OTNhub eConsult Phase 1 PIA Summary

Date of PIA Report: October 9, 2013 (PIA reflective of information received up until this date) 

Date PIA Summary Last Reviewed and Updated: May 29, 2025

The following is a summary of the privacy impact assessment (PIA), conducted by the legacy agency Ontario Telemedicine Network Hub (OTNhub), now a part of Ontario Health including a brief background on eConsult Prototype service, key findings and recommendations, and target date for completion. See our Privacy Contact page to find information on how to contact the Ontario Health Privacy Office should you have any questions.

Background

The eConsult project is comprised of a web-based application, supporting business processes and an underlying store and forward technology infrastructure. The eConsult application will enable health care professionals to more efficiently exchange patient health information with one another, to electronically request advice from one another, to refer patients to one another, and to better coordinate the overall care of their patients. 

eConsult addresses the clinical needs of two groups of potential users: referring health care practitioners and medical specialists.  First, the Ontario health care system is facing problems with access to specialist physicians, such as barriers to health professionals who need advice from specialists, disparate organizational structures and referral requirements of specialists, and long wait times for patients who have been referred to specialists. At the same time, specialists encounter their own set of issues, including high volumes of consult requests, incomplete information from referring health care professionals, and a plethora of inappropriate referrals. Although many propose electronic consult and referral management systems as the solution to these problems, there are currently no broadly available electronic systems in Ontario that support secure, on-line consultations between clinicians. Based on this information, it is apparent that Ontario needs a simple, scalable solution, which is integrated into the existing workflow and information systems used by health care professionals

Key Findings

The PIA identified some privacy controls that should be enhanced to support the eConsult Phase 1 service.  Ontario Health’s Privacy Risk Management Policy and Procedures recommends that all very high, high and moderate risks be mitigated to an acceptable level prior to a project going live. As such, the following recommendations should be implemented prior to or in concert with this project’s launch. The recommendations should reduce the risk ratings from high to moderate and from moderate to minor. The identified minor risks should be mitigated within a reasonable time as determined by the Privacy Team.   

A risk rating used to assess the risk of each identified gap is available upon demand.  

Risks and Recommendations

The PIA makes the following risks and recommendations:

Risk 1: Although OTNhub’s role as a HINP (O. Reg. 329/04 s. 6(3)) is addressed in the Membership Agreement, its role as an “e-service supplier” (O. Reg. 329/04 s. 6(1)) is not addressed.  

Risk Level: Low 

Recommendations: OTNhub should ensure that agreements with Members address OTNhub’s obligations pursuant to O. Reg. 329/04 s. 6(1).  

Status: Completed

Risk 2: Various documents were in draft form or undergoing revision at the time of the PIA. For example: privacy policies, privacy governance framework, information practice statements etc.   

Risk Level: Low

Recommendations: OTNhub should prioritize efforts to revise and finalize the following artifacts:  

• Privacy policies and procedures  
• Privacy program governance framework  
• Information practice statements (for example, Privacy Services and Safeguards)    

Status: Completed

Risk 3: OTNhub’s Membership Agreement is specific to Videoconferencing services and does not address Store and Forward services such as eConsult.

Risk Level: Moderate

Recommendations: OTNhub should revise the Membership Agreement to specifically address Store and Forward services or else develop alternate/supplementary agreements specifically governing these services.

Status: Completed

Risk 4: The eConsult application requires Referrers to indicate whether consent has been obtained from patients for eConsultations. This is not necessary because for use and disclosure of PHI via eConsult, the Referrer can rely on the consent for the initial collection of PHI already obtained in the course of treating the patient. The eConsult application only needs to provide the Referrers with the ability to indicate situations where limited consent was obtained.  

Furthermore, the current implementation of consent in eConsult could lead to confusion on the part of the participating HICs (both Referrers and Consultants) by, for example, causing them to believe that they must obtain express consent for eConsultations.  

Risk Level: High

Recommendations: OTNhub should remove the currently implemented patient consent functionality from the eConsult application, and replace it with a simple ‘tick box’ allowing Referrers to indicate that only limited consent was obtained, and that some information was withheld from the Consultant  

HICs should be provided with appropriate training by OTNhub to ensure that they are aware that, if a patient decides to withhold some PHI from the eConsultation that would normally be provided to the Consultant, then the Consultant must be informed of this appropriately by the Referrer.  

OTNhub’s terms of service should inform HICs that they are responsible for obtaining consent from their patients, and that eConsult does not provide functionality to support withdrawal of consent (that is, “Lock Box”)  

Status: Completed

Risk 5: Information Retention  

OTNhub’s data retention policy requires that eConsult PHI be retained for a significantly longer period than is necessary or legally required.

Risk Level: Moderate

Recommendations: OTNhub should retain eConsult data only for as long as is necessary to fulfil the purposes of the eConsultations  

OTNhub’s terms of service should require HICs to acknowledge that eConsult is not intended to function as a persistent patient record and that PHI held in the eConsult database will not be retained longer than necessary for the purpose of conducting eConsultations.    

OTNhub should modify the eConsult application so that in order to close an eConsultation, the HIC must acknowledge that they have copied or transferred sufficient information from the eConsultation to meet all legal requirements for maintaining patient records.  

Status: Completed