Virtual Visits Verification: Frequently Asked Questions

The purpose of the program is to support health service providers to make informed decisions about the virtual care solutions they procure and use by ensuring that verified solutions meet a provincial standard for privacy, security, technology, accessibility and functionality. Provincial initiatives may require use of an Ontario Health verified virtual visit solution. Health service providers are required to perform their own due diligence about privacy and security risks and confirm the compliance of their solution with relevant legislation.

Physicians should refer to their contractual requirement under which they receive remuneration to determine the details of remuneration related to virtual care and if verification status is a recommendation or required. Further remuneration questions should be directed to the funder through standard channels, such as the Ministry of Health’s Service Support Contact Centre at 1-800-262-6524.

The Verified Solutions List is made available to support health service providers in making informed decisions regarding selection and procurement of the most appropriate virtual care solution for their practice. Health service providers using an Ontario Health verified solution will benefit through:

• Confidence in selecting a solution that meets provincial privacy, security, interoperability, and accessibility requirements and aligns to provincial priorities such as Digital Health Information Exchange standards
• Safeguarding of patient personal health information (PHI)
• Alignment with provincial initiatives in which use of an Ontario Health verified virtual visit solution is a recommendation or a requirement

Program scope is limited to video and secure messaging. Solution providers may submit to become verified for video, secure messaging, or for both video and secure messaging.

No. Solution providers may submit to become verified at any time. However, in cases where solution providers have withdrawn from the program, they may re-submit to become verified no sooner than six months from the date of withdrawal. Solution providers are required to remain compliant to maintain their good standing in the program.

Solutions in the process of withdrawing from the program are identified on the Verified Solutions List for 60 days before they are withdrawn in order for health service providers, should they wish, to change to an alternative solution that has been verified by Ontario Health. Once a solution is moved to the Withdrawn Solutions List they are no longer considered an Ontario Health verified solution. Withdrawn solutions remain on the Withdrawn Solutions List for a period of six months.

Solutions are required to undergo validation testing and to submit substantiation materials in order to meet program requirements. OntarioMD performs the validation testing function which begins with an orientation session and sharing of information on the validation process. Validation involves the testing of functionalities and collection of documentation as may be required (i.e. certifications, audit logs, data tables, etc.). Solution providers offering more than one solution will be required to validate each solution independently and each solution will be separately listed on the Verified Solutions List.

Verification does not replace procurement. Health service providers (buyers) are required to follow the legislative and broader public sector procurement requirements that are applicable to them.

It is the solution provider’s responsibility to inform Ontario Health of any change to its solution that may affect its ability to meet all mandatory requirements.

Health Service Providers should encourage their solution providers to visit the Ontario Health website at the Virtual Visits Verification Standard where information about the program is published. If you are a health service provider that is participating in an innovative pilot, project or program, you are encouraged to email verification@ontariohealth.ca to request a meeting to discuss options available to verify your solution.

Yes. Requirements will evolve over time. Ontario Health will publish updated versions of the standard on the Virtual Visits Verification Standard. Verified solution providers will be notified of changes made to the requirements to which they have already attested to meeting. Where a requirement has changed and a solution provider is no longer able to meet its compliance obligation, a remediation process will be initiated to ensure that the solution provider has ample notice and sufficient time to comply with the updated version of the requirements.

The Virtual Visits Verification Program Terms and Conditions govern the overarching relationship between Ontario Health and solution providers.

The Virtual Visits Verification Standard outlines a framework and mandatory requirements that virtual visit solutions must demonstrate to be verified by Ontario Health’s Virtual Visits Verification Program.

Solution Providers that are interested in becoming verified are required to request from Ontario Health a submission package via email at verification@ontariohealth.ca. The submission package includes:

1. Attestation Letter;
2. Schedule A: Solution Provider and Solution Information;
3. Schedule B: Verified Solution Requirements;
4. Schedule C: Privacy Impact Assessment (PIA) Summary; and
5. Schedule D: Threat Risk Assessment (TRA) Summary or SOC 2 Type 2 Audit and Software Supply Chain Management Procurement Questionnaire.

Additional information regarding the program and submission criteria are described at Virtual Visits Verification Standard

To become verified, solution providers must meet all mandatory requirements as specified in the standard, and all program requirements as specified in the Virtual Visits Verification Program Terms and Conditions.

Submissions are processed on a first-come, first-served basis. While turnaround times are dependent upon the volume of submissions received, Ontario Health is generally able to return to solution providers with a Notice of Verification, or a Notice of Remediation, within five working days. Submissions that are found to be complete and in good order and that have successfully validated are published on the Verified Solutions List at the time of the Notice of Verification. Remediations can vary from minor to significant and as such can range in timeline from immediate term corrections to major remediations that can take months.

It depends on the risk level. High risks must be mitigated by the date of submission, medium risks must be mitigated within six months of the date of the privacy and security assessments respectively and low risks may be mitigated at the solution provider’s discretion.

The Privacy Impact Assessment (PIA) and Threat and Risk Assessment (TRA) date is the effective date of the PIA and TRA respectively. Ontario Health applies this date for risk monitoring and compliance scheduling. The date of submission is the date the vendor submits its application to become verified. The PIA and TRA must reflect the current solution being submitted to the program for consideration.

A key program objective is to enable health service providers with choice in selecting virtual care solutions that meet provincial standards in privacy, security, technology, accessibility and functionality. In support of that objective, an open market approach has been taken.

