Virtual care is integral to Ontario’s health system, particularly now amid efforts to slow the spread of COVID-19. To support the safe and secure use of virtual care, the Information and Privacy Commissioner of Ontario has released new guidelines for the health care sector: Privacy and Security Considerations for Virtual Health Care Visits (PDF) (the “Guidelines”). Relatedly, Ontario Health, the province’s super-agency for health, has developed a provincial standard for virtual visit solutions (the “Standard”) and a verification process for telehealth platform vendors that meet the privacy and security criteria laid out in the Standard.
Both health care providers and telehealth platform vendors should consider how the new Guidelines and the province’s verification process will impact the way they provide virtual care services in Ontario.
Guidelines from the Information and Privacy Commissioner of Ontario
The Guidelines provide practical advice for health care providers to mitigate the unique privacy and cybersecurity risks posed by virtual care and to meet their obligations under Ontario’s Personal Health Information Protection Act (“PHIPA”). PHIPA applies to all health information custodians, whether they provide care in-person or virtually. The Guidelines also remind custodians that other statutory rules or professional duties may apply to them with respect to virtual health care delivery, in addition to PHIPA.
Enhancing Privacy and Security Accountability
The Privacy Commissioner expects custodians to take the following steps to enhance privacy and security when providing virtual health care:
- conduct privacy impact assessments to identify and manage specific privacy and information security risks associated with providing virtual care;
- develop and implement virtual health care policies to address how virtual health care may be provided virtually (e.g., when, how, and the purposes for which health care may be provided virtually, any conditions or restrictions in doing so, including access to personal health information restricted to need-to-know access);
- notify patients about those virtual care policies;
- ensure employees and agents participate in ongoing privacy and security training to reduce the risk of unauthorized collection, use and disclosure of personal health information (including guidance specific to working from home);
- develop an information security management framework to monitor, assess, and mitigate any security risks associated with virtual platforms – which would set out all of the required administrative, technical, and physical safeguards expected of employees, other agents, and any electronic service providers (e.g., access controls, maintain audit logs, regularly monitor for and apply software updates, and conduct regular audits and threat risk assessments); and
- have a privacy breach management protocol in place for responding to actual and suspected privacy breaches related to the virtual care solution (or otherwise).
Safeguards to Protect Personal Health Information
The Guidelines require that custodians put in place appropriate safeguards to protect personal health information when health care is provided virtually, which may include:
- technical safeguards, such as using firewalls or protections against software threats and encrypting data on all portable storage devices;
- physical safeguards, such as keeping technology that contains personal health information in a secure location; and
- administrative safeguards, such as explicit provisions in confidentiality agreements with employees and other agents which address their obligations when delivering virtual health care.
Custodians should consider further platform-specific safeguards when communicating personal health information by email, videoconference, or through patient portals.
Additional safeguards for email communication may include providing notice in the email that the information received is confidential, communicating from professional rather than personal email accounts, and providing instructions to follow if an email is received in error. Custodians should use encryption for emails to and from patients and when emailing personal health information to other custodians.
When engaging in virtual care via videoconference, custodians and patients should join the videoconference from private locations using a secure internet connection. The custodian should confirm that the meeting is secure from unauthorized participants and verify the identity of the patient. If others are present with the patient or if the visit will be recorded, the custodian should have the patient’s consent.
With respect to patient portals, custodians must ensure that the privacy safeguards in place are relevant to the functionality or type of platform. This includes developing a procedure for the patient’s initial access and subsequent logins and implementing access controls if the patient would like to share information with a substitute decision-maker, employer, or insurance company through the portal. Custodians should clearly explain to patients the type of information that is available in the portal, to whom it is accessible, when information provided by the patient will be reviewed by the custodian, and how long information will remain in the portal.
Selecting Virtual Platform Vendors
The Guidelines encourage custodians to consult Ontario Health’s new provincial Standard when procuring a virtual visit solution to ensure it complies with privacy, security, interoperability, and technical specifications. The Standard and its associated verification process are discussed below.
If custodians engage third-party service providers, it is important to ensure that written contracts containing appropriate privacy and data security clauses are in place. This will ensure that the custodian is itself meeting its own obligations under PHIPA by ensuring that its service provider is taking suitable steps to address PHIPA’s requirements.
