Therapist Assisted Internet-Based Cognitive Behaviour Therapy Solution for Depression, Anxiety and Post Traumatic Stress Disorder (MindBeacon) PIA Summary
Date of PIA Report: October 21, 2022 (PIA reflective of information received up until this date)
Date PIA Summary Last Reviewed and Updated: May 13, 2025
The following is a summary of the privacy impact assessment (PIA), including a brief background on the Therapist Assisted Internet-Based Cognitive Behaviour Therapy Solution for Depression, Anxiety and Post Traumatic Stress Disorder, key findings and recommendations, and target date for completion. See our Privacy Contact page to find information on how to contact the Ontario Health Privacy Office should you have any questions.
The PIA for the Therapist Assisted Internet-Based Cognitive Behaviour Therapy Solution for Depression, Anxiety and Post Traumatic Stress Disorder release was conducted by an external consultant and completed in January of 2023.
Background
The Mental Health and Addictions Center of Excellence at Ontario Health was established to support the delivery and implementation of the provincial Mental Health and Addictions strategy. A key component of achieving this strategy is providing coordinated access to mental health services through the implementation of the Ontario Structured Psychotherapy (OSP) program.
The OSP program provides access to evidence-based, short-term, cognitive behavioural therapy (CBT) and related approaches to Ontarians with depression and anxiety-related conditions, with no out-of-pocket costs for participants. The program is delivered through 10 regional psychotherapy networks as a coordinated provincial program. Adopting a “hub and spoke” model, each network is comprised of several organizations working collaboratively to administer and deliver high-quality services for individuals (collectively, “clients” and individually a “client”) within a defined region of Ontario.
Access to the program is centralized within each network which means that all individuals are referred directly to a Network Lead Organization (NLO) for screening and assessment. Following the centralized screening and assessment process, clients are directed to the service that best meets their needs with all available and appropriate client data. Based on ongoing monitoring of client progress throughout treatment, clients will either complete treatment or be referred to the NLO for service navigation, as required.
The Ministry of Health has provided funding to Ontario Health to add an iCBT service offering to the OSP program as another treatment option available to eligible and interested OSP clients. The Mental Health and Addictions Center of Excellence is collaborating with external stakeholders, including the Provincial System Support Program (PSSP) from CAMH and the Ministry of Health to acquire and implement the iCBT service.
Given that personal health information (PHI) is collected, used, stored, and disclosed as a function of the iCBT solution, Ontario Health has mandated that a Privacy Impact Assessment (PIA) be conducted to ensure that the information is protected. This PIA is focused on the iCBT service provided by MindBeacon that will be embedded into the OSP model and implemented as an available service offering at each of the NLOs.
The PIA was conducted over the course of two months, beginning on August 22, 2022, and the assessment was based on information available up to and including October 10, 2022.
Key Findings
With the Therapist Assisted Internet-Based Cognitive Behaviour Therapy Solution for Depression, Anxiety and Post Traumatic Stress Disorder, the privacy analysis of the initiative identified nineteen (19) risks. In accordance with Ontario Health’s Privacy Risk Management policy and procedures, the Chief Privacy Officer (CPO) approves and endorses the results of the PIA and risk management process, and should there be a risk or risks that cannot be mitigated to an acceptable risk tolerance of minor, the designated business or portfolio owner must:
- review and sign off on the Risk Acceptance Form;
- prepare supporting documentation (briefing note) addressing possible consequences as a result of accepting the risk(s) and not implementing the recommendation(s) provided by the Legal, Privacy and Risk Portfolio; and
- submit the Risk Acceptance Form and supporting documentation to the Executive Lead for the applicable portfolio and to the Executive Lead for the Legal, Privacy, and Risk Portfolio for review and approval.
Ontario Health’s PIA standard recommends that all very high, high, and moderate risks be mitigated to an acceptable level (minor) prior to a project going live. As such, the following recommendations should be implemented prior to or in concert with this project’s launch.
Risk rating definitions used to assess the risk of each identified gap are available upon demand.
Risks and Recommendations
The PIA makes the following risks and recommendations:
Risk 1: The intent of a client-facing privacy policy is to provide the foundation for client ‘knowledgeable consent’ by describing how an organization complies with relevant privacy law and fair information practices. MindBeacon’s ‘Platform Privacy Policy and HIPAA Notice of Privacy Practices’ places a focus on HIPAA (an Act that is not relevant to the Ontario Health instance of iCBT). A privacy policy that is based on a law that is not relevant to the Ontario Health instance of iCBT creates a risk of non-compliance with PHIPA.
Risk Level: Medium
Recommendations: It is strongly recommended that MindBeacon consider rewriting its ‘Platform Privacy Policy and HIPAA Notice of Privacy Practices’ to place a focus on PHIPA and relevant fair information practices and reflect how MindBeacon complies with PHIPA. Sub-section 6.2.1 of this PIA contemplates areas of change which may inform amendments to the Policy. This should also align with the Privacy Policy available on the website.
Status: Completed.
