Virtual health care visits are a boon for a health care system under severe strain due to the ongoing pandemic. With the increased need for virtual health care visits across Ontario, there has been a lot of focus on privacy requirements related to facilitating appointments and ongoing care. The ability to offer virtual care across the province aligns with Ontario’s Digital First for Health strategy, an initiative announced in late 2019 that was very timely because in-person health care visits were cut-back in 2020 due to COVID-19. For health care providers, service providers, patients, and other stakeholders, it is especially important to be aware of provincial privacy and data security requirements to continue promoting virtual health care in Ontario as a viable method to share health-related data to provide and receive care.

The Personal Health Information Protection Act and Virtual Health Care in Ontario

The legislation governing virtual health care visits and sharing personal health information in Ontario includes the Personal Health Information Protection Act (PHIPA) and Ontario Regulation 329/04/. Personal health information (PHI) is defined as an individual’s information in relation to health care services. PHI includes, but is not limited to, the following:

  • Name
  • Address
  • Telephone number
  • Health card number
  • Health care provider’s name
  • Reason for the appointment referral
  • Examination results

One of the first initiatives under Digital First for Health strategy in Ontario is to modernize PHIPA and clearly define how individuals and organizations use PHI. In collaboration with the Ministry of Health, Ontario Health and OntarioMD, province-wide standards have been developed to ensure that front-line health care providers can offer secure, confidential virtual appointments through two modalities, video, and secure messaging.

Some Basic Principles to Comply with PHIPA

1. Keep health records updated

All clinical and administrative data must be kept up to date. Any individual request to correct a record must be done within 30 days. If any clinical or administrative change has been made to patient records, then the same information must also be disclosed to the individual concerned as well. Virtual health solutions with capability to modify, update or notify providers of requested changes automatically follow this compliance guideline.

2. Keep health records secure

All PHI must be protected from theft, loss, and unauthorized use. This can be done by following proper procedures while ascertaining the type and location of the data centre. A SOC 2 data centre is considered a good practice because it follows a set of predefined benchmarks for privacy, security, confidentiality, and availability.

3. Store records for appropriate time frames

For any records requested by an individual or authorities, the records must be kept unchanged until all procedural matters are resolved related to any query/complaint. In this context, designating a privacy contact person is particularly important to oversee stored records’ compliance.

Standards for virtual visit solutions are intended to ensure care services are delivered using safe, secure, and interoperable platforms. These standards were developed in collaboration with health care organizations and clinicians across Ontario. The process to obtain recognition as a Virtual Visits Solution Standard is detailed here; all verified solutions will be posted here on OTN’s website in the future.