Remote Care Management (RCM) PIA Summary
Date of PIA Report: June 19, 2024 (PIA reflective of information received up until this date)
Date PIA Summary Last Reviewed and Updated: May 26, 2025
The following is a summary of the above-referenced privacy impact assessment (PIA), including a brief background on the Remote Care Management (RCM) Solution, key findings, and risks and recommendations as applicable. The PIA for Remote Care Management (RCM) was conducted by an external third-party PIA consultant and completed in June 2024. See our Privacy Contact page to find information on how to contact the Ontario Health Privacy Office should you have any questions.
Background
Ontario Health’s Remote Care Management (RCM) is a model of care enabled by technology to provide high quality evidence-based care and promote patient self-management. Ontario Health has engaged TELUS Health Solutions Inc. (TELUS) to provide the new RCM solution. The TELUS RCM solution, branded as Home Health Monitoring (HHM), is a Software as a Service (SaaS) solution procured by TELUS. TELUS hosts the service and supports the software and managed service. RCM supports chronic disease management and preventive care, palliative care, surgical care, and many other clinical pathways. Up until fiscal year 2021/22, Ontario Health provided a provincial platform that supported RCM programs in Ontario, which had approximately 40 participating Member Organization sites with more than 12,000 unique patients enrolled in one of the 25 different clinical pathways available. It is expected that the new RCM solution will support a similar number of participating Member Organizations and patients, with plans to continue to expand and scale significantly over the next several years.
Ontario Health’s role is to foster and support the development of an effective and sustainable RCM program to support various regions within the province and the health authorities responsible for regional administration of public health care services in the province.
The HHM solution offers patients:
- Access to an application on a mobile tablet, over the web or on their own device that can be used from their home.
- Use of an intuitive, step-by-step application based on pre-scheduled questions that patients can answer.
- Seamless integration with electronic medical devices (such as blood pressure cuffs) that can capture health data and share it with health care providers via the HHM solution.
- Ability to communicate with their health care provider (HCP) using instant chat, secure messaging and video conferencing.
- Access to educational material uploaded by health care providers on their specific care needs.
The HHM solution offers health care providers:
- Access to a centralized view of their patients allowing health care providers to tailor workflows, protocols and interventions, creating customized care plans according to a patient’s condition and status.
- Easy analysis of results, empowering health care providers to adjust treatment based on best-practice guidelines and protocols.
- Alerts and reminders to health care providers based on triggers set up for patients, such as a high blood pressure alert.
- Sophisticated care coordination through monitoring of patient health data and suitable health coaching strategies.
- Asset management, making it easy to manage devices including location and to whom they are assigned.
Key Findings
With the Remote Care Management (RCM) Program, the privacy analysis of the initiative identified 12 risks. In accordance with Ontario Health’s Privacy Risk Management policy and procedures and Privacy Impact Assessment (PIA) Standard, the Chief Privacy Officer (CPO) or delegate approves and endorses the results of the Long Form PIA and risk management process, and should there be a risk or risks that cannot be mitigated to an acceptable risk tolerance of minor, the designated business or portfolio owner must:
- Review and sign off the Risk Acceptance Form;
- Prepare supporting documentation (briefing note) addressing possible consequences as a result of accepting the risk(s) and not implementing the recommendation(s) provided by the Strategy, Planning, Privacy & Analytics Portfolio; and
- Submit the Risk Acceptance Form and supporting documentation to the Executive Lead for the applicable portfolio and to the Executive Lead for Strategy, Planning, Privacy & Analytics Portfolio for review and approval.
Ontario Health’s PIA Standard recommends that all very high, high, and moderate risks be mitigated to an acceptable level (minor) prior to a project going live. As such, the following recommendations should be implemented prior to or in concert with this project’s launch.
Risks and Recommendations
The PIA makes the following risks and recommendations:
Risk 1: There is a risk that Ontario Health may not be able to ensure that Health Information Custodians (HICs) will be able to meet their retention and record-keeping obligations, in alignment with their policies and procedures, with respect to Personal Health Information (PHI).
Risk Level: Moderate
Recommendations: Ontario Health should work with TELUS and Member Organizations to identify a common retention schedule for the HHM solution.
Status: Completed
Risk 2: There is a risk that Ontario Health’s role as a PHIPA Agent, as defined in the Agreement, does not align with the definition of PHIPA Agent. If roles, responsibilities and accountabilities are not clearly defined, this may lead to a lack of understanding and operationalization.
Risk Level: Moderate
Recommendations: Ontario Health should explore with TELUS the possibility of having health care providers accept the privacy notice via a link or a pop-up button at the time of their account creation.
Status: Completed
Risk 3: There is a risk that health care providers may not be aware of their privacy obligations if they are not required to acknowledge the privacy notice at the time of their account creation.
Risk Level: Moderate
Recommendations: Ontario Health should explore with TELUS the possibility of having health care providers accept the privacy notice via a link or a pop-up button at the time of their account creation.
Status: Completed
Risk 4: The mitigation plan for risks identified in the Threat Risk Assessment (TRA) has not yet been developed. There is a risk that, without an agreed-upon mitigation plan, the risk level will not be reduced to Ontario Health’s risk tolerance level.
Risk Level: Moderate
Recommendations: Ontario Health should ensure that a mitigation plan is in place to lower the risk to the risk tolerance level in accordance with the privacy risk management Policies & Procedures.
Status: Completed
Risk 5: There is a risk that Ontario Health and TELUS may not be able to manage privacy incidents in accordance with the Master Agreement for Remote Care Management Services in the absence of a joint privacy management procedure, thereby creating non-compliance with legal obligations and privacy requirements.
Risk Level: Moderate
Recommendations: Ontario Health and TELUS should develop a joint privacy incident management process or RACI chart (Responsibility Assignment Matrix) to manage privacy incidents and breaches.
Status: Completed
Risk 6: There is a risk of non-compliance with PHIPA as Ontario Health has not yet developed a plain language description of the services for sharing with Member Organizations and with the public.
Risk Level: Moderate
Recommendations: Ontario Health should develop a plain language description of the RCM program, which includes a general description of the safeguards in place, and share it.
Status: Completed
Risk 7: Ontario Health has not yet had the opportunity to see the audit logs and verify that they capture all required fields described under s. 6(3) paragraph 4 of O. Reg. 329/04: ‘to the extent reasonably practical, and in a manner that is reasonably practical, keep and make available to each applicable health information custodian, on the request of the custodian, an electronic record of,
- all accesses to all or part of the personal health information associated with the custodian being held in equipment controlled by the provider, which record shall identify the person who accessed the information and the date and time of the access, and
- all transfers of all or part of the information associated with the custodian by means of equipment controlled by the provider, which record shall identify the person who transferred the information and the person or address to whom it was sent, and the date and time it was sent.’
Information and Privacy Commissioner of Ontario (IPC) Order HO-013 recommends logging and auditing of all patient activities. As a result, there is a risk of non-compliance with PHIPA without verification of the logs.
Risk Level: Moderate
Recommendations: Ontario Health should verify that the HHM solution’s logs meet the requirements of s. 6(3) paragraph 4 of O. Reg. 329/04.
Status: Completed
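The verification recommended above can be scripted once a log export is available. The following is an added example, not Ontario Health’s or TELUS’s code, and it does not reflect the actual HHM log format: it checks an export of newline-delimited JSON audit records against the two record types the quoted regulation describes (accesses must identify the person and the date/time; transfers must identify the sender, the recipient or address, and the date/time). The field names (`event`, `actor`, `recipient`, `timestamp`) and the sample records are assumptions constructed for illustration; a real export would need its own field mapping.

```python
"""Check audit records for the fields s. 6(3) para. 4 of O. Reg. 329/04 requires.

Added example, not code from Ontario Health or TELUS. Field names and sample
records are assumed/constructed for illustration only.
"""
import json
from datetime import datetime

# Fields the regulation's wording requires, per event type (names assumed).
REQUIRED_FIELDS = {
    "access": ("actor", "timestamp"),                 # who accessed, when
    "transfer": ("actor", "recipient", "timestamp"),  # who sent, to whom/where, when
}


def validate_record(rec):
    """Return a list of problems found in one audit record (empty if compliant)."""
    problems = []
    event = rec.get("event")
    if event not in REQUIRED_FIELDS:
        # Logins, errors etc. are not the access/transfer records the
        # regulation asks for; flag them so the mapping can be reviewed.
        return [f"unknown or missing event type: {event!r}"]
    for field in REQUIRED_FIELDS[event]:
        if not rec.get(field):
            problems.append(f"{event} record missing '{field}'")
    ts = rec.get("timestamp")
    if ts:
        # A date/time that cannot be parsed is as bad as a missing one
        # when a custodian later has to reconstruct who accessed what when.
        try:
            datetime.fromisoformat(ts)
        except ValueError:
            problems.append(f"timestamp not ISO 8601: {ts!r}")
    return problems


def audit_log_report(lines):
    """Validate NDJSON audit lines; return (records_checked, [(lineno, problem), ...])."""
    findings = []
    checked = 0
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        checked += 1
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append((lineno, "unparseable record"))
            continue
        for problem in validate_record(rec):
            findings.append((lineno, problem))
    return checked, findings


# Constructed sample export (not real HHM data). Line 2 and 4 are compliant;
# line 3 lacks the actor, line 5 lacks the recipient and has a non-ISO date,
# line 6 is an event type the regulation does not describe.
SAMPLE_LOG = """
{"event":"access","actor":"nurse01","patient":"P-0001","timestamp":"2024-06-01T09:15:00"}
{"event":"access","patient":"P-0002","timestamp":"2024-06-01T09:16:00"}
{"event":"transfer","actor":"nurse01","recipient":"clinic-ehr","timestamp":"2024-06-01T09:20:00"}
{"event":"transfer","actor":"nurse02","timestamp":"06/01/2024"}
{"event":"login","actor":"nurse03","timestamp":"2024-06-01T09:30:00"}
"""

if __name__ == "__main__":
    checked, findings = audit_log_report(SAMPLE_LOG.splitlines())
    print(f"{checked} records checked, {len(findings)} finding(s)")
    for lineno, problem in findings:
        print(f"  line {lineno}: {problem}")
```

Running the script over the constructed sample reports five records checked and four findings. In practice the same check would be run over a full export so that the custodian can be shown that every access and transfer record carries the person, destination and date/time the regulation calls for, rather than relying on a handful of spot-checked entries.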
Risk 8: There is a risk of contravention of HICs’ record retention policies if instant chat messages, which may contain Personal Information (PI)/Personal Health Information (PHI), are not retained.
Risk Level: Moderate
Recommendations: HICs should be notified and directed to include a note of the interaction in their own patient record.
Status: Completed
Risk 9: There is a risk that health care providers may not be aware of IPC recommended best practices for video conferencing.
Risk Level: Minor
Recommendations: Ontario Health should encourage HICs to review the IPC recommended best practices for video conferencing (Privacy and Security Considerations for Virtual Health Care visits, February 2021) to ensure they are aware of IPC guidance with respect to virtual health care visits.
Status: Completed
Risk 10: Ontario Health has not yet developed a privacy training module for the HHM solution. There is a risk that, without HHM-specific guidance for patients and health care providers, they may not be aware of their privacy obligations.
Risk Level: Minor
Recommendations: Ontario Health should develop a privacy training module for health care providers which provides guidance on the privacy features of the RCM solution. The privacy guidance for patients should focus on patients’ use of the RCM solution as well as patients’ own obligation to protect their devices from unauthorized use.
Status: Completed
Risk 11: There is a risk of non-compliance with Ontario Health’s standard: the Agreement between TELUS and Ontario Health commits TELUS to provide a certificate of destruction; however, the Agreement does not require the Certificate of Destruction to include the details documented in Ontario Health’s Media Destruction, Sanitization and Disposal standard.
Risk Level: Minor
Recommendations: Ontario Health should amend the agreement with TELUS to require TELUS to comply with Ontario Health’s Media Destruction, Sanitization and Disposal standard.
Status: Completed
Risk 12: Ontario Health has not yet developed a TRA summary as required by O.Reg. 329/04 s. 6(3)(5) to: ‘perform, and provide to each applicable health information custodian a written copy of the results of, an assessment of the services provided to the health information custodians, with respect to,
- threats, vulnerabilities and risks to the security and integrity of the personal health information, and
- how the services may affect the privacy of the individuals who are the subject of the information.’
There is a risk of non-compliance with PHIPA without developing and sharing a TRA summary with Member Organizations.
Risk Level: Minor
Recommendations: Ontario Health should develop a TRA summary and share it with Member Organizations.
Status: Completed
Last Updated: January 16, 2026