Digital Health Identifier Policy and Procedure for Collecting Personal Health Information

Policy Level Approval: Chief Executive Officer
Policy Category: Enterprise Policy
Policy Number:
Policy Sponsor (or Sponsors): Chief, Strategy, Planning, Privacy & Analytics
Original Date of Approval: April 9, 2026
Version Approval Date: April 9, 2026

1.1 Purpose

This Policy and its procedures, in respect of PHI collected by Ontario Health for the purposes of carrying out digital health identifier (DHI) activities, identifies:

• the purpose for which Digital Health Identifier Records will be collected;
• the nature of the Digital Health Identifier Records that will be collected;
• from whom the Digital Health Identifier Records will typically be collected;
• the secure manner in which Digital Health Identifier Records will be collected; and
• the process for creating, reviewing, amending and approving the descriptions of types of Digital Health Identifier Records collected.

1.2 Objectives

This Policy and its procedures are intended to:

• enable Ontario Health to meet its obligations under the Personal Health Information Protection Act, 2004 (PHIPA);
• enable Ontario Health to meet its obligations under any applicable manual for prescribed organizations as may be published from time to time by the Information and Privacy Commissioner of Ontario (IPC); and
• protect the privacy of individuals and the confidentiality of their PHI.

1.3 Scope

1.3.1 This Policy applies to Ontario Health when it acts under its authority as a prescribed organization for the purposes of Part V.2 of PHIPA.

1.3.2 This Policy applies to all Employees, people leaders, board members, secondees, consultants, and other Ontario Health Agents.

1.4 Compliance, Audit and Enforcement

1.4.1 Compliance with this Policy in its entirety is mandatory unless an exception to a specific section is approved by the Chief Privacy Officer (CPO) or delegate in writing. Failure to comply with the requirements of this Policy, without a written exception, may result in disciplinary action up to and including revocation of appointment, termination of employment or termination of contract without notice or compensation.

1.4.2 Compliance will be audited in accordance with and as per the frequency outlined in the Privacy Audit and Compliance Policy.

1.4.3 At the first reasonable opportunity upon identifying or becoming aware of a breach of this Policy, Employees and other Ontario Health Agents, must notify Ontario Health’s Privacy Office by reporting the breach to the Enterprise Service Desk by Phone: 1-866-250-1554; or Email: oh-servicedesk@ontariohealth.ca

1.4.4 Breaches of this Policy will be managed in accordance with the Privacy Incident Management Policy and Procedure.

1.4.5 Compliance will be enforced in accordance with the Progressive Discipline Policy.

1.5 Terminology

1.5.1 The words “include” and “including” when used are not intended to be exclusive and mean, respectively, “include, without limitation,” and “including, but not limited to”.

1.5.2 Capitalized terms in this Policy have the meanings are set out in the Definition and Acronyms section (Section 5). Acronyms are defined in-text, in parentheses, following their first use.

1.5.3 The terms “collect”, “disclose”, “health information custodian”, “health number”, “prescribed organization”, and “use” have the meanings given to them in PHIPA.

2.1 Purpose, Nature and Source of Digital Health Identifier Records

2.1.1 Ontario Health collects PHI for the purposes of carrying out DHI activities in accordance with Part V.2 of PHIPA.

2.1.2 Ontario Health obtains the express consent of the individual to whom the PHI relates, in accordance with the Digital Health Identifier Consent Policy and Procedure, to collect their Digital Health Identifier Records.

2.1.3 Ontario Health collects PHI directly from the individual and automatically through an individual’s use of their My Ontario Account for Health.

2.1.4 Ontario Health collects the following types of Digital Health Identifier Records directly from individuals:

• name as it appears on an individual’s Ontario photo health card;
• email address;
• date of birth;
• photos of Ontario photo health card (front and back), including health number; and
• images of individuals (portrait “selfies”) and video and sound recordings.