Risk 2: Data residency requirements are met by MindBeacon and its partners. However, while MindBeacon’s ‘Platform Privacy Policy and HIPAA Notice of Privacy Practices’ is clear on data residency, iCBT clients can also access the website privacy policy which states that their data may reside in the U.S. This creates a situation whereby a client may not understand what they are consenting to in the privacy policy, which in turn creates a risk of non-compliance with PHIPA ‘knowledgeable consent’ requirements.
Risk Level: Low
Recommendations: Further to recommendation #1 above, MindBeacon should resolve the potential conflict in data residency messaging as part of the rewrite of its Platform Privacy Policy.
Status: Completed.
Risk 3: The ‘Platform Privacy Policy and HIPAA Notice of Privacy Practices’ indicates that IP addresses will be collected for (amongst other things) auditing and tracking purposes. This creates a risk that both terms could be interpreted to mean that iCBT clients are under surveillance, which could in turn result in reputational/public relations challenges for MindBeacon and, by extension, Ontario Health.
Risk Level: Medium
Recommendations: Further to recommendation #1, MindBeacon should clearly define what it means by ‘auditing and tracking’ of clients using IP addresses, and determine the value, advisability and risks associated with this functionality. Based on the results of the above analysis:
- MindBeacon may wish to stop auditing and tracking using IP addresses and remove the practice from the policy; or
- MindBeacon may wish to augment the policy if it would like to continue the practice.
Status: Completed
Risk 4: When registering, clients provide their email address and/or cell phone number, which MindBeacon uses to send information about software updates to the platform. In compliance with CASL section 10, this information is included in the ‘Privacy Policy and HIPAA Notice of Privacy Practices’. However, there is no mention of software updates to the mobile application. This creates a risk of MindBeacon being in a state of non-compliance with the Act.
Risk Level: Medium
Recommendations: Further to recommendation #1, it is strongly recommended that MindBeacon update its ‘Privacy Policy and HIPAA Notice of Privacy Practices’ to include software updates to the mobile application.
Status: Completed.
Risk 5: While MindBeacon has a number of foundational policies, there is a lack of clear procedural documentation for policies and practices to operationalize key aspects of PHIPA. This creates a risk of non-compliance with the Act.
Risk Level: Medium
Recommendations:
- It is recommended that MindBeacon create procedural documentation that demonstrates how access requests will be addressed. The procedures could include (for example) information about what data is accessible (for example, the .csv file, case notes), what fees should be charged if there are any, and in what form responses to requests should be provided.
- It is recommended that MindBeacon create procedural documentation that demonstrates how requests for correction will be addressed. The procedures could include (for example) information about the type of information that can be corrected (e.g., information in the .csv file), whether there are timeline restrictions associated with corrections, and the role within MindBeacon that will make the corrections.
- It is recommended that MindBeacon create procedural documentation on why and how to aggregate PHI, and the procedures should align with Ontario Health aggregation guidelines.
- It is recommended that MindBeacon create procedural documentation on why and how to de-identify PHI, and the procedures should align with the IPC de-identification guidelines.
- It is recommended that MindBeacon review its Privacy Breach Management Policy and Procedures with Ontario Health for assurance that the notification section meets Ontario Health requirements. The review should pay particular attention to how and in what form the notification will happen.
- It is recommended that MindBeacon enhance its Risk Management Protocols document to specifically address privacy and security risks.
Status: Completed
Risk 6: MindBeacon’s privacy program is a work in progress that does not appear to include measurements to assess the health and maturity of its program over time. Without KPIs placed in the context of privacy requirements, there is a risk that MindBeacon may have challenges assessing sufficiency of its approach to compliance, particularly as laws and standards continue to evolve.
Risk Level: Low
Recommendations: It is recommended that MindBeacon consider developing performance measurements to determine (and perhaps report on where required) the health and maturity of its privacy program over time. There are several industry-standard privacy maturity assessment models that MindBeacon could look at (including one that Dr. Cavoukian developed for IPC when she was the Ontario Privacy Commissioner).
Status: Completed
Risk 7: Given that CloudMD has no role in the Ontario Health iCBT project, it is unclear what mechanism has been implemented by MindBeacon to ensure that PHI is not shared with CloudMD.
Risk Level: Low
Recommendations: It is recommended that MindBeacon provide attestation of contractual arrangements with CloudMD stipulating that MindBeacon will not share PHI.
Status: Completed
Risk 8: There is a lack of understanding of third parties utilized by MindBeacon to provide iCBT services, and the corresponding agreements. This creates a risk of harm (direct or indirect) to iCBT clients if their data is inappropriately accessed, used, or disclosed by third parties that have not been contractually obligated to protect PHI.
Risk Level: Medium
Recommendations: It is recommended that MindBeacon provide a description of all its agreements with third parties that have access to PHI, including attestation that the agreements include delineation of privacy roles and responsibilities and breach management. The description should be mapped to the third parties included in the architectural diagram.
Status: Completed
Risk 9: A Solution Design Document (SDD) is a blueprint for what a project is building. The Solution Design serves as an overarching reference for the entire project, including the direction for and expectations from the implementation phase.
