Digital Health Identifier Consent Policy and Procedure

Policy Level Approval: Chief Executive Officer
Policy Category: Enterprise Policy
Policy Number:
Policy Sponsor (or Sponsors): Chief, Strategy, Planning, Privacy & Analytics
Original Date of Approval: April 9, 2026
Date of Posting:
Version Approval Date: April 9, 2026

1. Purpose, Objectives and Scope

1.1 Purpose

1.1.1 This Policy and its procedures address the process to be followed when Ontario Health obtains express consent from individuals to collect, use, or disclose their PHI for the purposes of carrying out digital health identifier (DHI) activities, as well as the process to be followed by Ontario Health when responding to requests from individuals to withdraw such consent.

1.2 Objectives

1.2.1 This Policy and its procedures support Ontario Health’s management of consent and enable it to:

  • meet its obligations under the Personal Health Information Protection Act, 2004 (PHIPA);
  • meet its obligations under the applicable manual for prescribed organizations, as may be published and/or amended from time to time by the Information and Privacy Commissioner of Ontario (IPC); and
  • protect the privacy of individuals and the confidentiality of their PHI.

1.3 Scope

1.3.1 This Policy applies to Ontario Health when it acts under its authority as a prescribed organization for the purposes of Part V.2 of PHIPA.

1.3.2 This Policy applies to all Employees, people leaders, board members, secondees, consultants, and other Ontario Health Agents.

1.4 Compliance, Audit and Enforcement

1.4.1 Compliance with this Policy in its entirety is mandatory unless an exception to a specific section is approved by the Chief Privacy Officer (CPO) or delegate in writing. Failure to comply with the requirements of this Policy, without a written exception, may result in disciplinary action up to and including revocation of appointment, termination of employment or termination of contract without notice or compensation.

1.4.2 Compliance will be audited in accordance with and as per the frequency outlined in the Privacy Audit and Compliance Policy.

1.4.3 At the first reasonable opportunity upon identifying or becoming aware of a breach of this Policy, Employees and other Ontario Health Agents must notify Ontario Health’s Privacy Office by reporting the breach to the Enterprise Service Desk by Phone: 1-866-250-1554; or Email: oh-servicedesk@ontariohealth.ca.

1.4.4 Breaches of this Policy will be managed in accordance with the Privacy Incident Management Policy and Procedure.

1.4.5 Compliance will be enforced in accordance with the Progressive Discipline Policy.

1.5 Terminology

1.5.1 The words “include” and “including” when used are not intended to be exclusive and mean, respectively, “include, without limitation,” and “including, but not limited to”.

1.5.2 Capitalized terms in this Policy have the meanings set out in the Definitions and Acronyms section (Section 7). Acronyms are defined in-text, in parentheses, following their first use.

1.5.3 The terms “collect”, “disclose”, “health information custodian”, “health number”, “prescribed organization”, and “use” have the meanings given to them in PHIPA.

2. Policy

2.1 General

2.1.1 PHIPA provides that the knowledge and express consent of the individual are required for the collection and use of PHI by Ontario Health for the purpose of carrying out DHI activities and for the disclosure of PHI by Ontario Health to the Minister for the purpose of carrying out validation and verification services.

2.1.2 Ontario Health has a process in place to obtain express consent in accordance with the requirements of PHIPA, so that the consent that is obtained satisfies the following conditions:

  • it is a consent of the individual to whom the PHI relates;
  • it is knowledgeable, in that the individual understands the purpose of the collection, use and disclosure and knows they can give or withhold consent;
  • it relates to the PHI that is being collected, used or disclosed; and
  • it is not obtained through deception or coercion.

2.1.3 Ontario Health implements requests to withdraw consent and, if applicable, delete an individual’s My Ontario Account for Health when requested to do so by an individual in accordance with the requirements of PHIPA. Any such withdrawal of consent does not have a retroactive effect.

2.1.4 Ontario Health communicates the following information to the public relating to consent and withdrawal of consent:

  • a description of when and how Ontario Health obtains consent to collect and use PHI for the purpose of carrying out DHI activities and to disclose PHI to the Minister for the purpose of carrying out Validation and Verification Services;
  • a description of how to make a request to withdraw consent to the foregoing and, if applicable, delete a My Ontario Account for Health and any limitations on an individual’s ability to withdraw consent; and
  • notice that a My Ontario Account for Health that has not been used for two years shall be deemed to be inactive and PHI associated with that account will be securely disposed of in accordance with Ontario Health’s Digital Health Identifier Retention Standard.

2.1.5 Ontario Health takes reasonable steps to test to ensure that requests to withdraw consent and, if applicable, delete an individual’s My Ontario Account for Health have been properly implemented.

