Privacy and Security FAQs

  1. How does eHealth Ontario protect privacy with appropriate security measures?
  2. What is Personal Health Information (PHI)?
  3. What isn't PHI?
  4. What are the limits on collection, use and disclosure of PHI?
  5. What are the conditions for the use of PHI?
  6. Who are Health Information Custodians (HICs)?
  7. What is a PIA?
  8. When is a PIA needed?
  9. What is a TRA?
  10. What guidelines are used for TRAs?
  11. What is FIPPA?
  12. What kind of information may be requested?
  13. How do I make a request for information under FIPPA?

How does eHealth Ontario protect privacy with appropriate security measures?
The main tools for privacy and security are:

In addition, eHealth Ontario runs a comprehensive “security in depth” program, which includes, among other measures:

  • continuously monitoring our networks and systems for potential intruders
  • deploying anti-virus software on email systems and on all laptop and desktop computers
  • applying security patches
  • encrypting sensitive information in transit
  • providing privacy and security training and awareness to all staff



Personal Health Information

What is Personal Health Information (PHI)?
Your PHI is any identifying information about you, in oral or recorded form, relating to:

  • Your physical or mental health
  • Provision of health care to you
  • Payments or eligibility for health care
  • Donation, testing or examination of any body part or bodily substance

PHI also includes your health number and any information identifying your substitute decision maker.



What isn't PHI?
PHI does not include:

  • Information that is non-identifying; for example, records from which names, addresses and other personal identifiers have been removed, and which can no longer be linked back to the original records or to the individual
  • Identifying information that relates primarily to employees or other agents of a Health Information Custodian rather than to the individual receiving care



What are the limits on collection, use and disclosure of PHI?
The Personal Health Information Protection Act (PHIPA) places limits on the collection, use and disclosure of PHI. A custodian must not collect, use or disclose your PHI unless one of the following applies:

  • They have your consent and the information is necessary for a lawful purpose, or
  • The collection, use or disclosure is permitted or required by PHIPA

In either case, a custodian must not collect, use or disclose PHI if other, non-identifying information would serve the same purpose, and must not collect, use or disclose more PHI than is reasonably necessary for that purpose.



What are the conditions for the use of PHI?
Under PHIPA, a custodian may use PHI for purposes including:

  • The provision of healthcare
  • Planning or delivering programs or services
  • Reimbursement and claims administration
  • Risk management, error management and quality assurance purposes
  • Research conducted by the custodian



Who are Health Information Custodians (HICs)?
A HIC is a person or organization involved in the delivery of health care services, such as a physician, a long-term care service provider, a community care access centre, a hospital, a pharmacy, a laboratory, or the Ministry of Health and Long-Term Care. eHealth Ontario is not a HIC.



Privacy Impact Assessments (PIAs)

What is a PIA?
A Privacy Impact Assessment (PIA) evaluates a new system or initiative to determine its actual and potential impact on individual privacy. A PIA measures both technical compliance with privacy legislation and the broader privacy implications of the initiative. It addresses all technological components, business processes, flows of personal information, information management controls and human resource processes associated with the system or program initiative.


When is a PIA needed?
A PIA is needed for every eHealth Ontario system or program initiative that involves personal information.



Threat and Risk Assessments (TRAs)

What is a TRA?
A Threat and Risk Assessment (TRA) addresses all technological components, business processes and human resource processes associated with a system or initiative. It:

  • identifies sensitive system assets and existing safeguards;
  • identifies how those assets can be compromised by threats;
  • assesses the resulting level of risk; and
  • recommends how to reduce that risk.



What guidelines are used for TRAs?
The Vice President, Privacy and Security establishes guidelines based on:

  • The Communications Security Establishment’s A Guide to Risk Management for Information Technology Systems;
  • The Communications Security Establishment’s Threat and Risk Assessment Working Guide; and
  • The Royal Canadian Mounted Police’s Security Information Publication 5: Guide to Threat and Risk Assessment for Information Technology.



Freedom of Information and Protection of Privacy Act (FIPPA) and Access to Information

What is FIPPA?
FIPPA is Ontario legislation that applies to eHealth Ontario. It provides members of the public with a way to access government information held by institutions, while at the same time creating a privacy protection framework that institutions must follow.

FIPPA applies to all records created, accumulated and used by eHealth Ontario, although eHealth Ontario does not always have custody or control of certain records, including some that may contain personal health information.



What kind of information may be requested?
FIPPA gives the public a right to request access to most recorded information held by government organizations, including eHealth Ontario. FIPPA also gives individuals the right to request access to, and correction of, their own personal information held by government organizations.



How do I make a request for information under FIPPA?
To make a request, write a letter stating that you are requesting information under FIPPA, and describe the records you are seeking in enough detail for them to be located. Send the letter, together with the $5 application fee payable to the Minister of Finance, to:

FIPPA Coordinator
eHealth Ontario
P.O. Box 148
777 Bay Street, Suite 701
Toronto, ON M5B 2E7

For questions, contact our FIPPA officer at Wes.Roberts@ehealthontario.on.ca
