Virtual Visits Verification Program
What is the purpose of Ontario Health’s Virtual Visits Verification Program (‘the program’)?
The purpose of the program is to support health service providers to make informed decisions about the virtual care solutions they procure and use by ensuring that verified solutions meet a provincial standard for privacy, security, technology, and functionality. Provincial initiatives may require use of an Ontario Health verified virtual visit solution. Health service providers are required to perform their own due diligence about privacy and security risks and confirm the compliance of their solution with relevant legislation.
Does using a verified solution impact the ability of Ontario physicians to receive remuneration for virtual care services?
Physicians should refer to their contractual requirement under which they receive remuneration to determine the details of remuneration related to virtual care and if verification status is a recommendation or required. Further remuneration questions should be directed to the funder through standard channels, such as the Ministry of Health’s Service Support Contact Centre at 1-800-262-6524.
How do health service providers benefit from using solutions that comply with the provincial standard for virtual care?
The Verified Solutions List is made available to support health service providers in making informed decisions regarding selection and procurement of the most appropriate virtual care solution for their practice. Health service providers using an Ontario Health verified solution will benefit through:
- Confidence in selecting a solution that meets provincial privacy, security, interoperability, and technical requirements and aligns to provincial priorities such as Digital Health Information Exchange standards
- Safeguarding of patient personal health information (PHI)
- Alignment with provincial initiatives in which use of an Ontario Health verified virtual visit solution is a recommendation or a requirement
What is the program’s scope in terms of virtual care modalities?
Program scope is limited to video and secure messaging. Solution providers may submit to become verified for video, secure messaging, or for both video and secure messaging.
Is there a timeframe that solution providers are required to meet to become verified?
No. Solution providers may submit to become verified at any time. However, in cases where solution providers have withdrawn from the program, they may re-submit to become verified no sooner than six months from the date of withdrawal. Solution providers are required to remain compliant to maintain their good standing in the program.
What are the implications of a solution withdrawing from the program?
Solutions in process to withdraw from the program are identified on the Verified Solutions List for 60 days before they are withdrawn in order for health service providers, should they wish, to change to an alternative solution that has been verified by Ontario Health. Once a solution is moved to the Withdrawn Solutions List, it is no longer considered an Ontario Health verified solution. Withdrawn solutions remain on the Withdrawn Solutions List for a period of six months.
What is involved for solution providers in the validation phase?
Solutions are required to undergo validation testing and to submit substantiation materials within 12 months of the date they were verified. When ready to initiate validation testing, Ontario Health refers solution providers to our validation partner, OntarioMD. OntarioMD begins with an orientation session and shares information on the validation process with solution providers at that time. Once validated, solution listings are updated to reflect validated status on the Verified Solutions List. Solution providers offering more than one solution will be required to verify each solution independently and each solution will be separately listed on the Verified Solutions List.
If a solution has been successfully verified, can it be procured by any health service provider in the province?
Verification does not replace procurement. Health service providers (buyers) are required to follow the legislative and broader public sector procurement requirements that are applicable to them.
Do solution providers need to notify Ontario Health if changes are made to their software/platform? What sort of changes would warrant such a notification?
It is the solution provider’s responsibility to inform Ontario Health of any change to its solution that may affect its ability to meet all mandatory requirements.
If a virtual care solution being actively used by a health service provider is not on the Verified Solutions List, what should the health service provider do?
Health service providers should encourage their solution providers to visit the Ontario Health website at the Virtual Visits Verification Standard, where information about participation in the program is published. If you are a health service provider that is participating in an innovative pilot, project or program, you are encouraged to email email@example.com to request a meeting to discuss options available to verify your solution.
Will the requirements within the Virtual Visits Solution Requirements (the “standard”) change?
Yes. Requirements will evolve over time as technologies and virtual care solutions mature. Ontario Health will publish updated versions of the standard on the Virtual Visits Verification Standard. Verified solution providers will be notified of changes made to the requirements to which they have already attested to meeting. Where a requirement has changed and a solution provider is no longer able to meet its compliance obligation, a remediation process will be initiated to ensure that the solution provider has ample notice and sufficient time to comply with the updated version of the requirements.
What program documents should I refer to?
