Implementation Guidance > Consumer Responsibility

Consumer Responsibility

Privacy and Security

Prior to implementing PPR interfaces, an organization should appropriately complete security and privacy risk assessments and implement the recommendations of those assessments. Care should be taken to ensure that the confidentiality and integrity of Personal Health Information in transit and at rest can be maintained at a level that is appropriate for the implementing organization.

Information from the Registry Common Services is considered to be Personal Information in the context of an EHR. As a result, access to the health client information must be restricted to only appropriately authorized users and used on a need-to-know basis.

The information which adopters receive when querying Ontario’s EHR services is considered Personal Information . As a result, access to the practitioner and organization information must be restricted to only appropriately authorized users and used on a need-to-know basis as specified in data-sharing agreements and corresponding legislation.

User Credentials

Where the consumer is required to specify user credentials by providing client ID secret and token, the consumer shall reference the OIDC/OAuth 2.0 token within the authorizationToken ID in all HL7 request messages. Refer to the Connectivity section for further details.

Interaction Validations

The consumer shall implement FHIR request interactions that are well-formed and conform to this specification.