MindBeacon provided an architectural diagram with no supporting information to describe what was in the solution design. This creates a risk of non-compliance with PHIPA, and a knock-on risk associated with change control because there is no reference document against which to measure future changes.
Risk Level: Low
Recommendations: It is recommended that MindBeacon place a focus on updating its architecture diagram with detailed descriptions of the technology, data flows and interface signatures (which should map to the data flows described in the PIA).
Status: Completed
Risk 10: Based on interviews and documents provided, it appears that there may be too much focus on HIPAA and inadequate focus on PHIPA and data residency requirements in employee/therapist training. This creates a risk of unintentional breaches of the privacy of PHI.
Risk Level: Medium
Recommendations: In alignment with section 1.09 of the Service Agreement, it is recommended that MindBeacon realign its employee/therapist training to focus on PHIPA and data residency requirements and provide a copy of the updated training package to Ontario Health for review.
Status: Completed
Risk 11: Aside from the Platform Privacy Policy and Consent forms, clients are not educated on privacy-protective measures when enrolling and participating in the program. This creates a risk of inappropriate access and use of information in the iCBT program (e.g., by family members).
Risk Level: Medium
Recommendations: It is recommended that MindBeacon work with the NLOs to ensure there is standard language provided to clients about their privacy obligations prior to being triaged to MindBeacon. MindBeacon may wish to consider leveraging the IPC-developed guidelines on working in a virtual care environment to educate clients through a resource made available to them.
Status: Completed
Risk 12: CAMH has been identified as an Agent of iCBT and to date has not entered into any sort of agreement in which privacy obligations are articulated. This creates a risk that CAMH could inadvertently breach privacy without the benefit of clear direction in an agreement.
Risk Level: Medium
Recommendations: It is recommended that MindBeacon enter into an agent agreement with CAMH prior to sharing data.
Status: Completed
Risk 13: MindBeacon has demonstrated that it undergoes full accessibility-related compliance testing annually. However, without more clarity on MindBeacon’s approach to compliance with the AODA, there is a risk that MindBeacon may be in a state of non-compliance with the Act and the Service Agreement.
Risk Level: Medium
Recommendations: It is recommended that MindBeacon provide Ontario Health with attestation that it complies with the AODA requirements in alignment with section 3.12 of the Service Agreement.
Status: Completed
Risk 14: Some NLOs may request a Data Sharing Agreement (though they are not required within the concept of ‘circle of care’). However, no standard template is being used by the NLOs, which creates a risk of disparate privacy obligations for MindBeacon.
Risk Level: Low
Recommendations: While few NLOs have indicated an interest in requesting a DSA to date, if the number increases, it is recommended that MindBeacon work with the NLOs to explore standard language.
Status: Completed
Risk 15: MindBeacon’s approach to consent may be characterized as confusing. This creates a risk of non-compliance with the knowledgeable consent requirements under PHIPA.
Risk Level: Very High
Recommendations:
- It is strongly recommended that each of MindBeacon’s consent forms be rewritten (and perhaps shortened or merged) for alignment in messaging, correct terminology, and a more patient-focused approach. Sub-section 6.2.3 of this PIA contemplates issues and areas of change which may inform amendments to the forms.
- It is recommended that MindBeacon consider the feasibility of handling selective consents online using (for example) check boxes, as this would ease the challenges clients will have with the process and keep it patient-focused.
- It is strongly recommended that MindBeacon study consent as a complex aspect of privacy management and then develop and implement internal processes and procedures to address the complexities. For example, if a client opts out of participating halfway through the program, what does this mean in terms of retention of information collected up to the time of opt-out? Who will have access to the retained information, and why?
Status: Completed
Risk 16: MindBeacon’s approach to record keeping appears to be incomplete, which creates a risk of issues and challenges with addressing access requests and breaches.
Risk Level: Medium
Recommendations: It is recommended that MindBeacon place a focus on developing a policy, processes, procedures, and schedules to address record keeping.
Status: Completed
Risk 17: No information was provided on MindBeacon’s support services. If policies and procedures have not been developed and communicated to support services, this creates a risk of inappropriate access, use and disclosure of the PHI to which support services have access.
Risk Level: Medium
Recommendations: It is recommended that MindBeacon develop privacy measures specific to its support services to limit uses, disclosures and retention.
Status: Completed
Risk 18: It is unclear if the electronic audit log requirements under PHIPA have been met. This creates a risk of non-compliance with section 10.2(1) & (4) of the Act.
Risk Level: Medium
Recommendations: It is recommended that MindBeacon have an electronic audit log in place prior to ‘go-live,’ and the log must address requirements under PHIPA s. 10.2(1) & (4).
Status: Completed
Risk 19: Requests from a client to correct information in the application will be addressed manually by the MindBeacon staff. This practice has the potential to result in transposition or other accuracy-related issues which in turn create a risk of complaints and misalignment with the ‘accuracy’ privacy principle.
Risk Level: Low
Recommendations: It is recommended that MindBeacon develop a quality-assurance process to ensure that updates to client information are accurate.
Status: Completed
Last Updated: January 16, 2026