The Virtual Visits Verification Program Terms and Conditions govern the overarching relationship between Ontario Health and solution providers and outline the conditions for submissions, verification and validation.
The Virtual Visits Verification Standard outlines a framework and mandatory requirements that virtual visit solutions must demonstrate to be verified by Ontario Health’s Virtual Visits Verification Program.
Solution Providers that are interested in becoming verified are required to request from Ontario Health a submission package via email at firstname.lastname@example.org. The submission package includes:
- Attestation Letter;
- Schedule A: Solution Provider and Solution Information;
- Schedule B: Verified Solution Requirements;
- Schedule C: Privacy Impact Assessment (PIA) Summary;
- Schedule D: Threat Risk Assessment (TRA) Summary; and
- Schedule E: Ontario Health Communications Protocol.
Additional information regarding the program and submission criteria is described at ontariohealth.ca/verification.
What guides eligibility decisions?
How long will the verification process take?
Submissions are processed on a first-come, first-served basis. While turnaround times are dependent upon the volume of submissions received, Ontario Health is generally able to return to solution providers with a Notice of Verification, or a Notice of Remediation, within five working days. Submissions that are found to be complete and in good order are published on the Verified Solutions List at the time of the Notice of Verification. Remediations can vary from minor to significant and as such can range in timeline from immediate term corrections to major remediations that can take months.
Must all risks identified in the privacy and security assessments be mitigated by the date of submission?
It depends on the risk level. High risks must be mitigated by the date of submission, medium risks must be mitigated within six months of the date of the privacy and security assessments respectively and low risks may be mitigated at the solution provider’s discretion.
The Privacy Impact Assessment (PIA) and Threat and Risk Assessment (TRA) date is the effective date of the PIA and TRA respectively. Ontario Health applies this date for risk monitoring and compliance scheduling. The date of submission is the date the vendor submits its application to become verified. The PIA and TRA must reflect the current solution being submitted to the program for consideration.
Why doesn’t Ontario Health procure one virtual care solution for all of Ontario?
A key program objective is to enable health service providers at large with choice in selecting virtual care solutions that meet provincial standards in privacy, security, technology and functionality. In support of that objective, an open market approach has been taken.
What should solution providers prepare in advance of submitting for verification?
Solution providers are required to sign an Attestation Letter that affirms that their solution meets all mandatory requirements. Up-to-date Privacy Impact (PIA) and Threat Risk (TRA) Assessment Summaries are required to be submitted. Solution providers may submit a SOC 2 Type 2 audit report in place of a TRA. PIA and TRA Summaries must include a table of contents from the full-length assessment, a risk table that classifies risks as high, medium, or low, and a mitigation plan for each risk identified. In order to meet Security Control Objectives (requirement 2.3.11), solution providers are required to submit one of the following documents: a SOC 2 Type 2 audit, HITRUST r2 Certification, ISO 27001, OMD Certification or CHI Certification. If solution providers elect to submit a SOC 2 Type 2 audit, they are not required to submit a TRA separately. In order to meet privacy requirements, the PIA Summary should include (i) a brief description of the solution, (ii) a statement reflecting that the PIA is current, (iii) the role(s) which the organization plays under PHIPA and why they believe that the authority applies, (iv) a summary of risk findings including a likelihood and impact table or risk heat map, (v) a status on any outstanding risks and (vi) the name and contact information of the individual(s) and/or organization(s) who conducted the PIA.
Further information is provided in the submission package that Ontario Health shares with solution providers upon their confirmed interest in participating in the program.
Are there different solution statuses?
Yes. There are four statuses that solutions can fall into:
- Verified: all solutions that have passed Ontario Health’s review of their initial submission package are listed as Verified on the Verified Solutions List.
- Validated: listings of solutions that have passed validation testing at OntarioMD are upgraded to Validated status.
- Under Review: where solutions do not meet one or more mandatory requirement(s), the status on the Verified Solutions List may change to “Under Review”.
- Withdrawn: solutions that fail to remediate, or elect to leave the program, are moved from the Verified Solutions List to the Withdrawn Solutions List after a 60-day period where their solution remains on the Verified Solutions List with a notation that it will be moved to the Withdrawn Solutions List by a specific date. Solutions remain on the Withdrawn Solutions List for a period of six months.
