Privacy and Security

Personal Health Information (PHI) is important and must be protected, both to comply with legislation and to ensure patient safety, trust, and a good clinical experience. When your health care provider sets up an eVisit appointment with you, you will receive an email appointment with the date, time, and other information. It is important that you understand the risks, eVisit's safeguards, email best practices, and general security best practices.

Understand the Risks of Using Email

Today, most emails you send are not encrypted and their security can never be 100% guaranteed. For example, if you use a popular web-based email app such as Gmail, those emails are not encrypted. As a result, email poses several risks. These risks include:

  • Email can be forwarded, intercepted, circulated, stored, or even changed without the knowledge or permission of the physician or the patient.
  • Email senders can easily make a mistake and use an incorrect email address, resulting in it being sent to unintended and unknown recipients.
  • Email is indelible. Even after the sender and recipient have deleted their copies of the email, back-up copies may exist on a computer or in cyberspace.
  • Emails may be subject to review by third parties (e.g., law enforcement), or in the context of an access request, litigation, or Privacy Commissioner or College investigation.
  • The email address that patients provide to their physicians (personal or business) carries with it certain risks as outlined below:
    • Personal - The content of personal emails sent to web mail addresses (e.g., Gmail, Yahoo, Microsoft Live Outlook) is routinely scanned by the web mail providers to enable targeted advertising to email users.
    • Business - A business email address is considered the “Property” of an Organization/Employer and is subject to review by them. When using an Employer’s or a third party’s email system (e.g., hospitals and clinics), these third parties might have the right to access the email communications.
  • Be aware that video visit emails are recorded and retained by Ontario Health (OTN) every time an email is sent, and that Ontario Health (OTN) may, in some instances, act as an Agent of the Member Organization or health care provider.

eVisit Email Safeguards

eVisit appointments are designed to minimize the risks of using email. The appointment email content has been carefully reviewed to ensure the privacy and security of the communications. Some of the email safeguards include:

  • eVisit appointment emails contain identifiable information (such as the physician’s name or contact phone number), which may be considered PHI in the context of a clinical event, only if the email recipient has consented to Personal Health Information (PHI) in eVisit appointment emails. If consent has been provided, the following information appears in eVisit emails:
    • Patient’s first and last names
    • Doctor’s name
    • Doctor’s administrative contact phone number
  • When a health care provider sets up an eVisit appointment, they are asked to confirm the recipient’s name and email address before they can send the email.
  • PIN information is never included in the email notification for clinical events. (This means that an intercepted email will not include enough information for a third party to join an event protected by a PIN.) The videoconference organizer can provide the PIN to an invitee during their initial consultation or over the phone.

Best Practices when receiving your appointment email

  • Do not share the appointment email, videoconference link (URL), or PIN with anyone.
  • Enter a name when you log in so that other participants know that you have joined the videoconference and they will see a meaningful label with your video image.
  • When receiving an email invite, make sure that it originates from the following address: do-not-reply-otninvite@otn.ca
  • Do not open any attachments. A videoconference email appointment from Ontario Health (OTN) will never contain attachments. If an attachment is present in the email, it is most likely spoofed and did not come from Ontario Health (OTN).
  • Do not reply to the appointment email. The email will never ask you to disclose any personal or sensitive information.
  • Before clicking on the provided videoconference link, make sure to read the target address by moving your mouse cursor over the link. If it is not pointing to an 'otn.ca' website, do not click on the link.
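
The sender, attachment, and link checks in the list above can also be applied automatically, for example by a mail filter. The sketch below is an added example, not Ontario Health (OTN) code: the function names, the sample messages, and the decision to accept subdomains of otn.ca are assumptions. A matching From address is necessary but not sufficient, because the From header can be forged.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED_SENDER = "do-not-reply-otninvite@otn.ca"  # sender address stated on this page
TRUSTED_DOMAIN = "otn.ca"  # assumption: subdomains of otn.ca also count as 'otn.ca' sites

class LinkCollector(HTMLParser):
    """Collect href targets: where a link really goes, not the text it displays."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def host_is_trusted(url):
    # Compare the parsed hostname, never a substring of the whole URL.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)

def check_invite(raw_bytes):
    """Return a list of findings; an empty list means all three checks passed."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    # parseaddr ignores the display name, which a sender can set to anything.
    if parseaddr(str(msg.get("From", "")))[1].lower() != EXPECTED_SENDER:
        findings.append("unexpected sender")
    if next(msg.iter_attachments(), None) is not None:
        findings.append("has attachment")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        findings += ["untrusted link: " + h for h in collector.hrefs if not host_is_trusted(h)]
    return findings

def build_sample(sender, href, attach=False):
    """Constructed sample invite for the demo, not a real Ontario Health (OTN) email."""
    m = EmailMessage()
    m["From"] = sender
    m.set_content('<a href="%s">Join your video visit</a>' % href, subtype="html")
    if attach:
        m.add_attachment(b"sample", maintype="application", subtype="octet-stream", filename="invite.bin")
    return m.as_bytes()
```
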

Best Practices when using your computer, videoconferencing, and emailing

  • Before sending an email, check the recipient’s address for accuracy and any spelling mistakes. This will ensure that the email is sent to the intended recipient.
  • Be aware of your surroundings. Never use eVisit or virtual care technology in a public or unsecured environment (e.g., an airport, internet café, or open area).
  • Be mindful of the prevalence of malware and malicious applications. Ensure your computer is secure with anti-spyware, anti-virus protection, and an auto-lock screen saver.
  • Do not use the “Remember Me” function on a login page. (Clear your username and password when you sign out.)
  • Ensure your computer (desktop, laptop, tablet, or phone) is password protected and follow these best practices around password use:
    • Change passwords regularly (e.g., every six months).
    • Do not share your credentials (i.e., User ID and password) with anyone, including trusted colleagues, family members, or support technicians.
    • Do not write down your password and then store it where it is easy to find.
    • Do not use the same password for all applications. Passwords used to access confidential information require stronger protection and hence should not be used on potentially unsecured sites where they can be stolen.