skip to main content

Privacy & Security Training

Frequently Asked Questions

1. Who can take OMD's online privacy and security training?

OMD's online Privacy and Security Training Module is open to all Ontario physicians, existing OntarioMD.ca users, as well as other clinicians and practice staff. The OMD Virtual Care Privacy and Security Training Module is open to all Ontario family physicians, specialists, nurse practitioners, nurses, office managers / executive directors, non-IT administrative staff, IT administrative staff, clinic managers, dieticians, mental health/social workers, pharmacists, and other allied health professionals. 

2. Can my staff do the training on my behalf?

No, your staff cannot do the training on your behalf. Every user must complete the training on their own. To receive Continuing Medical Education (CME) credits from the College of Family Physicians of Canada or the Royal College of Physicians and Surgeons of Canada for completing the OMD Privacy and Security Training Module and/or the OMD Virtual Care Privacy and Security Training Module, it is mandatory for physicians to complete the training themselves. Each physician user must register for an account with OntarioMD.ca using their own email address to access the online training modules. Multiple users cannot access the training module using the same email address or account. Other clinician users must register for an account on OntarioMD.ca specifically for access to the OMD Virtual Care Privacy and Security Training Module.

3. Why do I need to take privacy and security training?

Privacy and security training for clinicians is a critical obligation inherent in the accountability that Health Information Custodians have with respect to the appropriate collection, viewing, use, disclosure and safeguarding of personal health information (PHI). Educating yourself and your staff enables you to comply with regulatory frameworks. Privacy and security training is also recommended to access provincial digital health assets such as the provincial Clinical Viewers, Health Report Manager (HRM®), eNotifications, Insights4Care Dashboard, Ontario Laboratories Information System (OLIS) and any future digital health assets as they become available and may become a mandatory requirement for access in the future. 

4. What does the training cover?

The OMD Privacy and Security Training Module covers:

  • the importance of privacy and security, and your legal and professional obligations
  • PHI and ownership of medical records
  • Ontario's EHR systems and your obligations as a user of such systems
  • consent and consent directives 
  • ways to safeguard PHI 
  • developing acceptable use policies
  • system and network controls that must be in place before you access EHR systems
  • how to manage relationships with electronic service providers
  • identifying and appropriately responding to privacy breaches and security incidents

The OMD Virtual Care Privacy and Security Training Module covers:

  • technology and patient information management
  • the importance of privacy and security, and your legal and professional obligations when using virtual care tools
  • consent and privacy policies
  • protocols for virtual visits and prescriptions
  • ways to safeguard PHI for virtual encounters

5. How long does the training module take to complete? 

On average, the Privacy and Security training Module takes about 45 minutes to complete while the Virtual Care Privacy and Security Training Module takes between 25 to 30 minutes to complete. If you are unable to complete a module in one session, you can log out and log back in to resume the training from where you left off.

6. What score do I need to pass the test at the end of the training modules to receive the certificates of completion? 

To be issued a certificate of completion upon completion of the Privacy and Security Training Modules, a minimum score of 80% must be achieved for the Privacy and Security module, however, the virtual care module is unscored. The test can be taken repeatedly until a passing grade has been achieved. 

7. How often should I take the training?

OMD recommends that all Ontario physicians, nurse practitioners, nurses, office managers/executive directors, non-IT administrative staff, IT administrative staff, dieticians, mental health/social workers, pharmacists, and other allied health professionals take the training at least once a year or whenever you feel you could use a reminder of the concepts and best practices covered in the Privacy and Security and Virtual Care Training Modules. Annual training ensures that you are educated on your obligations under current legislation, as well as on the most current best practices to protect your practice against privacy breaches and security incidents and new digital health tools such as those used to provide virtual care.

8. Can family physicians claim CME credits for completing the training module?

Yes, this Self-Learning program has been certified by the College of Family Physicians of Canada's Ontario Chapter for up to 2 Mainpro+ credits for each module. The CFPC login page can be accessed here.

