Virtual Visits Verification FAQ

The purpose of the program is to support health service (HSP) providers to make informed decisions about the virtual care solutions they use and by ensuring that solutions meet a provincial standard for privacy, security, technology, accessibility and functionality.  HSPs must still perform their own due diligence on privacy and security risks and confirm the compliance of their solution with relevant applicable laws, such as the Personal Health Information Protection Act, 2004 (PHIPA) and the Freedom of Information and Protection of Privacy Act (FIPPA), which govern the collection, use, and disclosure of personal health information (PHI) and personal information (PI).

HSPs benefit in multiple ways:

• The Virtual Visits Verification Standard (Standard) helps HSPs make informed decisions about the procurement of virtual care solutions. Compliance with this Standard ensures that HSPs use safe, secure and interoperable platforms for patient to provider video and secure messaging.
• Safeguarding of PHI enables HSPs to comply with their legislative and regulatory obligations.
• Alignment with provincial initiatives in which use of an Ontario Health verified virtual care solution is a recommendation or a requirement.

Program scope currently includes video and secure messaging. Solution providers may submit to become verified for video, secure messaging, or for both video and secure messaging.

No. Solution providers may submit to become verified at any time. However, in cases where a solution was withdrawn from the program, Solution Providers may submit their solution to become re-verified no sooner than six months from the date the solution was moved from the Verified Solutions List to the Withdrawn Solutions List.

Solutions in the process of withdrawing from the program are identified on the Verified Solutions List for 60 days before they are withdrawn in order for HSPs to change to an alternative solution that has been verified by Ontario Health. Once a solution is moved to the Withdrawn Solutions List, it is no longer considered an Ontario Health verified solution and thus no longer meets the terms of any contractual requirements to use an Ontario Health verified solution that users may be subject to (e.g. Ontario Health Insurance Plan (OHIP). Withdrawn solutions remain on the Withdrawn Solutions List for a period of six months.

Solution Providers must submit documentation demonstrating compliance with the Standard and program requirements. Ontario Health performs the verification function, starting with an orientation session and overview of the verification process. Verification involves the review and assessment of the documents submitted and the subsequent testing of the solution to validate compliance. Solution Providers offering more than one solution must verify each solution independently. Each solution will be separately listed on the Verified Solutions List.

Solutions are required to undergo validation testing and to submit substantiation materials to meet program requirements. OntarioMD performs the validation testing function, which begins with an orientation session and overview of the validation process. Validation involves the testing of functionalities and submission of documentation as may be required (i.e. certifications, audit logs, data tables, etc.).

Yes, however, verification does not replace the procurement process. HSPs (buyers) are still required to follow all applicable broader public sector procurement guidelines. Providers and organizations are advised to conduct their own due diligence to ensure that any solution they procure aligns with their specific needs and requirements.

It is the Solution Provider’s responsibility to notify Ontario Health of any material change to their software or platform that could impact the Solution Provider’s ability to meet all mandatory requirements. A material change may include updates to core functionality, data handling processes, integrations with other systems, or any modifications that could affect compliance, performance, patient safety, or security of the software including user access, data flow, etc. Timely communication ensures continued alignment with Ontario Health’s Virtual Visits Verification Standard and supports effective oversight. If a Solution Provider is unsure whether a change made, or planned to be made, is material, contact the program at verification@ontariohealth.ca to discuss.

HSPs should encourage their Solution Providers to visit Ontario Health’s Virtual Visits Verification Standard page, where information about the program is published. If you are an HSP that is participating in an innovative pilot, project or program, you are encouraged to email verification@ontariohealth.ca to request a meeting to discuss options available to verify your solution.

Yes. Requirements will evolve over time. Ontario Health will publish updated versions of the standard on the Virtual Visits Verification Standard page. Verified Solution Providers will be notified of changes made to the requirements to which they have already attested to meeting. Where a requirement has changed and a Solution Provider is no longer able to meet its compliance obligation, a remediation process will be initiated to ensure that the Solution Provider has sufficient time to comply with the updated version of the requirements.

The Virtual Visits Verification Program Terms and Conditions govern the overarching relationship between Ontario Health and solution providers.

The Virtual Visits Verification Standard outlines mandatory requirements that virtual care solutions must demonstrate to be verified by Ontario Health’s Virtual Visits Verification Program.

Additional information regarding the program and submission criteria are described at the Ontario Health Virtual Visits Verification Standard page.

Solution Providers that are interested in becoming verified are required to request from Ontario Health a submission package via email at verification@ontariohealth.ca.

A key program objective is to provide HSPs with the freedom to choose virtual care solutions best suited to their needs, while still meeting the provincial standards for privacy, security, accessibility, and functionality.

Privacy Impact Assessments (PIAs) must be refreshed every three years or when there has been a material change to the solution, legislation, policy, or business operations that may have an impact on privacy of health information or to privacy rights. Ontario Health collects PIA Summaries and not the full PIA. SOC 2 Type 2 audits must be refreshed annually. ISO 27001 certification is required to be refreshed every three years, OMD Certification every two years, and HiTrust Certification every two years.

SOC 2 Type 2 audits must be refreshed annually. ISO 27001 certification is required to be refreshed every three years, OMD Certification every two years, and HiTrust Certification every two years.

No. Mitigation timelines depend on the risk level:

• High risks must be fully mitigated by the date of submission.
• Risk identified as medium must have a clear mitigation plan with timelines for closure within six (6) months of the date the privacy or security assessment, audit, or certification was submitted.
• Low risks may be mitigated at the Solution Provider’s discretion.

The effective date of the privacy or security assessment is the date on which each assessment is finalized. Ontario Health uses these effective dates to monitor risk remediation and compliance timelines.

The date of submission refers to the date the vendor submits its application for verification. At the time of submission, the privacy or security assessment must accurately reflect the current version of the solution being submitted for program consideration.

Yes, EMRs that have been certified by OntarioMD do need to become separately verified by Ontario Health. OntarioMD Certification meets requirement 2.3.8 (Security Controls Assurance).