2.1.6 Ontario Health keeps an electronic record of all instances where consent is obtained or withdrawn in accordance with the requirements set out in Appendix “A” and the DHI Retention Standard.

3.1 General

3.1.1 This section establishes the process to be followed by Ontario Health in obtaining express consent from individuals in accordance with section 55.17 of PHIPA and in actioning requests from individuals to withdraw consent.

3.2 When Ontario Health Seeks Consent

3.2.1 Ontario Health obtains express consent for the collection, use or disclosure of PHI at or prior to the time of its collection.

3.2.2 An individual will not, as part of obtaining consent, be required to consent to the use or disclosure of their PHI for purposes that are not necessary for the provision of DHI activities.

3.3 Elements of Express Consent

3.3.1 Ontario Health always obtains express consent to collect or use PHI for the purpose of carrying out DHI activities or to disclose PHI to the Minister for the purpose of carrying out validation and verification services.

3.3.2 Express consent must be a consent of the individual. Ontario Health obtains express consent from the individual directly, in electronic form, when they register for or take other actions in their My Ontario Account for Health.

3.3.3 Express consent must be knowledgeable. Ontario Health provides individuals with information about the purposes of the collection, use and disclosure of their PHI, and informs individuals that they may give or withhold consent, at the time that consent is obtained. This information is made available through the My Ontario Account for Health Privacy Statement.

3.3.4 Express consent must relate to the PHI. Ontario Health identifies the type of PHI that is being collected at the time that consent is obtained.

3.3.5 Express consent must not be obtained through deception or coercion. Ontario Health has in place and complies with a Privacy Transparency Policy.

4.1 Notice of Withdrawal of Consent

4.1.1 Ontario Health provides individuals with the ability to notify Ontario Health of their withdrawal of consent through their My Ontario Account for Health. This information is made available through the My Ontario Account for Health Privacy Statement and through the My Ontario Account for Health account settings page.

4.1.2 An individual may withdraw their consent to:

  • the continued use and disclosure of their PHI by Ontario Health for the purpose of carrying out all DHI activities. Such a consent withdrawal results in the deletion of the individual’s My Ontario Account for Health; or
  • the continued use and disclosure of their PHI by Ontario Health for the purpose of authenticating the individual’s access to a Digital Health Tool through their My Ontario Account for Health. Such a consent withdrawal means that the individual is no longer able to access the relevant Digital Health Tool through their My Ontario Account for Health.

4.1.3 If an individual is unable to access their My Ontario Account for Health account settings, they may notify Ontario Health of their withdrawal of consent by contacting ServiceOntario via telephone at 1-833-411-2680. ServiceOntario receives and implements such requests on behalf of Ontario Health.

4.2 Implementing a Request to Withdraw Consent in respect of all DHI Activities

4.2.1 When an individual withdraws their consent to the continued use and disclosure of their PHI by Ontario Health for the purpose of carrying out DHI activities, Ontario Health implements the request by deleting their My Ontario Account for Health and all associated PHI.

  • Account deletion takes effect immediately, if the request is made by the individual through their My Ontario Account for Health account settings.
  • Account deletion takes effect within 10 business days, if the request is made by the individual by contacting ServiceOntario.

4.2.2 Ontario Health implements requests to withdraw consent on a prospective basis. An individual’s request to withdraw consent does not have a retroactive effect.

4.2.3 If an individual withdraws their consent to the continued use and disclosure of their PHI by Ontario Health for the purpose of carrying out DHI activities, Ontario Health may, in accordance with O. Reg. 329/04, continue to use such PHI for the purpose of retaining, maintaining, and disposing of the PHI and for incident and breach management activities, including maintenance, auditing and responding to such incidents or breaches.

4.3 Implementing a Request to Withdraw Consent in respect of Linked Digital Health Tools

4.3.1 When an individual withdraws their consent to the continued use and disclosure of their PHI by Ontario Health for the purpose of authenticating the individual’s access to a Digital Health Tool through their My Ontario Account for Health, Ontario Health implements the request by “unlinking” the relevant Digital Health Tool from their My Ontario Account for Health.

4.3.2 Once the consent withdrawal has been implemented, the individual is no longer able to access the relevant Digital Health Tool through their My Ontario Account for Health (i.e., the relevant Digital Health Tool is removed from the individual’s list of linked Digital Health Tools).

4.3.3 The withdrawal of consent does not extend to the continued use and disclosure of the individual’s PHI by the entity that provides the Digital Health Tool, for purposes relating to the provision of that Digital Health Tool, including for the purpose of maintaining the individual’s account or user profile associated with that Digital Health Tool.

