OTNhub Secure Messaging PIA Summary

Date of PIA Report: September 2018 (PIA reflective of information received up until this date) 

Date PIA Summary Last Reviewed and Updated: May 9, 2025

Secure Messaging (iOS, Android, OTNhub): Full PIA and Delta PIA

Secure Messaging (Additional OTNhub Features and Provincial Roll-Out Preparation): Statements of Risk

The following is a summary of the above-referenced privacy impact assessment (PIA) for Secure Messaging, including a brief background on the Secure Messaging project, key findings and recommendations, and the target date for completion. See our Privacy Contact page to find information on how to contact the Ontario Health Privacy Office should you have any questions.

Background

Ontario Health owns and operates the OTNhub, a virtual care platform that provides access to thousands of users across several core services, including eVisit and eConsult. Feedback from the field indicated demand for an unstructured messaging service for ad hoc collaboration, shorter questions, and care coordination. In response to this demand, Ontario Health entered into a signed agreement with a limited number of OTNhub members to launch a Proof of Concept (POC) initiative to provide secure messaging functionality to those Members. 

The first phase of the Secure Messaging POC initiative provided secure messaging functionality, via the OTNConnect Application, to a limited number of OTNhub members using iOS devices. A full PIA was conducted on this project phase in September 2018. Subsequent project phases enabled secure messaging functionality for select OTNhub members using the OTNhub (that is, desktop browser endpoint) and Android devices, via the OTNConnect Application. To identify risks associated with the deployment of secure messaging functionality to these new endpoints, Ontario Health completed a delta PIA for the Android and OTNhub phases of the POC pilot in March 2019.

After completion of the delta PIA for the Secure Messaging OTNhub and Android releases, additional scope was added for the OTNhub endpoint. As such, a privacy Statement of Risk (SoR) was conducted to assess the additional scope in September 2019. A final privacy Statement of Risk was conducted in March 2020 to ensure readiness for an anticipated provincial roll-out of Secure Messaging functionality. 

Key Findings

The four assessments described above identified a total of fifteen risks. Ontario Health’s PIA policy recommends that all high and medium risks be mitigated to an acceptable level prior to a project going live. As such, the following recommendations should be implemented prior to or in concert with this project’s launch. The recommendations should reduce the risk ratings from high to medium and from medium to low. The identified low risks should be mitigated within a reasonable time as determined by the Privacy Team.

Risks and Recommendations

The PIA makes the following risks and recommendations:

Secure Messaging iOS PIA and Secure Messaging Android and OTNhub Delta PIA 

Risk 1: End users may not remember the terms and conditions that they are required to meet under the relevant agreement(s) which may lead to unauthorized collection, use and disclosure of sensitive information, including Personal Information and Personal Health Information (PI/PHI). 

Risk Level: Medium

Recommendations: A short disclaimer should be presented to the end user each time they log in to the OTNhub, informing the end users of the purpose for which they are to use Secure Messaging. The disclaimer should inform end users that any collection, use, disclosure or handling of PI/PHI is subject to PHIPA, including any PHI where a patient has withdrawn consent. The language should also warn users against copying, pasting and/or exporting data that may lead to unauthorized collection, use, disclosure and handling of PI/PHI. 

Status: In Progress. 

 

Risk 2: There is a risk of unauthorized access, use, disclosure and handling of sensitive information, including PI/PHI, in the event the mobile device is lost or stolen if the end user fails to secure the device. Without enabling user authentication security features, a thief may be able to access the contents of the phone, including the secure messages.

Risk Level: Medium

Recommendations: Ontario Health should require end users to enable authentication security features on their phone (i.e. PIN or password and locking after a period of inactivity), and should prohibit mobile devices that have been jailbroken from connecting to Ontario Health services.

Status: Completed.

 

Risk 3: There is a risk that Ontario Health is in non-compliance with its Health Information Network Provider (HINP) requirements under s.6(3) of O.Reg.329/04, as the current OTNhub Terms of Service for Member Organizations, June 2018, does not provide an accurate and up-to-date plain language description of the Secure Messaging function which is part of the OTNhub service.

Risk Level: Medium

Recommendations: Prior to rolling out the Secure Messaging function as a service and after the POC, Ontario Health should amend OTNhub’s Terms of Service for Member Organizations, June 2018 and update the description of services to include a description of the Secure Messaging function, as well as the purpose for which members and users may use the messaging feature. 

