| Term | Description |
|---|---|
| Agreement* | “Agreement” for the purposes of this guidance means a contract, memorandum of understanding, service level agreement or other legal instrument between an institution and a service provider that processes records or personal information on behalf of the institution. |
| Attestation | A signed agreement between a Solution Provider and Ontario Health. |
| Control* | “Control” over a record or personal information means being accountable for it, including ensuring the protection of privacy, and being able to make decisions about how it is to be managed. Regardless of who has been assigned custody of a record or personal information, it is considered to be under an institution’s control when the institution has the duty and authority to manage it, including restricting, regulating, and administering its use, disclosure, or disposition. |
| Custody* | “Custody” refers to having physical possession of a record or personal information. Custody does not equate to control. A service provider may have custody of a record or personal information, but it does not have control. In the context of an agreement with a service provider, control and responsibility for a record or personal information collected on behalf of an institution must be retained by the institution, even though it is processed or stored by a service provider. |
| Health Service Provider | Health Service Providers may include solo practitioners, clinics, home and community care organizations, hospitals or any other Health Service Provider type that is fully or in part funded by the Ministry of Health. |
| Health Service Provider Innovator | A Health Service Provider Innovator has developed a virtual care solution, independently or in partnership with other Health Service Providers and/or Vendors. |
| Outsourcing* | “Outsourcing” is a means of delegating tasks or activities (including the processing of records or personal information) that an institution might have the capability to do, but outside parties may do better or cheaper. Outsourcing aims can include reducing costs, increasing efficiency or improving quality. |
| Peripheral Solutions | Peripheral solutions are technologies that a Virtual Visit solution integrates into their solution to deliver services that are not related to video or secure messaging functionality. Examples would be email notifications, SMS notifications, technical support. |
| Privacy Impact Assessment* | “Privacy impact assessment” or “PIA” refers to an analytical process involving several activities and deliverables. It is not a single document or end product. A PIA should help you identify, analyze, and address key privacy risks when changing or developing programs or systems, including those involving service providers. Understanding privacy risks can help you take appropriate and timely action to ensure you and your service provider comply with legislation and other requirements. It also can help make informed policy, business, procurement, architecture, and security decisions. |
| Processing* | “Processing” includes the collecting, using, disclosing, retaining, storing, securing, or disposing of records or personal information. |
| Procurement | The Ontario Health process and policy that results in any contractual or commercial arrangement involving the acquisition of a good or service through purchase, rental, lease, or conditional sale. |
| Third-Party Service Provider | A third-party contracted or otherwise engaged to provide services to OH, including Electronic Service Providers. |
| Solution Provider | A Solution Provider may be a Vendor or a Health Service Provider. Single Health Service Providers may develop and offer a virtual care solution or they may partner with other Health Service Providers as a collective. |
| Threat Risk Assessment | A process of identifying system assets and how these assets can be compromised, assessing the level of risk that threats pose to assets, and recommending security measures to mitigate threats. |
| Vendor | A vendor is a private enterprise that offers Health Service Providers a virtual care solution. |
| VPAT®/ACR - Voluntary Product Accessibility Template/Accessibility Conformance Report |
A VPAT or ACR is a document that summarizes the extent to which a digital product, service or technology conforms with the globally recognized Web Content and Accessibility Guidelines (WCAG 2.0). While a VPAT is technically a template used to draft an ACR, the acronym is commonly used in the marketplace to describe a completed ACR A VPAT/ACR may either be completed by the vendor or by a third-party expert or organization specializing in accessibility evaluations. |
| Term | Description |
|---|---|
| Pre-Validated | Solution Provider has not yet tested to substantiate that it meets all mandatory requirements. |
| Under Review | The Solution Provider has agreed to a final remediation timeline that, if not met, will lead to withdrawal from the program. |
| Verified | The Solution Provider's Attestation of meeting all mandatory requirements has been accepted by Ontario Health. |
| Validated | The Solution Provider has successfully demonstrated that all mandatory requirements have been met. |
| Withdrawn | When Solution Providers elect to remove their solutions from the program. |