Policy Number: AD- PO- 1007
Effective Date: May 10, 2016
Last Revised Date: December 13, 2017
Next Review Date: December 13, 2018
1. WHAT DOES OntarioMD DO?
OntarioMD supports physicians in the sustained and enhanced use of certified Electronic Medical Records ("EMRs") and related technologies and supports physicians who are new to EMRs with the selection, implementation, and adoption of a certified EMR. Protecting personal information is a key value at OntarioMD.
OntarioMD has developed products and services that allow physicians, hospitals, medical clinics and other health care organizations to optimize their use of digital delivery mechanisms and EMRs. OntarioMD has developed solutions that enable and promote the exchange of patient health information between and among clinicians and health facilities. We have developed and delivered electronic health initiatives that align and respond to provincial government priorities. We are currently focusing on value-added services. Due to the nature of our work, OntarioMD will have access to personal information.
OntarioMD's products and services, such as its funding for the roll-out of Health Report Manager ("HRM"), EMR Practice Enhancement Program ("EPEP"), Peer Leader Program, EMR Certification Program, and the EMR Adoption Program, are funded by the Ontario Ministry of Health and Long-Term Care ("MOHLTC"). The OntarioMD Privacy and Security Training and Attestation Module is an online education tool and collects Users' name, CPSO number and successful completion status. OntarioMD also collaborates with other stakeholders to research, evaluate and deliver other services.
In relation to health information custodians, OntarioMD acts as a service provider; we support custodians in the use and adoption of technology and digital health delivery tools; this may include either OntarioMD led, or collaborative research and publications related to the progress and effectiveness of use and adoption of technology and digital health delivery tools. Although from time to time, our representatives may access or view personal health information in order to perform our services, OntarioMD itself, does not collect or store personal health information in the course of providing these services.
With respect to its provision of HRM and in accordance with Personal Health Information Protection Act ("PHIPA"), OntarioMD acts as a "health information network provider" since we provide services to two or more health information custodians which enables the custodians to use electronic means to transfer personal health information to one another. However, neither OntarioMD nor its representatives access personal health information in the course of connecting HRM data.
2. WHAT PERSONAL INFORMATION DO WE COLLECT?
Personal information includes information about an identifiable individual. Personal information does not include name, business address or business contact information, such as business title, or phone number, that are provided for business purposes. Types of personal information that we collect include date of birth, personal address, clinic address, and, in some cases, financial information and practice information. OntarioMD generally collects personal information that is voluntarily provided, but we may collect information from third parties where you have registered for a program that requires this data, or otherwise where you consent, or as permitted or required by law. We may also collect information through our Website. OntarioMD does not collect or store personal health information for its own purposes.
3. USE AND DISCLOSURE OF PERSONAL INFORMATION
OntarioMD collects, uses and discloses personal information in order to deliver programs, products and services that work with, and on behalf of, health information custodians to leverage information technology ("IT") and to facilitate the adoption of new IT tools. OntarioMD also has developed tools and services that facilitate the delivery of health information between stakeholders. As discussed above, OntarioMD does not require access to personal health information in order to fulfill its mandate other than converting it to secure file formats for transmission to health information custodians in the provision of HRM.
OntarioMD uses personal information for the following purposes:
- Providing information about OntarioMD products and services, and about developments in health IT policy of interest to physicians.
- Registering physicians and other health care clinicians or their administrators so that they can use the OntarioMD Portal and other IT tools. We exchange information with the Ontario Medical Association (OMA) in order to have up-to-date records, including registration information for service and Portal access.
- Developing education programs and information services about developments in health IT and health policy of interest to physicians. This includes marketing services and products tailored to the needs and interests of OntarioMD stakeholders.
- Engaging stakeholders including physicians and other clinicians, in order to assess their views on OntarioMD services and benefits, and on the technology adoption. This information is then de-identified for use in economic and policy analysis, research and future planning.
- OntarioMD led, or collaborative research and publications related to the progress and effectiveness of use and adoption of technology and digital health delivery tools.
- Delivering personal information on behalf of health information custodians in regards to HRM or related services.
- Supporting physicians and clinicians with any technical issues related to OntarioMD supported products (e.g., HRM).
- Updating stakeholders about the direction of OntarioMD to ensure they are well informed.
Stakeholders: OntarioMD is required to provide reporting information on its activities to its funding agent, the MOHLTC. Depending on the nature of its role, in some cases, this will include information about physicians who received EMR funding. In almost all other situations, OntarioMD only provides anonymized or aggregated information to the MOHLTC and other stakeholders.
In order for OntarioMD and the OMA to administer their respective funding and member programs, they may share practice information for purposes of registering in or accessing program. Similarly, in order to register and onboard clinicians for products such as eConsult, provincial EHR assets and viewers, ONE ID (or other products as they are introduced), practice information including CPSO numbers and Billing Numbers may be shared with Ontario Telemedicine Network (OTN) or eHealth Ontario for purposes of enrollment.
Where you consent, OntarioMD will share the status of your successful completion of the OntarioMD Privacy and Security Training Module (including required identification numbers) with provincial digital health partners (such as eHealth Ontario) in order to facilitate your access their assets. We may also share such status with CME accreditation bodies for the purpose of granting of CME credits.
Service Providers: From time to time we may transfer personal information to third party agents and service providers who provide services on our behalf. For example, we may use a service provider to help us conduct a study or verify information, to authorize and process payments, host our Website and operate some of its features. These third parties are required to safeguard the personal information transferred to them and not to use or disclose personal information transferred to them for any purpose other than the provision of services to OntarioMD. Examples of our service and infrastructure providers include health eHealth Ontario and its data centers and networks. Some service provides may process data on servers outside of Canada. In the event our service provider is located in a foreign jurisdiction they are bound by the laws of the jurisdiction in which they are located and may disclose personal information in accordance with those laws.