Status: Completed

 

Risk 4: Without providing a publicly available description of the Secure Messaging function, applicable policies, guidelines and a description of safeguards, there is a risk that Ontario Health is in non-compliance with its HINP requirements under s.6(3) of O.Reg.329/04.

Risk Level: Medium

Recommendations: Prior to rolling out the Secure Messaging function as a service and after the POC, Ontario Health should update its website to include a description of the Secure Messaging function and include relevant policies and guidelines, as well as a high-level description of safeguards. 

Status: Completed.

 

Risk 5: Without readily available and accurate audit logs, there is a risk of delays in responding to requests by participating sites for audit logs in the event of a privacy and/or security breach, which may delay containment and investigation efforts. 

Risk Level: Medium

Recommendations: Ontario Health should develop queries and reports that automatically capture the required fields as described under s.6(3) paragraph 4 of O.Reg. 329/04, to ensure that this information is readily available upon request. Efforts should also be made to log the HIC of the PHI in an accurate manner (as opposed to deriving the HIC from the username). 

A documented procedure must exist to ensure Ontario Health only transmits sensitive audit logs that may contain PHI to authorized individuals from member sites. 

Status: Completed

 

Risk 6: There is a risk that Ontario Health is in non-compliance with its HINP requirements under s. 6(3) of O.Reg. 329/04 due to missing provisions in the agreement between Ontario Health and the third-party vendor that require the vendor to comply with the restrictions and conditions necessary to allow Ontario Health to comply with its HINP requirements.

Risk Level: Medium

Recommendations: Ontario Health to amend its agreement with the vendor to include provisions that require the third-party vendor to comply with the restrictions and conditions necessary to allow Ontario Health to comply with its HINP requirements. 

Status: Completed

 

Risk 7: The Ontario Health OTNhub User Agreement, June 2018, does not include a description of the Secure Messaging function. Without including a description of the Secure Messaging function in the agreement, there is a risk of ambiguity with respect to the roles and responsibilities of Ontario Health and users.

Risk Level: Medium

Recommendations: Prior to rolling out the Secure Messaging function as a service and after the POC, Ontario Health should update the OTNhub User Agreement, June 2018, to include a description of the Secure Messaging function and to make it clear that the Secure Messaging function is part of the existing OTNhub services. The requirements in the agreement are general requirements that will apply for Secure Messaging as well. 

Status: Completed

 

Risk 8: A documented offboarding procedural document is not in place for Ontario Health’s clients using Ontario Health services. The absence of documented offboarding procedures may lead to ambiguity with clients as well as potential delays in containing privacy and/or security breaches involving Ontario Health services where end user access needs to be removed. Improper offboarding may also lead to a higher likelihood of unauthorized access and use when user accounts remain active in error, resulting in a privacy and/or security breach, and a higher likelihood of procedural breakdown when relevant staff leave due to improper knowledge transfer. 

Risk Level: Medium

Recommendations: Ontario Health to draft and develop offboarding procedures that address offboarding and revocation of credentials for its clients using Ontario Health services. This documented procedure should be shared with the clients using Ontario Health services to ensure that they are aware of the proper procedures, and for knowledge transfer purposes. 

Status: Completed

 

Risk 9: Two (2) different sets of addresses for sending the Privacy Complaint Form to Ontario Health may lead to confusion with respect to form submission. In the event that one of the addresses is no longer valid, there is a risk that Privacy Complaint Forms containing sensitive information could be sent to the wrong address. 

Risk Level: Medium

Recommendations: Ontario Health to review and update all public facing forms with the correct mailing address. 

Status: Completed

 

Risk 10: In the event that the POC/Pilot is extended beyond the limited number of Ontario Health Members already participating, this PIA may not suffice due to the limited scope. Without a PIA to assess Secure Messaging services beyond current pilot participants, there is a greater risk of unauthorized handling of PHI and non-compliance with Ontario Health’s legislative, contractual and administrative requirements.

Risk Level: Medium

Recommendations: Should the POC/Pilot of the Secure Messaging service be extended to a larger audience beyond current pilot participants, a PIA must be undertaken to assess any changes and to ensure all safeguards are in place including the mitigation of risks and compliance with Ontario Health’s legislative, contractual and privacy policy requirements. 