2.1.5 Ontario Health collects DHI Activity Records automatically through an individual’s use of their My Ontario Account for Health:

• records relating to a change in the identifying information used in the creation or maintenance of an individual’s My Ontario Account for Health;
• records of consents that have been given or withdrawn in relation to an individual’s My Ontario Account for Health;
• records relating to an individual’s use of the Validation and Verification Services; and
• records of the date on which an individual used the My Ontario Account for Health to access a Digital Health Tool (including My Health Record).

2.1.6 The My Ontario Account for Health Privacy Statement, which describes the types of PHI that are collected by Ontario Health and the source of such information, is made available to individuals who register for a My Ontario Account for Health and provide Ontario Health with information for the purpose of receiving Account Management Services, Authentication Services, and Validation and Verification Services, and to the public through the Ontario Health website. The Digital Health Identifier Description of Activities is also made available through these means.

2.2 Limiting the Collection of Digital Health Identifier Records

2.2.1 In carrying out the DHI activities, Ontario Health takes reasonable steps to ensure that:

• it does not collect PHI if other information, namely de-identified and/or aggregate information, will serve the purpose of the collection;
• it does not collect more PHI than is reasonably necessary for the purpose for which it is collected; and
• it only collects PHI if it is reasonably necessary for carrying out the DHI activities, in accordance with PHIPA or as may be permitted in O. Reg. 329/04.

2.2.2 Where a change is proposed to the nature of PHI collected by Ontario Health, Ontario Health conducts a privacy assessment in accordance with the PIA Standard to ensure that the PHI Ontario Health collects is limited to that which is reasonably necessary for carrying out the DHI activities.

2.3 Secure Collection, Handling and Disposal of Digital Health Identifier Records

2.3.1 The electronic collection of PHI occurs through authenticated and encrypted channels.

2.3.2 Records of PHI collected by Ontario Health are retained in a secure manner in compliance with the Personal Health Information Handling Procedure.

2.3.3 Records of PHI that have been collected by Ontario Health are securely disposed of following the retention period set out in the Digital Health Identifier Retention Standard and in accordance with the Media and Data Destruction, Sanitization and Disposal Standard and related procedures.

3.1 Identifying Proposed Changes to Digital Health Identifier Records that Ontario Health Collects

3.1.1 Where a change to the nature of PHI collected by Ontario Health is proposed, the Director of the relevant business unit (program area or project team) is responsible for ensuring that the Privacy Office is engaged by completing and submitting a Privacy Intake Form.

3.2 Reviewing Proposed Changes to Digital Health Identifier Records that Ontario Health Collects

3.2.1 When a Privacy Intake Form is received by the Privacy Office, in accordance with the PIA Standard, the Designated Privacy Specialist is responsible for reviewing the new or proposed changes to the PHI that Ontario Health collects. The Designated Privacy Specialist determines if a privacy impact assessment (PIA) is required in accordance with the PIA Standard.

3.2.2 Where the Designated Privacy Specialist determines that a PIA is required, a PIA will be conducted in accordance with the PIA Standard.

3.2.3 In conducting the PIA, in addition to the considerations set out in the PIA Standard, the Designated Privacy Specialist will give consideration to:

• whether Ontario Health has the authority under PHIPA to collect the PHI for the purposes of carrying out the DHI activities;
• whether any and all conditions or restrictions set out in PHIPA and its regulations or by the Minister have been satisfied, including requirements to obtain express consent from individuals to collect PHI;
• whether reasonable controls are in place to protect the PHI that Ontario Health will collect;
• whether it will be necessary to notify individuals who are ongoing users of the DHI Services and/or obtain additional consent from such individuals in respect of the proposed change to the nature of PHI collected by Ontario Health; and
• whether the My Ontario Account for Health Privacy Statement or Digital Health Identifier Description of Activities requires updating to reflect changed or new PHI collected by Ontario Health.

3.2.4 The results of the Designated Privacy Specialist’s review will be documented in the PIA, including any risks identified with respect to privacy.

