Ontario Health Statement of Information Practices

Authority to Collect, Use and Disclose Personal Information and Personal Health Information

Ontario Health generally derives its authority to collect, use, and disclose personal health information and personal information from privacy laws, including the Personal Health Information Protection Act, 2004 (PHIPA), the Freedom of Information and Protection of Privacy Act, 1990 (FIPPA), the Connecting Care Act, Gift of Life Act (GOLA), as well as agreements with the Ministry of Health. 

PHIPA is a provincial health privacy law that establishes rules for the management of personal health information and the protection of the confidentiality of that information, while facilitating the effective delivery of healthcare services. 

FIPPA is a provincial privacy law that establishes rules for the management of personal information and the protection of the confidentiality of that information, while providing a right of access to information under the control of institutions. 

Connecting Care Act is a provincial law that established a new model of integrated public health care, including the creation of Ontario Health as a single provincial agency to ensure best-in-class clinical guidance and approaches to care.

GOLA is a provincial law that establishes the rules for transplants. Ontario Health is permitted under GOLA to collect, use and disclose personal information, including personal health information, for a purpose related to organ and tissue donation and transplantation.  

PHIPA Roles

Ontario Health holds multiple roles under PHIPA, including as:

• a prescribed organization,
• prescribed entity,
• prescribed person,
• health information network provider,
• PHIPA agent and
• electronic service provider.

For the three prescribed roles, Ontario Health has specific requirements to implement practices and procedures to protect the privacy of the individuals whose personal health information it handles and to maintain the confidentiality of that information that are designed to be compliant with the IPC's Manual for the Review and Approval of Prescribed Organization as well as the IPC's Manual for the Review and Approval of Prescribed Persons and Prescribed Entities. These information practices must be reviewed and approved every 3 years by the Information and Privacy Commissioner of Ontario.

Prescribed Organization (PO)

As a prescribed organization, Ontario Health has the power and duty to develop and maintain the provincial electronic health record (EHR) and other prescribed duties. Under PHIPA, Ontario Health is not considered to be collecting personal health information from health information custodians or disclosing personal health information to health information custodians when it receives and makes available personal health information as a prescribed organization. Ontario Health uses personal health information for the purposes of developing and maintaining the EHR, including associated functions, and for other prescribed duties, and may not provide or disclose personal health information that is accessible by means of the EHR, to any person, except as permitted or required by PHIPA.

For a description of the EHR and a summary of the types of personal health information received by Ontario Health to develop and maintain the EHR, see Ontario Health's Plain Language Description of the Electronic Health Record.

Prescribed Entity (PE)

Ontario Health has the status 'prescribed entity' under s. 18(1) of Ontario Regulation 329/04 for the purposes of s. 45 of PHIPA. As a prescribed entity, Ontario Health may collect PHI without individuals' consent from Health Information Custodians and use that information for analysis and compiling with respect to the management of, evaluation or monitoring of, the allocation of resources to or planning for all or part of the health system, including the delivery of services.

For a list of the types of personal health information that Ontario Health collects as a Prescribed Entity see Ontario Health's Data Assets.

Prescribed Person (PP)

Ontario Health also has the status 'prescribed person' under PHIPA with respect to Ontario Health's role in compiling and maintaining prescribed registries:

• Ontario Cancer Screening Registry (OCSR) as part of Ontario's Cancer Screening Program.
• Registry of Cardiac and Vascular Services.

This designation grants Ontario Health the authority to collect, use and disclose personal health information, without consent, for the purpose of facilitating or improving the provision of healthcare under s. 39(1)(c) of PHIPA. Other permitted uses and disclosures are described in Part IV of PHIPA and its regulation.

For a list of the types of personal health information that Ontario Health collects as a prescribed person or prescribed entity see Ontario Health's Data Assets.

Researcher

Ontario Health operates a research program to develop new knowledge through epidemiological, intervention, health services, surveillance, and policy research, as well as knowledge synthesis and dissemination. As a prescribed entity or a prescribed person, Ontario Health can conduct research under PHIPA or FIPPA as a researcher, including use of information collected as a prescribed entity, prescribed person, or under the Gift of Life Act.

Health Information Network Provider (HINP)

Ontario Health provides information systems to Health Information Custodian's to enable them to exchange personal health information with each other. In providing such services, Ontario Health is acting as a Health Information Network Provider and is subject to additional privacy requirements under O. Reg. 329/04.

When we take on the role of a health information network provider, we must adhere to the requirements outlined in the regulation that accompanies PHIPA. We have put in place measures to address all the stipulated requirements, some of which include the following:

• providing to each applicable health information custodian a plain language description of the services that Ontario Health provides to the custodians including a general description of the safeguards in place
• public posting of the plain language description of services
• documented protocols, specific to the health information network provider services
• written agreements with each health information custodian organization that participates in the respective health information network provider service

PHIPA Agent

An Agent under PHIPA, is a person that, with the authorization of the Health Information Custodian, acts for or on behalf of the Health Information Custodian in respect of personal health information for the purposes of the Health Information Custodian, and not the Agent's own purposes, whether or not the Agent has the authority to bind the HIC, whether or not the Agent is employed by the Health Information Custodian, and whether or not the Agent is being remunerated. Ontario Health may act as a PHIPA Agent, if Ontario Health is authorized to do so by the Health Information Custodian for purposes, for example, of responding to access and correction requests.