4.3.4 Ontario Health implements such a request to withdraw consent on a prospective basis. An individual’s request to withdraw consent does not have a retroactive effect.

4.4 Testing Withdrawal of Consent

4.4.1 Ontario Health takes reasonable steps to test to ensure that requests to withdraw consent have been properly implemented in an individual’s My Ontario Account for Health through a daily verification process.

4.5 Confirmation (Notice of Consent Withdrawal)

4.5.1 When an individual withdraws their consent to the continued use and disclosure of their PHI by Ontario Health for the purpose of carrying out DHI activities, Ontario Health notifies the individual that the request has been implemented by sending an email confirmation of account deletion.

4.5.2 When an individual withdraws their consent to the continued use and disclosure of their PHI by Ontario Health for the purpose of authenticating the individual’s access to a Digital Health Tool through their My Ontario Account for Health, Ontario Health notifies the individual that the request has been implemented via a pop-up notice in their My Ontario Account for Health.

5. Logging Requirements

5.1 Logging

5.1.1 Ontario Health maintains logs of the following, in accordance with the detailed requirements listed in Appendix “A”:

  • all instances where express consent is obtained by Ontario Health to collect or use PHI for the purpose of carrying out DHI activities and to disclose PHI to the Minister for the purpose of carrying out Validation and Verification Services;
  • all instances where an individual makes a request to withdraw their consent to the foregoing; and
  • all instances where an individual makes a request to withdraw their consent to the continued use and disclosure of their PHI by Ontario Health for the purpose of authenticating the individual’s access to a Digital Health Tool through their My Ontario Account for Health.

5.1.2 The VP, Access Products and Services is responsible for ensuring that Ontario Health maintains the logs identified in section 5.1.1 of this Policy and for providing such information to the CPO or their delegate, upon request, in order to respond to DHI Privacy Inquiries or DHI Privacy Complaints.

6. Responsibilities

6.1 Chief Privacy Officer

6.1.1 Ensures compliance with PHIPA and ensures relevant Ontario Health policies and procedures are put in place.

6.1.2 Responsible for the overall accountability and the day-to-day operations of the privacy program.

6.1.3 Oversees Ontario Health’s processes for obtaining consent, actioning requests to withdraw consent, and deleting an individual’s My Ontario Account for Health.

6.2 Vice President, Access Products and Services

6.2.1 Maintains and ensures continuity of service of the systems that enable obtaining consent and consent withdrawal (including deletion of a My Ontario Account for Health).

6.3 Director, Digital Health Consumer Access Program (DHCAP)

6.3.1 Ensures that DHCAP and supporting teams operate in compliance with this Policy.

6.4 Designated Leads within the Digital Health Consumer Access Program (DHCAP)

6.4.1 Prepares and provides logs and reports of consents obtained and requests to withdraw consent in accordance with this Policy and its procedures (or oversees third party service providers that prepare such logs and reports).

6.4.2 Generates reports in accordance with this Policy (or oversees third party service providers that generate such reports).

6.5 Employees and other Ontario Health Agents

6.5.1 Immediately forwards any requests for withdrawal of consent and deletion of an individual’s My Ontario Account for Health to ServiceOntario.

6.5.2 At the first reasonable opportunity upon identifying or becoming aware of a breach of this Policy, notifies Ontario Health’s Privacy Office.

7. Definitions and Acronyms

CPO: Chief Privacy Officer

Digital Health Identifier Records: Records of PHI that are under the custody or control of Ontario Health and are collected or used by Ontario Health under its authority as a prescribed organization for the purposes of Part V.2 of PHIPA.

DHI: Digital health identifier

DHI Privacy Complaint: Concerns or complaints related to:

  1. Ontario Health’s collection, use, or disclosure of PHI for the purpose of carrying out DHI activities; or
  2. Ontario Health’s compliance with PHIPA or with the privacy policies, procedures, and practices implemented by Ontario Health in relation to its DHI activities.

DHI Privacy Inquiry: Inquiries related to:

  1. Ontario Health’s collection, use, or disclosure of PHI for the purpose of carrying out DHI activities; or
  2. Ontario Health’s compliance with PHIPA or with the privacy policies, procedures, and practices implemented by Ontario Health in relation to its DHI activities.

Digital Health Tool: Any digital platform, provided by either Ontario Health or an authorized health information custodian, that may be accessed by individuals through their My Ontario Account for Health.

Employee: A person who is employed and compensated by Ontario Health as an Employee and is classified as either permanent full-time, permanent part-time, temporary full-time, temporary part-time, paid student or casual, as set out in the Employee Classification Guideline. A consultant or contractor is not an Employee.