3.2.5 The PIA will be approved in accordance with the PIA Standard.

3.3 Approval and Consent to Collect the Digital Health Identifier Records

3.3.1 The Vice President, Access Products and Services is responsible for reviewing the PIA and other relevant documentation and determining whether to approve the proposed change to the PHI that Ontario Health collects for the purpose of carrying out DHI activities.

3.3.2 In reviewing and determining whether to approve the collection of PHI, at a minimum, the following criteria require attention:

• whether the collection of PHI is permitted by PHIPA;
• whether any and all conditions or restrictions set out in PHIPA or by the Minister have been satisfied, including requirements to obtain express consent from individuals to collect PHI; and
• whether the PHI proposed to be collected by Ontario Health is limited to that which is reasonably necessary for the purposes of carrying out the DHI activities.

3.3.3 Where the collection of PHI is approved, the Vice President, Access Products and Services, documents their approval in writing through the product management process.

3.3.4 Where the collection of PHI is approved, the process for reviewing and updating the procedure to be followed for obtaining express consent from individuals to collect PHI for the purposes of carrying out the DHI activities is set out in the Digital Health Identifier Consent Policy and Procedure.

3.4 Updating Descriptions of Types of Digital Health Identifier Records

3.4.1 Once all required approvals are obtained, the Designated Privacy Specialist is responsible for updating the My Ontario Account for Health Privacy Statement and the Digital Health Identifier Description of Activities as required, to identify the PHI that Ontario Health will collect for the purposes of carrying out the DHI activities, and the sources from whom Ontario Health typically collects PHI.

• When reviewing and updating the My Ontario Account for Health Privacy Statement and the Digital Health Identifier Description of Activities, consideration will be given to the information documented in the PIA.

3.4.2 The CPO or delegate is responsible for reviewing and approving the My Ontario Account for Health Privacy Statement and the Digital Health Identifier Description of Activities and all revisions made to them.

3.4.3 The Designated Privacy Specialist will work with the Ontario Health Communications team to ensure the updated My Ontario Account for Health Privacy Statement and Digital Health Identifier Description of Activities are posted on the Ontario Health website.

3.4.4 The My Ontario Account for Health Privacy Statement and the Digital Health Identifier Description of Activities requires CPO or delegate review on a regular basis, and at a minimum once every three years in accordance with the Privacy Audit and Compliance Policy and/or when a PIA is conducted in respect of the DHI activities.

3.4.5 In reviewing and/or in amending the My Ontario Account for Health Privacy Statement and the Digital Health Identifier Description of Activities, the CPO or delegate consults with the Director of the relevant Business Unit that is responsible for overseeing management of the DHI activities.

3.4.6 The My Ontario Account for Health Privacy Statement and the Digital Health Identifier Description of Activities are reviewed in accordance with the review process for privacy policies as set out in the Privacy Audit and Compliance Policy. At a minimum, they will be reviewed once every three years and when a new collection of PHI, or a change to the nature of the PHI that Ontario Health collects, is proposed.

4.1 Chief Privacy Officer

4.1.1 Ensures compliance with PHIPA and ensures relevant Ontario Health policies and procedures are put in place.

4.1.2 Responsible for the overall accountability and the day-to-day operations of the privacy program.

4.1.3 Approves PIAs, the My Ontario Account for Health Privacy Statement, the Digital Health Identifier Description of Activities and any revisions made to them.

4.2 Privacy Office

4.2.1 Authors and maintains this Policy.

4.2.2 Determines if a PIA is required in accordance with this Policy and the PIA Standard.

4.2.3 Conducts the PIA and communicates the results to the Director of the relevant Business Unit and to the Vice President, Access Products and Services.

4.2.4 Conducts PIA reviews in accordance with the PIA Standard.

4.2.5 Reviews, periodically, the types of PHI collected to ensure they are still necessary for the purposes of carrying out DHI activities.