Note that OntarioMD's service providers that transmit, or handle PHI must process and store such PHI in Canada.
Sale of Business: OntarioMD may transfer any information we have about individuals as an asset in connection with a merger or sale involving all or part of OntarioMD or the OMA or as part of a corporate reorganization or other change in corporate control. OntarioMD may also transfer personal information to the professional advisors of the successor entity under an obligation of confidentiality for due diligence purposes and ultimately to the successor entity upon completion of the transfer of ownership
The majority of communications OntarioMD sends are required operational communications which provide important information regarding one of the products or services you are receiving. From time to time, OntarioMD also sends educational and marketing communications. Receiving marketing communications, whether in hard copy or by e-mail, is always optional and you will be provided every opportunity to be removed from such distributions. Registered Portal Users can manage their marketing preferences by logging in here. You can also unsubscribe by following links sent to you on marketing communications we send or by sending an email to email@example.com.
Your personal information is treated as private and confidential information by OntarioMD. We strive to ensure that your personal information, regardless of format, is protected and kept secure by providing security safeguards that are appropriate to the sensitivity of the information. OntarioMD only keeps personal information for as long as it is required for legal or business purposes. Although we make every reasonable effort to protect your personal information from unauthorized access, release, use, loss and theft, disclosure, alteration by third parties, copying or modification by physical and logical security procedures, confidentiality policies, and authorization requirements, you should be aware there is always some risk involved in transmitting information over the Internet. As a result, OntarioMD does not represent, warrant, or guarantee that personal information will be protected against loss, misuse or alteration and does not accept any liability for personal information submitted by you, nor for your or third parties' use or misuse of personal information.
OntarioMD maintains a Website and a Portal that provides information to registered users.
All Website Users:
Individuals may visit the public portion of our Website (OntarioMD.ca) without providing any personal information. However, we may automatically collect some information regarding your use on our Website and the pages you visit on the Website. Our servers may automatically collect information about the type of browser you use and the name of your Internet Service Provider. In addition, we may collect "cookie" information from your browser to identify your computer and provide us with a record of your visits to our Website (collectively, the foregoing is referred to as "Usage Data"). The technology used to gather "cookie" information is provided by the Internet browser you use, and is stored on your computer. You may set your browser to disable or refuse to accept cookies, although doing so may affect your viewing of certain portions of the Website. The Website collects Internet Protocol (IP) addresses for system administration, to report aggregate information and to audit the use of the Website. Our Website contains links to other Websites which may collect your personal information. OntarioMD assumes no responsibility for the privacy policies of these Websites. You should read the privacy policies of these Websites and make an informed decision whether or not to provide your personal information to the Websites' operators.
Registered Users Only:
OntarioMD collects personally identifiable information when you register for an OntarioMD Portal account. When you register for the Portal, we require your name, email address, gender, birth date, and telephone number. Once you have registered with the Portal and sign in, you are not anonymous to us. OntarioMD automatically receives and records information on our server logs from your browser which could include when you login, duration of Portal visits, IP addresses, portlets used and the pages requested. OntarioMD uses this information for the following purposes:
- Authentication and provisioning access to certain Portal resources
- Audit logging for security purposes
- Monitoring and improving site performance issues
8. ACCESSING YOUR PERSONAL INFORMATION
You have the right to verify and amend your personal information collected by us. You are also free to withdraw your consent to such collection, use and disclosure of your personal information. On written request, and in a reasonable timeframe, you have the right to access your personal information, identify the uses to which that information is put and identify any third party to whom it may have been disclosed and for what purpose. These rights are not absolute; however if we deny your request for access, we will provide reasons for doing so.
If an individual identifies incorrect personal information in OntarioMD's possession, OntarioMD will correct or delete that information in accordance with the individual's direction.
OntarioMD maintains reasonable administrative, technical, and physical safeguards in an effort to protect against unauthorized access, use, modification, and disclosure of personal information in our custody and control. OntarioMD maintains strict confidentiality of all personal information collected, and will only disclose such information to authorized persons who require such information for the purposes set out above. OntarioMD will keep to your personal information for as long as it remains necessary or relevant for the purposes stated above or as otherwise required by law.
OntarioMD makes its policies for protecting personal information readily available to those individuals from whom personal information has been collected. Reasonable access to such information can be provided where it does not interfere with the legal rights or requirements of OntarioMD or other third parties. The following policies are readily available on the OntarioMD Website:
- OntarioMD Privacy Complaints and Inquiry Policy and Procedures
- OntarioMD Privacy Breach Management Policy
- FAQ Privacy for Physicians and Staff
11. HOW TO CONTACT US OR MAKE A COMPLAINT
If you have any questions or concerns about how OntarioMD manages your personal information and protects your privacy, please contact our General Counsel and Chief Privacy Officer at:
- Address: 150 Bloor Street West, Suite 900, Toronto, ON M5S 3C1
- Phone: 416-623-1248 Ext. 5311 or 647 - 290-1248
- Email: firstname.lastname@example.org
You have the right to complain to the Information and Privacy Commissioner of Ontario or the Office of the Privacy Commissioner of Canada if you think we have violated your privacy rights for personal health information or personal information.
|Information and Privacy Commissioner of Ontario||Office of the Privacy Commissioner of Canada|
2 Bloor Street East, Suite 1400
30 Victoria Street
416-326-3333 or 1-800-387-0073
819-994-5444 or 1-800-282-1376
Author: Ariane Siegel, OntarioMD General Counsel & Chief Privacy Officer