9. Can I claim credit(s) from the Royal College of Physicians and Surgeons of Canada under the Maintenance of Certification Program?

Yes, these modules can be claimed for credit(s) under the Royal College Maintenance of Certification (MOC) Program as a Section 2: Personal Learning Project for 2 credits/hour for each module. To claim the credit(s), you must record the activity in your MAINPORT ePortfolio and complete at least one learning outcome. The Royal College login page can be accessed here.

 

Frequently Asked Questions – Virtual Care Privacy and Security

The following Frequently Asked Questions are intended to help clinicians understand the regulatory concepts, including privacy law, professional requirements, and practical considerations relevant to virtual care settings.

They are not meant to be construed as legal advice, nor do they address all matters pertaining to privacy and the confidentiality of personal health information.

Physicians should seek advice from the College of Physicians and Surgeons of Ontario (CPSO), the Canadian Medical Protective Association (CMPA), their legal counsel, or the Information and Privacy Commissioner of Ontario if they are uncertain about how to interpret the legal requirements of PHIPA in relation to virtual care.

1. What is a virtual visit tool?

There are many virtual tools that can be used to help you complement in-person care.

Any direct-to-patient telephone service, or secure end-to-end encrypted telemedicine and video calling platform can now be used and the work is remunerated with fee codes. This allows rapid and wide scaling of care that works best in your area. When choosing a platform/method through which to provide virtual care, consider how easy the technology is for you to use, how easy it is for patients to use, how the technology works to keep patient information private and secure, and that you must keep medical records as you have done for in-person care. Additional technical guidance may be provided by the Ministry of Health or Ontario Health to inform technology selection. Consider the right type of contact, for the right patient, at the right time, for the right problem. Video conferencing and phone calls are billable under the new fee codes, but email and texts to patients may also be useful to support care, even if not discretely funded.

2. What is the right or most appropriate time to use virtual care tools?

Virtual care has become an accepted way to deliver care to patients efficiently and effectively when in-person visits are not advisable. Virtual care is just care: the same standard of practice applies as for an in-person visit.

3. What are the roles and responsibilities in practice regarding privacy obligations for a virtual visit?

It is required that you identify a Privacy Officer/Designate in your organization/practice who will assume accountability for information on privacy and confidentiality requirements. A Privacy Officer/Designate does not need to be a legal authority or a third party, but they must have completed privacy and security training and understand PHIPA. In a solo practice environment, the practitioner is the person accountable for privacy and security and therefore, typically becomes the 'Privacy Designate'.

Q: What is PHIPA?

A:  The Personal Health Information Protection Act, 2004 (PHIPA) is the health-specific privacy legislation in Ontario. PHIPA governs the manner in which personal health information (PHI) may be collected, used and disclosed within the health care system, as well as its secure retention, transfer and disposal. The legislation also regulates individuals and organizations that receive PHI from health care providers. It further provides individuals with a right to access their records of PHI and to request that corrections or amendments be made.



4. What are some practical considerations for accountability when entering a virtual encounter?

Virtual care requires additional considerations for privacy from the traditional in-person physician-patient interaction. Health care providers must take reasonable steps to ensure that the hardware and software used is functioning properly and securely. Patients should be advised of possible limitations of their electronic devices, and the potential for breach of their information through hacking or malfunctions of technology.

Practical considerations for accountability when you enter into a virtual encounter:

  • Did you confirm your own identity to the patient, and the identity of the patient to ensure the information you share is protected?
  • Consider your physical setting and your patient's physical setting: are they able to have a private conversation with you?
  • Did you take reasonable steps to confirm that the technology and setting (from both yours and the patient's perspective) allows you to exchange PHI in a private and secure manner?
  • Do the technology platform and the device being used by the patient allow them to discuss and demonstrate their medical concerns safely and effectively?