Under what authority will Ontario Health be collecting data from health service providers (HSPs) as part of the MHA PDS?

Ontario Health (OH) will be collecting this data as a Prescribed Entity under the Personal Health Information Protection Act, 2004 (PHIPA), which is the legislation that applies to the management of personal health information (PHI) in the province. Ontario Health is identified in ss.18(1)5 of Ontario Regulation 329/04 made under PHIPA (the Regulation) as a Prescribed Entity for the purposes of ss.45(1) of the Act.

What is a Prescribed Entity? 

PHIPA is “role-based” legislation, which this means that it identifies and defines a number of roles of “health system actors”. It then sets out the rights and responsibilities of each of the roles as they relate to the management of PHI. As a prescribed entity, Ontario Health collects personal health information for health system management and planning from organizations that are involved in the care and treatment of patients. We use this information to plan, fund and report on the performance of the healthcare system.

Accountability for Ontario Health’s compliance with applicable privacy legislation rests with the Chief Executive Officer (CEO), who delegates accountability for compliance to the Chief Privacy Officer (CPO). The CPO oversees the day-to-day responsibilities of the privacy program, together with Privacy Managers and Privacy Specialists. The CPO is responsible for updating senior leadership and the CEO on material privacy matters.

As a Prescribed Entity, Ontario Health is subject to regulatory oversight by the Information and Privacy Commissioner of Ontario on a triennial basis. Ontario Health must submit a report to the Commissioner that details how our privacy, information security and management practices comply with the requirements mandated in the Manual for the Review and Approval of Prescribed Persons and Prescribed Entities. Ontario Health received its latest approval from the Information and Privacy Commissioner on October 30, 2020.

Ontario Health’s triennial report is publicly available at: 

TriennialPrivacyReportAndAffidavit-2020.pdf (ccohealth.ca)

How will this data be collected?

The data contained in the PDS 1.0 will be collected directly from the HSPs and sent to Ontario Health through a Fast Healthcare Interoperability Resources (FHIR) interface. Vendors will be building new functionality to transmit data (as defined in the PDS 1.0) directly from HSP client management systems to Ontario Health. Data will be transmitted from HSPs to Ontario Health on a nightly basis through a FHIR based Application Programming Interface (API) service that requires the HSP to be authenticated before transmitting data to Ontario Health.

How will this data be used and by whom? 

The data will be used by Ontario Health as a Prescribed Entity for the following purposes:

  • Planning purposes to better understand the quality and volume of data and feasibility to support system performance measurement (e.g. wait times)
  • Generation of provider reports for contributing HSPs to provide insights into service access and utilization, support local service planning efforts and facilitate performance measurement across contributing organizations.

Are there limitations on Ontario Health’s internal access to and sharing of PHI within the agency? 

Access and use is only permitted to those individuals who require access to the PHI as part of their employment or contractual responsibilities. Disclosure of the sectoral data is only permitted in accordance with PHIPA and the Regulation

What privacy and security controls will be applied to protect this data? 

Ontario Health has in place administrative, physical and technical controls to protect the privacy of the sector patients/clients and the confidential and security of their PHI that is provided to Ontario 
Health for the Mental Health and Addictions Centre of Excellence.

Ontario Health’s privacy statement is available at: Privacy | Ontario Health

The Information Privacy Commissioner (IPC) approves the policies that relate to the Prescribed Entity authority. The IPC approves the policies on a triennial basis. Those policies would extend over the mental health sector data.

Will consent directives be applied to this data? 

Consent directives will not apply to the data that is collected by Ontario Health under the authority of a Prescribed Entity if the data is collected for the purpose of analysis or compiling statistical information with respect to the management of, evaluation or monitoring of, the allocation of 
resources to or planning for all or part of the health system, including the delivery of services, if the entity has received the approval of its practices and procedures by the Office of the Information and Privacy Commissioner/Ontario (the “IPC”) [ s.45]

In order to continue receiving PHI from health information custodians (HICs) without consent, Ontario Health as a Prescribed Entity must have its privacy and security practices and procedures (Ps&Ps) reviewed and approved by the IPC every three years.
The Ps&Ps must, at minimum, include those set out in the Manual:

The IPC most recently reviewed and approved OH’s Ps&Ps on October 30, 2020. The IPC’s Approval Letter is posted on its website at: By E-mail (ipc.on.ca) 

PHIPA also contains numerous provisions setting out the circumstances in which a HIC may disclose PHI without consent; examples include: [ss.38-48]

  • In order for the Minister, another HIC, a Local Health Integration Network (LHIN) or OH to determine or provide funding or payment to the HIC for the provision of health care [ss.38(b)]
  • To a prescribed person who compiles or maintains a registry of personal health information for purposes of facilitating or improving the provision of health care or that relates to the storage or donation of body parts or bodily substances [ss.39(1)(c)]
  • If the HIC believes on reasonable grounds that the disclosure is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person or group of persons [ss.40(1)]
  • for the purpose of complying with,
    • a summons, order or similar requirement issued in a proceeding by a person having jurisdiction to compel the production of information, or
    • a procedural rule that relates to the production of information in a proceeding [ss.41(1)(d)]
  • For the purpose of determining, assessing or confirming capacity under the Health Care Consent Act, 1996, the Substitute Decisions Act, 1992 or this Act [ss.43(1)(a)]
  • To a College within the meaning of the Regulated Health Professions Act, 1991 for the purpose of the administration or enforcement of the Drug and Pharmacies Regulation Act, the Regulated Health Professions Act, 1991 or an Act named in Schedule 1 to that Act [ss.43(1)(b)]

What is a HIC?

In addition to outlining the authority by which information can be collected, it also outlines the roles and responsibilities of HICs. For instance, community health and mental health services are what are known as HICs, as are other healthcare practitioners, hospitals, and pharmacies 
PHIPA sets out the circumstances in which HICs:

  • Have the authority to collect, use and disclose PHI
  • When they need the consent of the patient/client to do so, and what type of consent is necessary (express, implied, or assumed implied)
  • May use and disclose PHI without the consent of the client/patient to whom the individual relate