4.2.6 Reviews and determines if updates are required to the My Ontario Account for Health Privacy Statement and the Digital Health Identifier Description of Activities in accordance with this Policy, drafts such amendments and provides the amendments to the CPO for review and approval, and requests the Communications team to post the amended My Ontario Account for Health Privacy Statement and Digital Health Identifier Description of Activities to the Ontario Health website.

4.3 Vice President, Access Products and Services

4.3.1 Reviews the PIA and other relevant documentation and determines whether to approve the collection of PHI as proposed for the purposes of carrying out the DHI activities.

4.4 Director, Digital Health Consumer Access Program (DHCAP)

4.4.1 Ensures that DHCAP and supporting teams operate in compliance with this Policy.

4.4.2 Engages the Privacy Office to review any new or proposed change to the nature of PHI collected by Ontario Health.

4.4.3 Approves the PIA and determines if the PHI that is proposed to be collected by Ontario Health is limited to only what is necessary for Ontario Health to carry out the DHI activities.

4.5 Designated Leads within Digital Health Consumer Access Program (DHCAP)

4.5.1 Ensures compliance with the procedures for the secure disposal of records of PHI in accordance with this Policy and the Digital Health Identifier Retention Standard.

4.5.2 Maintains a detailed inventory of Decommissioned Media transferred to Third-Party Service Providers for destruction and oversees secure destruction of electronic records of PHI by such Third-Party Service Providers.

4.6 Communications

4.6.1 Posts the updated My Ontario Account for Health Privacy Statement and Digital Health Identifier Description of Activities on the Ontario Health website.

4.7 Information Security Office

4.7.1 Providing consultation and support from a security perspective.

4.7.2 Providing Security Assessments (e.g., Threat and Risk Assessments) for the solution.

4.7.3 Providing security expertise in the development of information security mitigation plans.

4.8 Employees and other Ontario Health Agents

4.8.1 At the first reasonable opportunity upon identifying or becoming aware of a breach of this Policy, notifies Ontario Health’s Privacy Office.

Account Management Services: The services provided by Ontario Health that:

1. maintain the confidentiality, integrity or availability of an individual’s digital health identifier or related PHI,
2. relate to the maintenance of an individual’s digital health identifier or related PHI,
3. manage the activation, deactivation, reactivation or disposal of an individual’s digital health identifier or related PHI, or
4. are prescribed by O. Reg. 329/04.

Authentication Services: The services provided by Ontario Health that rely upon validation and verification services to establish confidence in an individual’s identity, or any other services prescribed by O. Reg. 329/04.

CPO: Chief Privacy Officer

Decommissioned Media: Has the meaning given to it in the Security Definitions Master Sheet

Designated Privacy Specialist: A member of the Privacy Office or individual acting on behalf of the Privacy Office

DHI: Digital health identifier

DHI Activity Records: Any of the following records:

1. records related to a change in the identifying information used in the creation or maintenance of an individual’s My Ontario Account for Health;
2. records of consents that have been given or withdrawn in relation to an individual’s My Ontario Account for Health;
3. records related to Validation and Verification Services; and records of the date on which an individual used the My Ontario Account for Health to access a Digital Health Tool (including My Health Record).

Digital Health Identifier Records: Records of PHI that are under the custody or control of Ontario Health and are collected or used by Ontario Health under its authority as a prescribed organization for the purposes of Part V.2 of PHIPA.

Digital Health Tool: Any digital platform, provided by either Ontario Health or an authorized health information custodian, that may be accessed by individuals through their My Ontario Account for Health.

Electronic Service Provider: A third-party contracted or otherwise engaged to provide services to Ontario Health for the purpose of enabling the use of electronic means to collect, use, modify, disclose, retain or dispose of records of PHI.

Employee: A person employed and compensated by Ontario Health as an Employee, and is classified as either permanent full-time, permanent part-time, temporary full-time, temporary part-time, paid student or casual, as set out in the Employee Classification Guideline. A consultant or contractor is not an Employee.