IPC: Information and Privacy Commissioner of Ontario

Minister: Minister of Health

My Ontario Account for Health: The application through which an individual may validate and verify their identity and authenticate themselves to access Digital Health Tools.

O. Reg. 329/04: Ontario Regulation 329/04 made under PHIPA

Ontario Health: The agency of the Government of Ontario to which this Policy applies.

Ontario Health Agent: A person that acts for or on behalf of Ontario Health for the purposes of Ontario Health, and not for the person’s own purposes, whether or not the person has the authority to bind Ontario Health, whether or not the person is an Employee, and whether or not the person is being remunerated.

PHI or Personal Health Information: Has the meaning set out in section 4 of PHIPA. Specifically, it is “identifying information” in oral or recorded form about an individual that:

  • Relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family;
  • Relates to the provision of health care to the individual, including the identification of a person as a provider of health care to the individual;
  • Is a plan that sets out the home and community care services for the individual to be provided by a health service provider or Ontario Health Team pursuant to funding under section 21 of the Connecting Care Act, 2019;
  • Relates to payments or eligibility for health care or eligibility for coverage for health care in respect of the individual;
  • Relates to the donation by the individual of any body part or bodily substance of the individual or that is derived from the testing or examination of any such body part or bodily substance;
  • Is the individual’s health number; and/or
  • Identifies an individual’s substitute decision-maker.

PHI also includes identifying information about an individual that is not PHI listed above but that is contained in a record that includes PHI listed above.

Information is “identifying” when it identifies an individual or when it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify the individual.

PHIPA: Personal Health Information Protection Act, 2004.

References to PHIPA include O. Reg. 329/04, as may be amended or replaced from time to time.

Prescribed Organization or PO: The organization prescribed in Ontario Regulation 329/04 as the organization for the purposes of Part V.1 of PHIPA. The Prescribed Organization has the power and the duty to develop and maintain the EHR in accordance with Part V.1 of PHIPA and the regulations made thereunder.

Validation and Verification Services: Services provided by Ontario Health that:

  (a) validate the health number and additional PHI from the health card provided by an individual, including by relying on a database for health cards maintained by the Minister,
  (b) verify that an individual who is providing the health number or additional PHI, and such other identifying information as may be requested by Ontario Health, is the individual to whom the health number or PHI relates,
  (c) rely upon the services described in clauses (a) and (b), or such other services as may be prescribed by O. Reg. 329/04, to create or renew an individual’s digital health identifier, or
  (d) are prescribed by O. Reg. 329/04.

8. Review Cycle

This Policy is to be reviewed by Ontario Health at least within 3 years of its effective date or earlier if required in accordance with the Privacy Audit and Compliance Policy.

9. References and/or Key Implementation Documents

  • PHIPA and O. Reg. 329/04
  • Digital Health Identifier Retention Standard
  • Privacy Audit and Compliance Policy
  • Privacy Incident Management Policy and Procedure

10. Appendices

  • Appendix A: Contents of Logging

11. Policy Consultations

The following were consulted in the development of this Policy:

  • Staff from the Privacy Office and other Ontario Health Agents responsible for drafting, maintaining and/or reviewing the privacy policies in reference to Ontario Health’s privacy requirements.

12. Policy Review History

April 2026: The policy was approved on April 9, 2026, by the Ontario Health Chief Executive Officer.

Appendix A: Contents of Logging

Ontario Health, or an Ontario Health Agent acting on its behalf, keeps an electronic record of all instances where Ontario Health obtains express consent to (1) collect or use PHI for the purpose of carrying out DHI activities and to disclose PHI to the Minister for the purpose of carrying out validation and verification activities, and (2) use and disclose PHI for the purpose of authenticating the individual’s access to a Digital Health Tool through their My Ontario Account for Health.

The electronic record identifies:

  • the individual who provided consent;
  • the nature of the consent provided, including the type of PHI at issue and the purpose for its collection, use, or disclosure; and
  • the date and time that the consent was provided.

Keeping an Electronic Record of Consent Withdrawal

Ontario Health, or an Ontario Health Agent acting on its behalf, keeps an electronic record of all instances where an individual requests to withdraw their consent to (1) the collection or use of their PHI for the purpose of carrying out DHI activities and to the disclosure of their PHI to the Minister for the purpose of carrying out validation and verification activities, and (2) the use and disclosure of their PHI for the purpose of authenticating the individual’s access to a Digital Health Tool through their My Ontario Account for Health.

The electronic record identifies:

  • the individual who withdrew consent;
  • the date the request was received; and
  • the date and time that the request was actioned and, as applicable, the individual’s My Ontario Account for Health was deleted or the Digital Health Tool was unlinked from their My Ontario Account for Health.

Last Updated: May 11, 2026