The Privacy Commissioner has also cautioned against engaging a virtual care solution that requires, as a condition of service, that individuals register with the service provider or accept terms of service and privacy policies that require the handling of personal health information for purposes unrelated to the provision of health care. If a solution does require that the individual have such a direct relationship with the service provider, we recommend that this be assessed in light of the circumstances of the solution, including the patient user’s expectations and options for receiving care.
Engaging in Virtual Care
Before engaging in virtual care, custodians should determine whether virtual care is appropriate in the circumstances. This determination involves considering the patient’s needs and the purpose of their visit, regulatory guidance, ease of access for the patient, technological requirements, and the custodian’s ability to protect the privacy and security of the patient’s personal health information in the virtual setting.
In circumstances where virtual care is appropriate and proper safeguards are in place, custodians should still inform their patients of the limitations and risks of virtual care visits. Custodians must have the patient’s consent to collect, use, and disclose personal health information through virtual care technologies. Custodians should record virtual patient interactions in the same manner as in-person interactions.
After engaging in virtual care, custodians are encouraged to seek feedback from patients to confirm that they feel comfortable using the digital platforms.
Ontario Health’s Virtual Visit Solution Standard and Verification Process
Ontario Health’s provincial Standard, developed in collaboration with the Ministry of Health and OntarioMD, outlines functional and non-functional requirements for virtual visit solutions used by health care providers. Vendors whose virtual visit solutions meet the criteria set out in the Standard may apply for verification by Ontario Health.
Using a verified solution gives health care providers additional privacy, security, interoperability, and technical assurances and also offers opportunities for provincial program funding.
The Virtual Visit Solution Standard
The Standard provides a comprehensive list of general requirements, privacy and security requirements, and data requirements that apply to all virtual visit solutions. For example, all virtual visit solutions must enable identity verification of the provider and user, provide for the automated verification of patient OHIP numbers, and seamlessly integrate with health care providers’ existing point-of-sale (POS) systems.
In terms of privacy and security, virtual visit solutions must publish a notice of their relevant information practices, provide an electronic audit trail of all visits, and ensure virtual visit data is held by systems located in Canada, among other requirements. The minimum data requirement for all virtual visit solutions is an event summary that provides information about the organization, solution, modality of each unique virtual visit, and the day and time it occurred.
The Standard also provides requirements that are specific to either videoconferencing or secure messaging platforms. For example, video solutions are expected to enable scheduled and unscheduled visits, allow users to share files, and provide an audio-only option. Secure messaging solutions must support bidirectional communication between patients and one or more clinicians, ensure secure messaging services are only accessible by authenticated users, and separate clinical and administrative messages, among other requirements.
The Vendor Verification Process
A virtual visit solution vendor must satisfy all mandatory requirements set out in the Standard in order to be designated as a verified solution by Ontario Health.
Vendors who wish to become verified must complete an application process which includes the following:
- self-attestation that the solution meets all mandatory virtual visit solution standard requirements for video, secure messaging, or both;
- summary of the vendor’s Privacy Impact Assessment and Threat Risk Assessment, completed within the last two years, showing no significant outstanding risks;
- completion of the legal terms and conditions (PDF) associated with becoming a verified solution; and
- agreement to participate in additional risk-based verification testing within one year of engaging in the verification process.
Ontario Health publishes a list of verified solutions online to assist health care providers in selecting vendors. To date, four vendor solutions have been verified for the provision of video and secure messaging services and two vendor solutions have been verified for only video services.
Ontario Health verification is not a legal requirement to offer telemedicine solutions in Ontario. Ontario Health notes that verification should not be taken as an endorsement of any virtual care platform or service model. Health care providers are still advised to conduct their own due diligence in determining which solution meets their needs.
Health care providers engaged in virtual care should assess their current practices to confirm that they align with the Privacy Commissioner’s Guidelines. They may also wish to explore whether their current or prospective virtual care platform vendor is verified by Ontario Health.
Platform vendors should consider applying to become verified through Ontario Health’s voluntary verification process.