IPC: Information and Privacy Commissioner of Ontario

Minister: Minister of Health

My Health Record: A Digital Health Tool provided by Ontario Health that provides individuals who have a My Ontario Account for Health with digital access to certain of their health records that are contained in the Ontario Laboratories Information System and the Digital Health Drug Repository, which are held in the provincial Electronic Health Record maintained by Ontario Health.

My Ontario Account for Health: The application through which an individual may validate and verify their identity and authenticate themselves to access Digital Health Tools

O.329/04: Ontario Regulation 329/04 made under PHIPA

Ontario Health: The agency of the Government of Ontario to which this Policy applies.

Ontario Health Agent: A person that acts for or on behalf of Ontario Health for the purposes of Ontario Health, and not for the person’s own purposes, whether or not the person has the authority to bind Ontario Health, whether or not the person is an Employee, and whether or not the person is being remunerated.

PHI or Personal Health Information: Has the meaning set out in section 4 of PHIPA. Specifically, it is “identifying information” in oral or recorded form about an individual that:

• Relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family;
• Relates to the provision of health care to the individual, including the identification of a person as a provider of health care to the individual;
• Is a plan that sets out the home and community care services for the individual to be provided by a health service provider or Ontario Health Team pursuant to funding under section 21 of the Connecting Care Act, 2019;
• Relates to payments or eligibility for health care or eligibility for coverage for health care in respect of the individual;
• Relates to the donation by the individual of any body part or bodily substance of the individual or that is derived from the testing or examination of any such body part or bodily substance;
• Is the individual’s health number; and/or
• Identifies an individual’s substitute decision-maker.

PHI also includes identifying information about an individual that is not PHI listed above but that is contained in a record that includes PHI listed above.

Information is “identifying” when it identifies an individual or when it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify the individual.

PHIPA: Personal Health Information Protection Act, 2004.

References to PHIPA include O. Reg. 329/04, as may be amended or replaced from time to time.

PIA: Privacy Impact Assessment

Prescribed Organization or PO: The organization prescribed in Ontario Regulation 329/04 as the organization for the purposes of Part V.1 of PHIPA. The Prescribed Organization has the power and the duty to develop and maintain the EHR in accordance with Part V.1 of PHIPA and the regulations made thereunder.

Third-Party Service Provider: A third-party contracted or otherwise engaged to provide services to Ontario Health, including Electronic Service Providers.

Validation and Verification Services: Services provided by Ontario Health that:

1. validate the health number and additional PHI from the health card provided by an individual, including by relying on a database for health cards maintained by the Minister,
2. verify that an individual who is providing the health number or additional PHI, and such other identifying information as may be requested by Ontario Health, is the individual to whom the health number or PHI relates,
3. rely upon the services described in clauses (a) and (b), or such other services as may be prescribed by O. Reg. 329/04, to create or renew an individual’s digital health identifier, or
4. are prescribed by O. Reg. 329/04.

This Policy is to be reviewed by Ontario Health at least within 3 years of its effective date or earlier if required in accordance with the Privacy Audit and Compliance Policy.

• PHIPA and O. Reg. 329/04
• Personal Health Information Handling Standard
• PIA Standard
• My Ontario Account for Health Privacy Statement
• Digital Health Identifier Description of Activities
• Digital Health Identifier Consent Policy and Procedure
• Digital Health Identifier Retention Standard
• Privacy Audit and Compliance Policy
• Privacy Incident Management Policy and Procedure
• Privacy Intake Form
• Media Destruction, Sanitization and Disposal Standard

None

The following were consulted in the development of this Policy:

Staff from the Privacy Office and other Ontario Health Agents responsible for drafting, maintaining and/or reviewing the privacy policies in reference to Ontario Health’s privacy requirements.

April 2026: The policy was approved on April 9, 2026, by the Ontario Health Chief Executive Officer.