This PIA must also assess whether processes/mechanisms are in place to ensure that Ontario Health can meet the requirements of its clients, including (but not limited to) meeting retention requirements and responding to individual access requests in a timely manner. 

Status: Completed. Privacy Statement of Risk completed February 2020.

 

Risk 11: The hyperlink in Ontario Health’s OTNhub User Agreement, June 2018 that directs users to Ontario Health’s Privacy Statement appears to be out-of-date and only describes the collection of PI in the context of Ontario Health’s website. In contrast, the hyperlink provided in the iOS Privacy Notice contains a comprehensive description of services offered by Ontario Health. Without consistency in Ontario Health’s Privacy Statement, there is a risk of confusion and lack of clarity around the services offered by Ontario Health including Ontario Health’s practices around the collection, use and disclosure of PI/PHI.

Risk Level: Low

Recommendations: Ontario Health should update the hyperlink in Ontario Health’s OTNhub User Agreement, June 2018 with the hyperlink provided in the iOS Privacy Notice. In updating the hyperlink in the OTNhub User Agreement, June 2018, Ontario Health should not limit the Privacy Notice to iOS, as the Secure Messaging Service will also be deployed for Android devices and the OTNhub App Browser. The Privacy Notice should be inclusive of iOS, Android and OTNhub App Browser users.

Status: Completed

 

Risk 12: Ontario Health’s Privacy Statement does not include a description of the Secure Messaging function as part of existing OTNhub services. Without a description of the Secure Messaging function in Ontario Health’s Privacy Statement, there is a lack of transparency around Ontario Health’s handling of PI/PHI with respect to the Secure Messaging service. 

Risk Level: Low

Recommendations: Prior to rolling out the Secure Messaging function as a service and after the POC, Ontario Health should update its Privacy Statement to include secure messaging as a function that is being offered as part of the existing OTNhub services. 

Status: Completed

 

Secure Messaging OTNhub SoR and Secure Messaging Full Provincial Roll-Out SoR:

Risk 1: Although mitigation plans are in progress, there is a risk that the five outstanding medium risks from prior assessments may not be mitigated prior to full roll-out of the Secure Messaging solution. 

Risk Level: Medium

Recommendations: Mitigate all medium risks in accordance with documented action plans prior to the Secure Messaging full roll-out. 

Status: In Progress

 

Risk 2: Permitting users to export, save or print attachments creates a risk of unauthorized disclosure of PHI by users and/or members. Ontario Health’s existing agreements do not clearly articulate that users/members become responsible for the appropriate management of exported/transferred PHI, creating a risk for Ontario Health in the event of a privacy breach. 

Risk Level: Low

Recommendations: Ontario Health should consider adding additional language to the OTNhub User Agreement under User Obligations (section 2c), clearly indicating the following: 

  • Any content exported or transferred from Ontario Health applications becomes the responsibility of the user (and/or the associated member (HIC)) who exported/transferred it. 
  • Users must ensure that any PHI exported or transferred from Ontario Health applications is managed in accordance with their organization’s privacy policies and PHIPA.
  • Users must follow their organization’s privacy breach management procedures in the event exported/transferred PHI is lost, stolen, or otherwise used or disclosed without authority. The Ontario Health Privacy Office should also be notified in such instances. 

Ontario Health should consider adding the language suggested above to the OTNhub Member Terms of Service under section E, Personal Health Information. 

Ontario Health should consider adding the language suggested above to a pop-up banner or message that appears when information is saved, exported, or printed from any application in the OTNhub. 

Status: Completed

 

Risk 3: By retaining Secure Messaging attachments indefinitely, there is a risk that Ontario Health may retain PHI and other confidential information for longer than is reasonably required to fulfil the intended purpose. 

Risk Level: Low

Recommendations: Ontario Health should consider implementing a defined retention period for Secure Messaging attachments. The retention period should be long enough to allow health information custodians to fully comply with their record keeping requirements (i.e., 10-15 years) but stop short of indefinite retention. Attachments may also be deleted at the express request of the relevant health information custodian(s).

Status: In Progress. Retention Schedule is undergoing review and revisions as part of integration with Ontario Health. 

Last Updated: January 16, 2026