Solution providers are required to sign an Attestation Letter that affirms that their solution meets all mandatory requirements. Up-to-date Privacy Impact (PIA) and Threat Risk (TRA) Assessment Summaries are required to be submitted. Solution providers may submit a SOC 2 Type 2 audit report in place of a TRA. PIA and TRA Summaries must include a table of contents from the full-length assessment, a risk table that classifies risks as high, medium, or low, and a mitigation plan for each risk identified. In order to meet Security Control Objectives (requirement 2.3.11), solution providers are required to submit one of the following documents: a SOC 2 Type 2 audit, HiTrust Certification, ISO 27001, OMD Certification or CHI Certification. If solution providers elect to submit a SOC 2 Type 2 audit, they are not required to submit a TRA separately. In order to meet privacy requirements, the PIA Summary should include (i) a brief description of the solution, (ii) a statement reflecting that the PIA is current, (iii) the role(s) which the organization plays under PHIPA and why they believe that the authority applies, (iv) a summary of risk findings including a likelihood and impact table or risk heat map, (v) a status on any outstanding risks and (vi) the name and contact information of the individual(s) and/or organization(s) who conducted the PIA.

Further information is provided in the submission package that Ontario Health shares with solution providers upon their confirmed interest in participating in the program.

Yes. There are four statuses that solutions can fall into:

• Verified: solutions that have passed Ontario Health’s review of their initial submission package.
• Validated: solutions that have passed validation testing at OntarioMD.
• Under Review: where solutions do not meet one or more mandatory requirement(s) the status on the verified solutions list may change to “Under Review.”
• Withdrawn: solutions that fail to remediate, or elect to leave the program, are moved from the Verified Solutions List to the Withdrawn Solutions List after a 60-day period where their solution remains on the Verified Solutions List with a notation that it will be moved to the Withdrawn Solutions List by a specific date. Solutions remain on the Withdrawn Solutions List for a period of six months.

If you are no longer able to meet any mandatory requirement(s) the status of your solution listing may change to reflect ‘Under Review’ or may be ‘Withdrawn’ should you be unable or unwilling to remediate identified compliance gaps. A remediation plan will be reviewed, and then if deemed satisfactory to address any gaps, may be accepted by Ontario Health to maintain the solution on the Verified Solutions List on a temporary basis, denoted as ‘Under Review’, until such time that the solution has been successfully verified as meeting all mandatory requirements. A remediation plan is a written summary, submitted by the solution provider to Ontario Health, specifying the requirement(s) where compliance gaps have been identified, the actions the solution provider plans to take to resolve said gaps, and the timeline for resolution.

The purpose of a SOC 2 Type 2 audit is to assess a solution provider’s ability to protect Personal Health Information and customer data based on five Trust Principles of which Security Common Criteria is one. Performed by an accredited auditor (CPAs or CPA firms) as defined by the American Institute of Certified Public Accounts (AICPA) Trust Services Principles and Criteria, SOC 2 Type 2 is a widely accepted security standard and framework that is considered as equivalent to a TRA for the purpose of this program.

Not necessarily. Responsible privacy and security professionals may be employees, contractors, or third-party consultants. The responsible privacy professional must be certified with one of the following credentials obtained through International Association of Privacy Professionals (IAPP): Certified Information Privacy Professional (CIPP/C or CIPP/US); Certified Information Privacy Manager (CIPM); Certified Information Privacy Technologist (CIPT), or in the absence of such IAPP certification, the responsible privacy professional must have a minimum of two years of experience conducting PIAs in healthcare in Ontario and/or Canada. The responsible security professional must have at least five years of direct full-time security experience that includes conducting TRAs or managing security risks and is in possession of an industry recognized security certification (e.g., CISSP, CISM, CISA, CRISC).

Privacy Impact Assessments must be refreshed every three years or when there has been a change in the solution provider’s solution, legislation, policy, or business operations that may have an impact on privacy of health information or to privacy rights.

Threat Risk Assessments must be refreshed every three years or whenever there is a significant change in the design of the solution, policy or applicable business operations that may impact the security posture of the solution.

SOC 2 Type 2 audits must be refreshed annually. ISO 27001 certification is required to be refreshed every three years, OMD Certification every two years and HiTrust Certification every two years.

The verification page at the Virtual Visits Verification Standard provides links to the following program documents:

• The standard
• Program terms and conditions
• Program updates
• Glossary: terms and words related to the program
• Virtual Care Maturity Model: is a self-serve resource developed by Ontario Health to support health care organizations measure and compare their maturity in use of virtual care solutions

Ontario Health encourages health service providers and solution providers to send questions to verification@ontariohealth.ca.

Solution Providers that do not meet all mandatory requirements will be notified and invited to re-submit if/when they are ready and able to comply.

Pricing is part of a commercial relationship between the buyer (health service provider) and the supplier (solution provider). Ontario Health does not collect pricing information.

Yes, EMRs that have been certified by OntarioMD do need to become separately verified by Ontario Health. OntarioMD Certification meets requirement 2.3.11 (Security Control Objectives).

Ontario Health’s Virtual Visits Verification Program is aligned with OntarioMD’s certification program in three respects:

• OntarioMD utilizes its operational expertise in EMR certification in performance of the validation testing function
• OntarioMD certified vendors automatically meet requirement 2.3.11
• the refresh cycle for privacy and security documentation submitted by OntarioMD certified vendors aligns to the timeline of OntarioMD certification