Prescribed Organization Statement of Information Practices

Ontario Health is a provincial agency whose mandate is set out in the Connecting Care Act, 2019. To fulfill this mandate, Ontario Health receives personal health information and personal information relating to health care provided in Ontario and to Ontario residents. In respect of this confidential information, Ontario Health is committed to complying with its obligations under applicable privacy law and protecting the privacy rights of individuals and the confidentiality of their personal health information and personal information. For information about Ontario Health’s information practices, visit Ontario Health Statement of Information Practices.

This Statement of Information Practices explains how Ontario Health handles and manages personal health information in respect of its Prescribed Organization role under the Personal Health Information Protection Act, 2004 (PHIPA), including Ontario Health’s authority under the law to collect, use, disclose and otherwise handle this information.

Authority to Collect, Use and Disclose Personal Health Information

Prescribed Organization

Ontario Health is a prescribed organization under the Personal Health Information Protection Act, 2004 (PHIPA). As a prescribed organization, Ontario Health has the power and duty to develop and maintain the provincial electronic health record (EHR), to carry out digital health identifier (DHI) activities, to provide individuals with access to their EHR and DHI records, and to carry out other prescribed duties.

Only Ontario Health carries out the role of a prescribed organization under PHIPA. Ontario Health has developed policies and procedures to ensure it carries out its roles and responsibilities in compliance with the prescribed organization requirements. The Information and Privacy Commissioner of Ontario (IPC) reviews and approves a prescribed organization’s information practices every three years.

Developing and Maintaining the Electronic Health Record (EHR)

Ontario Health develops and maintains the provincial electronic health record (EHR) in accordance with Part V.1 of PHIPA. The EHR contains a secure digital record of individuals’ personal health information contributed by authorized health information custodians and provides an electronic means to enable health care providers and other authorized entities to access this personal health information for the delivery of care or other authorized purposes. For a description of the EHR and a summary of the types of personal health information received by Ontario Health to develop and maintain the EHR, see Ontario Health's Electronic Health Record (EHR) Description and List of Repositories.

Under PHIPA, Ontario Health is not considered to be collecting personal health information from health information custodians or disclosing personal health information to health information custodians when it receives and makes available personal health information as a prescribed organization. Ontario Health uses personal health information for the purposes of developing and maintaining the EHR, including associated functions: ensuring the proper functioning of the EHR; managing and integrating EHR data; making sure that EHR data is of the same level of quality as what was submitted to the EHR by health information custodians; and analyzing EHR data to provide alerts and reminders to health care practitioners for their use in the provision of health care to individuals. Ontario Health may not provide or disclose personal health information that is accessible by means of the EHR, to any person, except as permitted or required by PHIPA.

The EHR and DHI Privacy FAQ provides more information on how Ontario Health protects and enhances the privacy of EHR data, including: who can see EHR data; how EHR data is used; and how access to EHR data can be managed.

Carrying out Digital Health Identifier (DHI) Activities

Ontario Health carries out digital health identifier (DHI) activities in accordance with Part V.2 of PHIPA. These digital health identifier (DHI) activities include Ontario Health providing services to validate and verify an individual's identity, to authenticate an individual’s identity each time they use their DHI to access a digital health tool, and to manage accounts. For a description of the DHI activities Ontario Health carries out, see Ontario Health's Digital Health Identifier (DHI) Description of Activities.

Under PHIPA, Ontario Health is permitted to collect, use, and disclose personal health information to carry out DHI activities with express consent. Under prescribed circumstances, Ontario Health may continue to use personal health information following an individual's withdrawal of consent, where required to carry out DHI activities.

The EHR and DHI Privacy FAQ provides more information on how Ontario Health protects and enhances the privacy of DHI records, including: who can see DHI records; how DHI records are used; and how disclosure of DHI records can be managed.

Providing Individuals with Access to their EHR and DHI Records

Ontario Health provides individuals with access to their EHR and DHI records in accordance with Part V of PHIPA. This includes clinical records contributed to the EHR by health information custodians, logging records associated with EHR access and consent management, and logging records of validation, verification, authentication, consent, and updates in relation to DHI activities. Ontario Health also provides assistance to individuals making such requests.

