Implementer Responsibility
[Complete the implementer responsibility section tailored to the IG's Privacy, Security, Auditing, Logging, etc.]
Privacy and Security
Prior to implementing this guide, each health information custodian must complete the following, as applicable and specified by Ontario Health:
To provide personal health information to Ontario Health as a Prescribed Organization for the purposes of the electronic health record, each health information custodian must:
- Complete all EHR onboarding requirements, as specified by Ontario Health;
- Comply with all applicable Ontario Health privacy and security policies, procedures, and standards; and
- Execute the relevant Ontario Health EHR Contributor Agreements.
- Complete all EHR onboarding requirements, as specified by Ontario Health;
- Comply with all applicable Ontario Health privacy and security policies, procedures, and standards; and
- Execute the relevant Ontario Health EHR Services Agreements.
Legal Disclaimer
Pursuant to O. Reg. 329/04, Ontario Health is required to, subject to the review and approval of the Minister, establish, maintain and amend interoperability specifications. The Minister may direct Ontario Health to establish or amend interoperability specifications, and Ontario Health is required to comply with such direction. In accordance with O. Reg. 329/04, Ontario Health makes the interoperability specification most recently approved by the Minister available to the public by posting it on Ontario Health’s website or by such other means as Ontario Health considers advisable.
As the Minister may direct Ontario Health to amend the interoperability specifications from time-to-time, Ontario Health advises the public and any other users of information concerning interoperability specifications to regularly review Ontario Health’s website where the interoperability specifications are posted, or such other means Ontario Health considers advisable, in order to confirm that they are accessing the interoperability specifications most recently approved by the Minister.
You understand and agree that: (i) This specification is provided “AS IS” without any warranties or representations of any kind, express or implied, in fact or in law; (ii) Ontario Health is not responsible for your use or reliance on the information in this specification or any costs associated with such use or reliance; and (iii) Ontario Health has no liability to any party for that party’s access, use or reliance on this specification or any of the information contained in it.
System Responsibility for User Authorization, Authentication
User Credentials
Any requests for Patient Summary documents must be authorized by the Patient Summary repository. Authorization is granted via a trust model in which OAuth2 tokens are exchanged. The HIC organization under whose authority the interaction is initiated SHALL be identified in the OAuth token. For any user-initiated access to patient summary documents, the individual user must be identified by the PoS within the token, so that the Patient Summary repository can audit the access. For system-initiated access, where there is no individual user, the user is not required to be identified. Refer to the Connectivity section for further details.
Auditing
The PoS must audit user-initiated activities such as GET or POST requests. The PoS System must maintain audit logs recording the PHI disclosed to its end users.
Logging
PoS Systems must log all activities utilizing the Patient Summary Application Programming Interface (API). The PoS System must log all user-initiated activities such as GET or POST requests.
- Application logs are tracked by the PoS System for activities performed by the system. PHI must not be stored in application log files.
- Access logs are tracked by the PoS System when the user accesses the PoS System. PI may be stored in access logs.
- Application logs should record the HTTP response codes of API requests/responses and the operational outcome.
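As an added illustration (not code from the Ontario Health specification or any PoS product), the following Python sketches how a PoS could apply the rules from both the User Credentials and Logging sections: rejecting tokens that lack the required HIC organization or user identity, and writing an application log that keeps HTTP status and outcome but no PHI alongside an access log that may carry user PI. The OAuth claim names (`hic_org`, `sub`) and the list of PHI-bearing query parameters are assumptions, since the guide does not name them.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumed claim names: the guide requires the HIC organization and, for
# user-initiated access, the individual user to be identified in the OAuth2
# token, but does not name the claims. Adjust to the real token profile.
HIC_CLAIM = "hic_org"
USER_CLAIM = "sub"
# Assumed set of query parameters that carry patient identifiers (PHI).
PHI_QUERY_PARAMS = {"patient", "subject", "identifier", "patient.identifier"}

def validate_token_claims(claims, user_initiated):
    """Return the authorization problems a PoS or repository should reject on."""
    problems = []
    if not claims.get(HIC_CLAIM):
        problems.append("HIC organization missing from token")
    if user_initiated and not claims.get(USER_CLAIM):
        problems.append("user-initiated request without an identified user")
    return problems

def redact_phi(path):
    """Replace PHI-bearing query values so the path is safe for application logs."""
    parts = urlsplit(path)
    params = [(k, "REDACTED" if k.lower() in PHI_QUERY_PARAMS else v)
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts.path + ("?" + urlencode(params) if params else "")

def outcome_summary(body=None):
    """Summarise a FHIR OperationOutcome by its coded fields only; the free-text
    diagnostics element is dropped on purpose because it may contain PHI."""
    if not body or body.get("resourceType") != "OperationOutcome":
        return "none"
    return ";".join(f"{i.get('severity')}/{i.get('code')}"
                    for i in body.get("issue", []))

def application_log_entry(method, path, status, outcome_body=None):
    """Application log line: request, HTTP status code and outcome, no PHI."""
    return {"log": "application", "method": method, "path": redact_phi(path),
            "status": status, "outcome": outcome_summary(outcome_body)}

def access_log_entry(claims, method, path):
    """Access log line: user PI is permitted here; system access has no user."""
    return {"log": "access", "user": claims.get(USER_CLAIM) or "system",
            "hic": claims.get(HIC_CLAIM), "method": method, "path": redact_phi(path)}

if __name__ == "__main__":
    # Constructed sample request; "12345" stands in for a real patient id.
    claims = {HIC_CLAIM: "HIC-EXAMPLE-001", USER_CLAIM: "clinician-42"}
    path = "/DocumentReference?patient=12345&status=current"
    print(application_log_entry("GET", path, 200))
    print(access_log_entry(claims, "GET", path))
```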