Electronic Service Provider (ESP)

Ontario Health provides information technology services to healthcare providers to enable them to collect, use, modify, disclose, retain or dispose of personal health information, or to exchange personal health information with each other. In providing these services Ontario Health act as an Electronic Service Provider pursuant to PHIPA regulations. This Electronic Service Provider role strictly limits Ontario Health's use of personal health information to only that which support health care providers.

Determining eligibility for funding of healthcare services

Ontario Health also collects personal health information from health information custodians to determine or verify eligibility for reimbursement for healthcare or related goods, services or benefits, as set out under section 39(1)(a) and 49(6) of PHIPA.

Furthermore, Ontario Health has the legal authority as an agency under section 38(1)(b) of PHIPA to collect personal health information from health information custodians to determine or provide funding or payment for the provision of health care. The purpose of such collection must be consistent with CCO's authority under section 38(1)(b).

FIPPA Institution

Ontario Health is an institution as defined in FIPPA and is subject to its requirements. FIPPA governs how we manage and handle personal information and imposes requirements to protect the privacy of individuals.

Ontario Health will only collect personal information where the collection is specifically authorized by law, used for the purposes of law enforcement or necessary for the administration of a lawfully authorized activity. We will only use and disclose personal information as allowed or required by law.

Gift of Life Act (GOLA)

Ontario Health has broad permissions under the Gift of Life Act (GOLA) to support lifesaving and life-enhancing donation for transplantation. Ontario Health is permitted under GOLA to collect, use and disclose personal information, including personal health information, for a purpose related to organ and tissue donation and transplantation. 

Designated facilities as defined and regulated under GOLA – such as Ontario hospitals, transplant programs, laboratories and tissue banks are required to disclose personal information and personal health information to Ontario Health. Ontario Health also has the authority under GOLA to disclose personal information and personal health information with designated facilities and other organizations that Ontario Health has entered into an agreement with. Collection and disclosure are only made if it is necessary for a purpose related to organ and tissue donation and transplantation. 

Collection of Personal Information and Personal Health Information

Ontario Health collects personal information and personal health information from different sources. Most of the personal information and personal health information comes from facilities such as hospitals, clinics, independent healthcare facilities and laboratories.

We also collect personal information and personal health information from other government organizations and data partners, and we collect personal information directly from individuals, if required.

Use of Personal Information and Personal Health Information

Ontario Health uses personal information and personal health information in the following ways:

• Create and maintain the Electronic Health Record
• Support service provision;
• Plan, administer and evaluate internal programs and services
• Health care system planning and management purposes;
• Facilitate payment for services;
• Conducting data quality and risk management activities;
• To conduct research;
• Activities as permitted or required by law;

Disclosure of Personal Information and Personal Health Information

Ontario Health does not disclose personal information or personal health information with identifiers unless the individual consents and it is necessary for a lawful purpose or where it is permitted or required by law.

Safeguards

Ontario Health has physical, administrative and technical safeguards in place to protect PHI against loss, theft, unauthorized access, disclosure, copying, use or modification. For additional information about the safeguards, see our Safeguards page.

Your Privacy Rights

Ontario Health supports individuals in exercising their privacy rights under applicable privacy laws.

Access to and/or Correction of Personal Information and Personal Health Information

You have a right under PHIPA to access your personal health information. You may also request correction of your personal health information. Ontario Health supports “access requests” and “correction requests” from individuals in accordance with the requirements of PHIPA, and its policies and procedures.

Prescribed Organization

To request access to, or correction of, personal health information held in the Electronic Health Record, refer to Accessing your EHR for more information.

FIPPA Institution

You have a right under FIPPA to request access to your personal information. You may also request correction of your personal information. Ontario Health supports access and correction requests from individuals in accordance with the requirements of FIPPA, and its policies and procedures. To make a request under FIPPA, see Freedom of Information Requests.

Consent Management

Where Ontario Health requires your consent for handling of your personal health information, you may withdraw this consent in accordance with PHIPA, applicable agreements, and Ontario Health policies and procedures.

Prescribed Organization

If you choose to withdraw consent to handling of your personal health information for health care purposes by means of the Electronic Health Record, Ontario Health will apply a “consent directive” to your personal health information. When a consent directive is applied to your personal health information, health care providers will be unable to access this information in the Electronic Health Record unless certain circumstances are met.

In accordance with PHIPA, under certain circumstances, a health care provider can perform a “consent override” to access your personal health information. It is important to know that in some instances, a health care provider may not have the technical ability to perform a consent override and therefore may not be able to access your personal health information while a consent directive is in place, even in emergency circumstances.

To withdraw consent for handling of your records for health care purposes by means of the Electronic Health Record, refer to Managing Access to your EHR for more information.

View our Contact Us page form more information on how to reach the Ontario Health Privacy team and the Information and Privacy Commissioner of Ontario.