TeleSensi (formerly Tele-Stethoscope Service) PIA Summary

Date of PIA Report: June 27, 2022 *(PIA reflective of information received up until this date) 

Date PIA Summary Last Reviewed and Updated: May 26, 2025

The following is a summary of the above-referenced privacy impact assessment (PIA), including a brief background on the Tele-Stethoscope service, key findings, risk and recommendations as applicable, and target dates for completion. See our Privacy Contact page to find information on how to contact the Ontario Health Privacy Office should you have any questions.

Background

The Tele-Stethoscope service ensures that patients can access the care they need in their home communities without the financial, physical and mental burden of traveling long distances to see their care providers. The main users of the service are clinicians working in cardiology, anesthesiology, and primary care. For communities with limited access to primary care, the service allows remote primary care providers to fill the gap and provide quality primary care while reducing the strain on local emergency departments. It also reduces the need for specialists to travel to communities they support, allowing for increased direct patient care.  

The Tele-Stethoscope service allows a remotely based Consultant to listen to a patient’s heart and lung sounds via an electronic Stethoscope over a secure network for the purpose of diagnosis. The current solution (TeleSteth) uses software which is no longer supported by the vendor, and the end of updates and support services in 2018 presented a risk to business continuity. Ontario Health completed a Request for Proposal (RFP) and selected TeleSensi developed by Stone Three as the replacement solution replacement solution. COVID-19 priorities affected the timeline to transition to the new solution, and Ontario Health’s intentions were to transition users to the new platform in April 2022.  

Key Findings

The privacy analysis of the initiative identified three risks.  Ontario Health’s Privacy Risk Management Policy and Procedures recommends that all very high, high and moderate risks be mitigated to an acceptable level prior to a project going live. As such the following recommendations should be implemented prior to or in concert with this project’s launch. The recommendations should reduce the risk ratings from high to moderate and from moderate to minor. The identified minor risks should be mitigated within a reasonable time as determined by the Privacy Team.   

Risk rating definitions used to assess the risk of each identified gap are available upon demand. 

Risks and Recommendations

The PIA makes the following risks and recommendations:

Risk 1: There may be differences between Stone Three’s privacy incident response procedure and the requirements for vendors in Ontario Health’s privacy incident response procedure.    

Risk Level: Low

Recommendations: Ontario Health should share a copy of its incident response procedure with Stone Three and request that the company review the Ontario Health procedure to identify any differences with their own incident response procedures. Should there be material differences, Stone Three

Status: Completed

Risk 2: Some patients may be anxious about the remote aspect of the Consultant listening to heart and lung sounds over the internet and not understand that it is both secured and transitory.

Risk Level: Low

Recommendations: Ontario Health should provide communications content for participating Patient Access Network (PAN) and OTNhub member sites to share with patients that includes a plain language description of how TeleSensi works to facilitate the TS consultation. Ontario Health should also post this description on the Ontario Health Website to align its obligations as a Health Information Network Provider.  

Status: Completed

Risk 3: A Threat Risk Assessment and associated technical vulnerability assessment or penetration test have not been completed on the TeleSensi solution. Therefore, there may be technical or other security risks that have not been identified. For instance, as the TeleSensi solution processes sound waves that could be identified as personal health information, there are fields that could be correlated to identify and associate the sound waves to the actual individual.

Risk Level: Medium

Recommendations: We recommend that an external, third-party TRA be performed for the TeleSensi solution in order to obtain an independent, third-party perspective on the security of Ontario Health’s implementation of the solution.  

Status: Completed