If you are no longer able to meet any mandatory requirement(s), the status of your solution listing may change to reflect ‘Under Review’ or may be ‘Withdrawn’ should you be unable or unwilling to remediate identified compliance gaps. A remediation plan will be reviewed, and then if deemed satisfactory to address any gaps, may be accepted by Ontario Health to maintain the solution on the Verified Solutions List on a temporary basis, denoted as ‘Under Review’, until such time that the solution has been successfully verified as meeting all mandatory requirements. A remediation plan is a written summary, submitted by the solution provider to Ontario Health, specifying the requirement(s) where compliance gaps have been identified, the actions the solution provider plans to take to resolve said gaps, and the timeline for resolution.
Why is Ontario Health accepting SOC 2 Type 2 audits as an alternative to the requirement that solution providers perform Threat Risk Assessments (TRAs)?
The purpose of a SOC 2 Type 2 audit is to assess a solution provider’s ability to protect Personal Health Information and customer data based on five Trust Principles of which Security Common Criteria is one. Performed by an accredited auditor (CPAs or CPA firms) as defined by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles and Criteria, SOC 2 Type 2 is a widely accepted security standard and framework that is considered as equivalent to a TRA for the purpose of this program.
Do the privacy and security professionals that support the solution provider to become Ontario Health verified need to be employees of the solution provider?
Not necessarily. Responsible privacy and security professionals may be employees, contractors, or third-party consultants. The responsible privacy professional must be certified with one of the following credentials obtained through International Association of Privacy Professionals (IAPP): Certified Information Privacy Professional (CIPP/C or CIPP/US); Certified Information Privacy Manager (CIPM); Certified Information Privacy Technologist (CIPT), or in the absence of such IAPP certification, the responsible privacy professional must have a minimum of two years of experience conducting PIAs in healthcare in Ontario and/or Canada. The responsible security professional must have at least five years of direct full-time security experience that includes conducting TRAs or managing security risks and is in possession of an industry recognized security certification (e.g., CISSP, CISM, CISA, CRISC).
How often must privacy and security documentation be refreshed by the solution provider?
Privacy Impact Assessments must be refreshed every three years or when there has been a change in the solution provider’s solution, legislation, policy, or business operations that may have an impact on privacy of health information or to privacy rights.
Threat and Risk Assessments must be refreshed every two years or whenever there is a significant change in the design of the solution, policy or applicable business operations that may impact the security posture of the solution.
SOC 2 Type 2 audits must be refreshed annually. ISO 27001 certification is required to be refreshed every three years, OMD Certification every two years and HITRUST Certification every two years.
Where do I find documentation about the program?
The verification page at the Virtual Visits Verification Standard provides links to the following program documents:
- The standard
- Program terms and conditions
- Program updates
- Glossary: terms and words related to the program
- Virtual Care Maturity Model: a self-serve resource developed by Ontario Health to help health care organizations measure and compare their maturity in use of virtual care solutions
How can I ask questions about the program?
Ontario Health encourages health service providers and solution providers to send questions to email@example.com.
Solution Selection and Procurement
What happens if a solution provider’s solution is not approved?
Solution Providers that do not meet all mandatory requirements will be notified and invited to re-submit if/when they are ready and able to comply.
Why isn’t any pricing information included in solution listings?
Pricing is part of a commercial relationship between the buyer (health service provider) and the supplier (solution provider). Ontario Health does not collect pricing information.
Do OntarioMD-certified Electronic Medical Records (EMRs) need to be verified by Ontario Health in order to be listed on the Verified Solutions List?
Yes, EMRs that have been certified by OntarioMD do need to become separately verified by Ontario Health. OntarioMD Certification meets requirement 2.3.11 (Security Control Objectives).
Ontario Health’s Virtual Visits Verification Program is aligned with OntarioMD’s certification program in three respects:
- OntarioMD utilizes its operational expertise in EMR certification in performance of the validation testing function
- OntarioMD certified vendors automatically meet requirement 2.3.11
- the refresh cycle for privacy and security documentation submitted by OntarioMD certified vendors aligns to the timeline of OntarioMD certification