For a full list of available versions, see the Directory of published versions

3.1. Implementer Responsibility

3.1.1. Privacy and Security

Prior to implementing this guide, each health information custodian (HIC) must complete the following, as applicable and specified by Ontario Health:
To access PHI that is accessible by means of a subscription notification, each HIC must:

• Complete all Pub/Sub onboarding requirements, as specified by Ontario Health;
• Comply with all applicable Ontario Health privacy and security policies, procedures, and standards; and
• Execute the relevant Ontario Pub/Sub Service Agreements.

Overarching Legal Compliance
The subscribing HIC is responsible at all times for ensuring its collection, use, and disclosure of Personal Health Information (PHI) via this service is fully compliant with the Personal Health Information Protection Act, 2004 (PHIPA) and O. Reg 329/04.

Lawful Care Relationship
A subscribing HIC must not create a subscription for a topic related to a patient for whom the subscribing HIC does not have a lawful care relationship.

Group Subscription Integrity
When using a Group resource to define a subscription filter, the subscribing HIC must ensure that every patient included in that Group meets the "lawful care relationship" criterion. The subscribing HIC is solely responsible for managing the membership of such groups to ensure PHIPA compliance.

Enforcement of Consent Directives
Ontario Health operates the Publish/Subscribe (Pub/Sub) service in the role of a Health Information Network Provider (HINP) under PHIPA s. 17. The Pub/Sub Service does not make disclosure decisions. The originating system (Publisher) is the Health Information Custodian responsible for the patient’s personal health information and MUST enforce consent directives and masking prior to submitting event notifications to the Subscription Service.

3.1.2. User Credentials

Any subscription interaction must be authorized by One Access Gateway. Authorization is granted via a trust model where OAuth2 tokens are exchanged.

The HIC organization under whose authority the interaction is initiated SHALL be identified in the OAuth token.

3.1.3. System Responsibility for User Authorization and Authentication

A "system" level integration is when a Point of Service (PoS) system representing many users, registers for access to the Publish/Subscribe service (Pub/Sub), instead of registering individual users. In this case, access to the Pub/Sub is granted to the PoS System and all access PoS are treated equally. The responsibility to authenticate and authorize individual access is delegated to the HIC that will access Pub/Sub via the given PoS. The HIC must ensure individual users access the Pub/Sub as required by Ontario Health’s privacy policies.

The HIC that will access Pub/Sub via the given PoS is responsible for ensuring the accuracy of the identity of the individual requester specified in the message. User identities must be tied to authenticated user accounts.

3.1.4. Auditing

The PoS must audit user-initiated activities such as HTTP GET or POST requests. Audit logs are maintained by the PoS System to audit PHI disclosure to their end users. PoS Systems must audit PHI disclosure to their end users.

3.1.5. Logging

The PoS System must log all user-initiated or system-initiated activities such as HTTP GET or POST requests.

• Application logs are tracked by the PoS System for activities performed by the system. PHI must not be stored in application log files.
• Access logs are tracked by the PoS System when the user accesses the PoS System. PI may be stored in access logs.
• Application logs should log the API request/response HTTP responses codes and operational outcome.

All of the above logs are retained in accordance with the HIC’s obligation as defined by and applicable PHIPA agreements or other agreements with Ontario Health.