Under PHIPA, Ontario Health is permitted to collect, use, and disclose personal health information where reasonably required to receive, process, and respond to an access request. Further information on access requests can be found under "Accessing your health records" below.

Safeguards for the Protection of Personal Health Information

Ontario Health has general safeguards in place for the protection of personal information and personal health information. For information, visit Ontario Health Safeguards for the Protection Of Personal Information and Personal Health Information.

Ontario Health has implemented strong administrative, physical and technical safeguards, consistent with industry best practices, to protect the personal health information being transferred, processed or stored from theft, loss, unauthorized use, modification, disclosure, destruction or damage. EHR safeguards include but are not limited to the following:

  • a comprehensive suite of EHR privacy policies outlining our information handling practices;
  • agreements with health information custodians (health care providers and organizations) that outline the roles, responsibilities and obligations governing their contribution and access to the EHR.

For more information about the EHR safeguards in place at Ontario Health, please refer to the Electronic Health Record (EHR) Description and List of Repositories. For privacy impact assessment summaries, review the Ontario Health Privacy Impact Assessment Summaries page.

Your Privacy Rights

Accessing your health records

You have a right under PHIPA to access your records of personal health information, which includes your health records that are stored in the EHR. You also have a right to access certain audit records that identify when your personal health information was accessed or transmitted by means of the EHR, when you applied, modified, or revoked any consent directives in relation to your personal health information in the EHR, and when a consent override was performed in relation to your personal health information in the EHR. Accessing your Information: EHR and DHI provides more information on how to access your EHR data.

You have a right under PHIPA to access your DHI records, including records related to changes in the identifying information used in the creation or maintenance of the DHI, consents given or withdrawn in relation to the DHI, DHI validation and verification service records, and dates on which a DHI was used to access My Health Record. Accessing your Information: EHR and DHI provides more information on how to access your DHI Records.

Correcting your health records

You have a right under PHIPA to request a correction to your records of personal health information if you believe a record is inaccurate or incomplete for the purposes for which the information is collected or used.

Ontario Health does not control the content or accuracy of the health records that are stored in the EHR. If you have questions or concerns about the accuracy of your health records in the EHR, including the accuracy of your health records that are accessible through My Health Record, please contact the health information custodian (for example, your primary care provider or family physician) who provided the record to the EHR, or who is directly involved in your care and treatment.

For assistance, please contact us, or complete our EHR Request for Access and Correction to Personal Health Information Form. For more details, please see the Electronic Health Record Request for Correction to Personal Health Information Policy.

Note: Ontario Health is not required to accept correction requests in relation to logs it is required to keep in relation to the EHR or DHI.

Withdrawing your consent for access to your personal health information in EHR

If you do not want your health records held in the EHR to be accessed by health care practitioners for the purposes of providing you care or assisting in your care, you can request that Ontario Health block access to your health records. This is called a “consent directive.” If you choose to apply a consent directive to your health record(s), a notice will be displayed indicating that access to your health record(s) is blocked when a health care practitioner tries to access these records in the EHR. Consent directives do not block access in other systems outside of the EHR.

Consent Overrides

If you have applied a consent directive to your health records in the EHR, there are certain circumstances where a health information custodian may still access these records in compliance with PHIPA. This is known as a consent override. The Electronic Health Record Consent Directive and Consent Override Policy outlines the circumstances where an override is permitted.

In some instances, a health information custodian may not have the technical ability to perform a consent override and therefore may not be able to access the personal health information while a consent directive is in place, even in cases of significant risk of serious bodily harm to you or to another person or group of persons.

See Managing Access to your EHR for more information on consent directives and managing access to your EHR data.

To withdraw consent for handling of your personal health information for digital health identifier activities, refer to the DHI FAQ for more information.

Contact Us

See our Privacy Contact Page to find information on how to contact the Ontario Health Privacy Office.

Last Updated: April 08, 2026