OTNhub eConsult and eConsult Electronic Medical Record (EMR) PIA Summary

Date of PIA Report: June 2020 (PIA reflective of information received up until this date) 

Date PIA Summary Last Reviewed and Updated: May 29, 2025

eConsult 2.4 and eConsult Electronic Medical Record (EMR) Application Program Interface (API) 3.0.5 and 3.1

The following is a summary of the above-referenced PIA, including a brief background on eConsult, key findings, risk and recommendations as applicable, target dates for completion. See our Privacy Contact page to find information on how to contact the Ontario Health Privacy Office should you have any questions.

Background

Ontario Health OTNhub delivers the eConsult program in partnership with the Ontario eConsult Centre of Excellence and its regional delivery partners. The eConsult program aims to improve access to specialized care in Ontario by allowing primary care providers and other health care providers to send questions to specialists in electronic format as eConsult cases. eConsult cases can range from questions about prescription dosages to requests for virtual dermatology assessments based on enclosed patient images. In many cases, eConsults eliminate the need for in-person appointments with specialists, reducing costs and wait times. Additionally, response times for eConsult cases average just two days, ensuring timely responses for requesting providers.  

Key Findings

The eConsult 2.4 and eConsult EMR API 3.0.5 & 3.1 PIA evaluated 8 standard risk scenarios by assessing the risk level of the releases against those risk scenarios. Of the eight (8) risk scenarios evaluated, the PIA identified zero (0) high, one (1) medium, five (5) low and two (2) very low risk areas relative to the scenarios. Ontario Health OTNhub’s PIA policy recommends that all high/medium risks be mitigated to an acceptable level prior to a project going live. As such, the recommendations for high and medium risks should be implemented prior to or in concert with the project’s launch. The recommendations should reduce the risk ratings from high to medium and from medium to low. The identified low risks should be mitigated within a reasonable time frame, as determined by the Ontario Health OTNhub Privacy team. Risk ratings used to assess the risk of each identified gap are available upon demand.

Risks and Recommendations

The PIA makes the following risks and recommendations:

Risk 1: Unauthorized disclosure by external malicious agent     

Risk Level: Moderate 

Recommendations: Implement logical threat and risk assessment (LTRA) recommendations. 

Status: Closed

Risk 2: Unauthorized use of PHI by staff (intentional, non-malicious). 

Risk Level: Low

Recommendations: No action required at this time.  

Status: Accepted

Risk 3: Unauthorized disclosure of PHI by staff (intentional, malicious) 

Risk Level: Low

Recommendations: No action required at this time.

Status: Accepted

Risk 4: Patients’ rights not fully protected  

Risk Level: Low

Recommendations: Ontario Health OTNhub should consider the critical dependencies associated with the agreement framework. 

Status: Closed – Ontario Health OTNhub has updated its member and user agreements since the PIA was conducted. Further amendments to the eConsult Schedule are also planned.

Risk 5: Corruption of PHI  

Risk Level: Low

Recommendations: No action required at this time.

Status: Accepted

Risk 6: Ontario Health OTNhub collects more information than is needed for identified purposes  

Risk Level: Very Low

Recommendations: No action required at this time.  

Status: Accepted

Risk 7: Unauthorized disclosure – Improper disposal of media containing PHI  

Risk Level: Very low

Recommendations: No action required at this time

Status: Accepted