Implementer Responsibility
Privacy and Security
Prior to implementing this guide, an organization shall complete security and privacy risk assessments and address the recommendations of those assessments. Care should be taken to ensure that the confidentiality and integrity of Personal Health Information, in transit and at rest, can be maintained at an appropriate level.
The information which adopters receive when submitting Mental Health and Addictions Provincial Data Set information is considered Personal Information (PI) and Personal Health Information (PHI). As a result, access to the data (PHI) must be restricted as specified in data-sharing agreements and corresponding legislation.
In accordance with section 30 of O. Reg. 329/04, the health information custodian is responsible for ensuring that every digital health asset that it selects, develops or uses complies with every applicable interoperability specification, as it may be amended from time to time, and within the time period set out in the specification. In addition to complying with the requirements set out in each applicable interoperability specification, the health information custodian is responsible for complying with PHIPA and its regulations, including but not limited to the health information custodian’s obligations related to ensuring accuracy (section 11(1) of PHIPA), security (section 12 of PHIPA), and the handling of records (section 13 of PHIPA).
System Responsibility for User Authorization, Authentication
Contributions to the Mental Health and Addictions Provincial Data Set (MHA PDS) Repository are made through a “system”-level integration, whereby a Point of Service (PoS) system contributes Mental Health information without any direct end user action. As such, there is no end user identity tied to a given contribution message.
User Credentials
As MHA PDS contributions are performed by systems with no individual identified, only the HIC organization under whose authority the information is submitted SHALL be identified in the OAuth token. Refer to the Connectivity section for further details.
An MHA PDS resource submitted to Ontario Health SHALL be well-formed and conform to this specification.