Ontario Medical Imaging HL7® FHIR® Implementation Guide v1.0.0-Ballot

For a full list of available versions, see the Directory of published versions

3.1. Implementer Responsibility

3.1.1. Privacy and Security

Prior to implementing this guide, an organization shall complete security and privacy risk assessments and address the recommendations of those assessments. Care should be taken to ensure that the confidentiality, security and integrity of Personal Health Information in transit and at rest are maintained in accordance with the Personal Health Information Protection Act, 2004.

Under PHIPA, Ontario Health (OH) is a Prescribed Organization (PO) with the power and duty to develop and maintain the electronic health record. In doing so, OH manages and integrates personal health information (PHI) it receives from HICs and enables HICs to collect, use and disclose personal health information by means of the EHR.

HICs who contribute records of PHI to OH as a PO are not considered to be disclosing said records to OH, nor is OH as PO considered to be collecting same from the HIC. Despite this, HICs have responsibilities related to this contribution of PHI and are required to complete onboarding processes, comply with OH privacy and security policies, procedures, and standards, and contribute PHI in accordance with interoperability specifications established by OH. These and other requirements are set forth in the EHR Contributor Agreement (ECA) and other OH agreements as applicable, which OH executes with contributing HICs. For greater certainty, nothing within this interoperability specification relieves a HIC of its obligation to comply with any provisions of PHIPA and its regulations.

The information which adopters receive when contributing data to and querying data from miCDR is considered Personal Information (PI) and Personal Health Information (PHI) within the meaning of PHIPA. As a result, access to this information must be provisioned in accordance with PHIPA and applicable agreements. Access to personal health information must be restricted to the Health Information Custodian (HIC) or an agent acting on behalf of the HIC and collected, used or disclosed on a need-to-know basis, as specified in data sharing agreements and legislation, including PHIPA. Furthermore, the HIC or the agent acting on behalf of the HIC must consider if PHI is necessary for the purposes of exchanging data with the miCDR solution. If PHI is necessary, the HIC or the agent acting on behalf of the HIC must consider how much PHI is reasonably necessary for the purpose. Under PHIPA, the HIC or an agent acting on behalf of the HIC must not collect, use or disclose PHI if other information will serve the identified purpose, or collect, use or disclose more PHI than is reasonably necessary to meet the purpose, among other requirements.


3.1.2. User Credentials

To support all instances where personal health information is collected, used and disclosed, user credential information SHALL be included in each data transfer between the source and target systems for audit and logging purposes. It SHALL also be included in the miCDR messages to identify the user who initiated the request, when that request was initiated by an actual user (as opposed to when performed by a system with no PHI disclosure to an individual user). Refer to the Connectivity section for further details.


3.1.3. System Responsibility for User Authorization and Authentication

A "system" level integration is when a Point of Service (PoS) system representing many users registers for access to miCDR, instead of registering individual users. In this case, access to the miCDR is granted to the PoS System and all access from the PoS is treated equally. The responsibility to authenticate and authorize individual access is delegated from the miCDR to the HIC that will access miCDR via the given PoS. The HIC must ensure individual users access the miCDR as required by Ontario Health’s privacy policies.

The HIC that will access miCDR via the given PoS is responsible for ensuring the accuracy of the identity of the individual requester specified in the message. User identities must be tied to authenticated user accounts.


3.1.4. Auditing

The PoS system must audit user-initiated activities such as HTTP GET or POST requests. Audit logs are maintained by the PoS System to audit PHI disclosure to their end users. PoS Systems must audit PHI disclosure to their end users.


3.1.5. Logging

The PoS System must log all user-initiated or system-initiated activities such as HTTP GET or POST requests.

  • Application logs are tracked by the PoS System for activities performed by the system. PHI must not be stored in application log files.
  • Access logs are tracked by the PoS System when the user accesses the PoS System. PI may be stored in access logs.
  • Application logs should log the API request/response HTTP response codes and operational outcome.
  • Both sending and receiving systems using the miCDR solution MUST log all activity performed via the API.
  • When a system submits data to the miCDR solution, the system MUST include the requester information in the submission.
  • When a system receives data from the miCDR solution, it must log the notification of receiving data from miCDR.

All of the above logs are retained in accordance with the HIC’s obligation as defined by and applicable PHIPA agreements or other agreements with Ontario Health.
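
The following is an added example, not part of this guide or of any Ontario Health code, of how a PoS system could record the HTTP response code and operational outcome in its application log without storing PHI, while a separate audit record carries the requester. The URL, resource type, field names and the `phi_disclosed` rule are assumptions, and the sample request and response are constructed.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: a search whose query value is a patient identifier (PHI).
SAMPLE_URL = "https://pos.example/fhir/ImagingStudy?patient.identifier=0000000000&_count=10"
SAMPLE_BODY = {"resourceType": "OperationOutcome", "issue": [
    {"severity": "error", "code": "not-found",
     "diagnostics": "No studies for patient 0000000000"}]}

def outcome_summary(body):
    """Keep only the coded fields of an OperationOutcome; free text may hold PHI."""
    if not isinstance(body, dict) or body.get("resourceType") != "OperationOutcome":
        return []
    return [{"severity": i.get("severity"), "code": i.get("code")}
            for i in body.get("issue", [])]

def application_log_entry(request_id, method, url, status, body=None):
    """Application log record: request shape, HTTP status and outcome, no values."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    # Assumption: the resource type is the first capitalised path segment.
    resource = next((s for s in segments if s[:1].isupper()), None)
    names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    return {"request_id": request_id, "method": method, "resource": resource,
            "params": sorted(names),  # parameter names only, never their values
            "status": status, "outcome": outcome_summary(body)}

def audit_entry(app_entry, user_id, timestamp):
    """Audit record: ties the authenticated user to the request by request_id."""
    disclosed = app_entry["method"] == "GET" and 200 <= app_entry["status"] < 300
    return {"request_id": app_entry["request_id"], "user": user_id,
            "time": timestamp, "action": app_entry["method"],
            "resource": app_entry["resource"],
            # Assumption: a successful read or search counts as a disclosure.
            "phi_disclosed": disclosed}

if __name__ == "__main__":
    entry = application_log_entry("req-001", "GET", SAMPLE_URL, 404, SAMPLE_BODY)
    print(entry)
    print(audit_entry(entry, "user-17", "2024-01-01T12:00:00Z"))
```

The shared `request_id` lets an investigator join the application log to the audit log without either file needing the patient identifier or the response text.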


Version: v1.0.0-ballot FHIR Version: R4.0.1


HL7® and FHIR® are the registered trademarks of Health Level Seven International