.2 Responds to inquiries and complaints regarding access requests for DHI Activity Records.

5.2.3 Fulfills annual reporting requirements to the IPC.

5.2.4 Consults on exceptions to the right of access and reviewing refusals to provide access based on permitted exceptions.

5.3 Vice President, Access Products and Services

5.3.1 Ensures that access requests are responded to in accordance with this Policy, through the My Ontario Account for Health and through alternative means of access.

5.4 Director, Digital Health Consumer Access Program (DHCAP)

5.4.1 Ensures that DHCAP and supporting teams operate in compliance with this Policy.

5.4.2 Coordinates response to requests for DHI Activity Records across DHCAP and supporting teams.

5.5 Designated Leads within Digital Health Consumer Access Program (DHCAP)

5.5.1 Retrieves responsive records, reviews and makes an access decision, and fulfills requests for access to DHI Activity Records via email or courier.

5.5.2 Logs access requests in the Digital Health Identifier Log of Access Requests.

5.6 Legal

5.6.1 Providing consultation and support on exceptions to the right of access and reviewing refusals to provide access based on permitted exceptions.

5.7 Employees and other Ontario Health Agents

5.7.1 Immediately forwards any requests for DHI Activity Records to DHCAP.

5.7.2 At the first reasonable opportunity upon identifying or becoming aware of a breach of this Policy, notifies Ontario Health’s Privacy Office.

CPO: Chief Privacy Officer

DHI Activity Records: Any of the following records:

1. records related to a change in the identifying information used in the creation or maintenance of an individual’s My Ontario Account for Health;
2. records of consents that have been given or withdrawn in relation to an individual’s My Ontario Account for Health;
3. records related to Validation and Verification Services; and
4. records of the date on which an individual used the My Ontario Account for Health to access a Digital Health Tool (including My Health Record).

Digital Health Identifier Records: Records of PHI that are under the custody or control of Ontario Health and are collected or used by Ontario Health under its authority as a prescribed organization for the purposes of Part V.2 of PHIPA.

Digital Health Tool: Any digital platform, provided by either Ontario Health or an authorized health information custodian, that may be accessed by individuals through their My Ontario Account for Health.

Electronic Service Provider: A third-party contracted or otherwise engaged to provide services to Ontario Health for the purpose of enabling the use of electronic means to collect, use, modify, disclose, retain or dispose of records of PHI.

Employee: A person employed and compensated by Ontario Health as an Employee, and is classified as either permanent full-time, permanent part-time, temporary full-time, temporary part-time, paid student or casual, as set out in the Employee Classification Guideline. A consultant or contractor is not an Employee.

IPC: Information and Privacy Commissioner of Ontario

My Health Record: A Digital Health Tool provided by Ontario Health that provides individuals who have a My Ontario Account for Health with digital access to certain of their health records that are contained in the Ontario Laboratories Information System and the Digital Health Drug Repository, which are held in the provincial Electronic Health Record maintained by Ontario Health.

My Ontario Account for Health: The application through which an individual may validate and verify their identity and authenticate themselves to access Digital Health Tools

O. Reg. 329/04: Ontario Regulation 329/04 made under PHIPA

Ontario Health: The agency of the Government of Ontario to which this Policy applies.

Ontario Health Agent: A person that acts for or on behalf of Ontario Health for the purposes of Ontario Health, and not for the person’s own purposes, whether or not the person has the authority to bind Ontario Health, whether or not the person is an Employee, and whether or not the person is being remunerated.

PHI or Personal Health Information: Has the meaning set out in section 4 of PHIPA. Specifically, it is “identifying information” in oral or recorded form about an individual that:

• Relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family;
• Relates to the provision of health care to the individual, including the identification of a person as a provider of health care to the individual;
• Is a plan that sets out the home and community care services for the individual to be provided by a health service provider or Ontario Health Team pursuant to funding under section 21 of the Connecting Care Act, 2019;
• Relates to payments or eligibility for health care or eligibility for coverage for health care in respect of the individual;
• Relates to the donation by the individual of any body part or bodily substance of the individual or that is derived from the testing or examination of any such body part or bodily substance;
• Is the individual’s health number; and/or
• Identifies an individual’s substitute decision-maker.

PHI also includes identifying information about an individual that is not PHI listed above but that is contained in a record that includes PHI listed above.

Information is “identifying” when it identifies an individual or when it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify the individual.

PHIPA: Personal Health Information Protection Act, 2004.

References to PHIPA include O. Reg. 329/04, as may be amended or replaced from time to time.

Prescribed Organization or PO: The organization prescribed in Ontario Regulation 329/04 as the organization for the purposes of Part V.1 of PHIPA. The Prescribed Organization has the power and the duty to develop and maintain the EHR in accordance with Part V.1 of PHIPA and the regulations made thereunder.

Third-Party Service Provider: A third-party contracted or otherwise engaged to provide services to Ontario Health, including Electronic Service Providers.

Validation and Verification Services: Services provided by Ontario Health that:

1. validate the health number and additional PHI from the health card provided by an individual, including by relying on a database for health cards maintained by the Minister,
2. verify that an individual who is providing the health number or additional PHI, and such other identifying information as may be requested by Ontario Health, is the individual to whom the health number or PHI relates,
3. rely upon the services described in clauses (a) and (b), or such other services as may be prescribed by O. Reg. 329/04, to create or renew an individual’s digital health identifier, or
4. are prescribed by O. Reg. 329/04.

This Policy is to be reviewed by Ontario Health at least within 3 years of its effective date or earlier if required in accordance with the Privacy Audit and Compliance Policy.

• PHIPA and O. Reg. 329/04
• Digital Health Identifier Description of Activities
• Privacy Audit and Compliance Policy
• Privacy Incident Management Policy and Procedure
• Electronic Health Record Request for Access and Correction to Personal Health Information Policy and Procedure
• Digital Health Identifier Log of Access Requests

• Appendix A: Digital Health Identifier Log of Access Requests

The following were consulted in the development of this Policy:

• Staff from the Privacy Office and other Ontario Health Agents responsible for drafting, maintaining and/or reviewing the privacy policies in reference to Ontario Health’s privacy requirements.

April 2026: The policy was approved on April 9, 2026, by the Ontario Health Chief Executive Officer.

Note: This log is maintained by Ontario Health and its Third-Party Service Providers and contains information that relates to Ontario Health’s responsibilities as the prescribed organization for the purposes of Part V.2 in responding to access requests for DHI Activity Records.

Where Ontario Health responds to a request for access from an individual in respect of their DHI Activity Records, the log includes the following, to the extent known to Ontario Health:

• The date the request was received;
• The name and contact information of the individual making the request;
• The type of request (i.e., access request);
• A description of the request;
• A description of the DHI Activity Records that are the subject of the request;
• The Employee(s) or other person(s) that received and reviewed the request;
• If the time limit for responding was extended, the reason for the extension, and the length of the extension;
• The decision made (i.e., whether the request was granted, granted in part, or refused);
• The reason for the refusal, where applicable;
• The Employee responsible for communicating the decision to the individual; and
• The date the decision was communicated to the individual.