Internet - Video-conferencing. Doxy.Me Inc. v. Ontario Health et al.
In Doxy.Me Inc. v. Ontario Health et al. (Ont Div Ct, 2026) the Ontario Divisional Court dismissed a JR brought against "Ontario Health’s refusal to verify that its video service complies with required standards. The result of Ontario Health’s decisions is that Doxy’s physician clients are not entitled to receive payment from the Ontario Health Insurance Plan (“OHIP”) for any services rendered through its videoconferencing platform."
Here the court considers whether privacy standards adopted for use in OHIP-approved medical videoconferencing were ultra vires the Connecting Care Act, 2019:
ISSUE #3: IS THE DATA RESIDENCY REQUIREMENT IN THE VVV STANDARD ADOPTED BY ONTARIO HEALTH ULTRA VIRES?
[43] As noted earlier, in 2020, Ontario Health adopted the VVV Standard. This policy contains a data residency requirement, found in section 2.3.14 of the VVV Standard. In order to be verified by Ontario Health as a virtual visit solution it is required to demonstrate that “… all personal health information as defined in PHIPA is held by systems located in Canada”.
Is the Data Residency Requirement Consistent with the Objectives of the CCA?
[44] Doxy submits that the Data Residency Requirement of the VVV Standard bears no connection to the statutory objectives of the Connecting Care Act, 2019, S.O. 2019, c. 5, Sched.1 (the “CCA”). Doxy submits that this requirement is based on the assumption that the patient data located in Canada is more secure than data located in the United States. Given that the U.S. law provides for robust protection for personal health information, as a matter of technical security, data hosted in the United States is at least as secure as data hosted in Canada.
[45] I disagree that the Data Residency Requirement bears no connection to the objective of the CCA. The preamble to the CCA expresses the Legislature’s intention to create a single provincial agency (now called Ontario Health) that would oversee the development of a “digitally-enabled, publicly funded health care system” that would “put each patient at the centre of a connected care system anchored in the community”.
[46] The objectives of Ontario Health include:
3. Developing or adopting standards respecting digital health products and digital health services and the suppliers of such products and services.
4. Certifying products, services and suppliers in accordance with the standards developed or adopted pursuant to paragraph 3: See Ontario Regulation 376/19, s. 1(1).
[47] Given the provisions described above, the data residency requirement found in the VVV Standard is consistent with the CCA and its objects and is specifically supported by the intention that the community care system be “anchored in the community”.
Is the Data Residency Requirement Arbitrary or Does It Conflict with the Broader Legislative Context?
[48] Doxy further submits that the Data Residency Requirement conflicts with the broader legislative context in that the PHIPA imposes extensive obligations on the custodians of personal health information but does not impose a data residency requirement that prohibits the storage of personal health information outside of Ontario. Doxy submits that this leads to absurd consequences as highly sensitive personal health information, such as patient diagnostics, treatment plans, and clinical photos, may be stored on servers in the U.S.A., however the Data Residency Requirement under the VVV Standard applies to far less sensitive information retained by virtual care solutions such as call metadata. As a result, less sensitive data is subject to greater restrictions under the VVV Standard than higher sensitive data under the PHIPA.
[49] Doxy further submits that there is no rational basis for the Data Residency Requirement found in the VVV Standard and Regulation 552 on the grounds that the Data Residency Requirement is not logically connected to the protection of personal health information. In this respect, Doxy relies on Dr. Cavoukian’s opinion that identified three rationales for the Data Residency Requirement were misplaced. She stated that these rationales were: 1) a concern that foreign jurisdictions will lack adequate privacy protections; 2) a concern over foreign government surveillance; and 3) a concern that enforcement of Canadian privacy laws would be more difficult for data held outside of Canada.
[50] As stated in Auer, at para. 33:
... a vires review does not involve assessing the policy merits of the subordinate legislation to determine whether it is “necessary, wise, or effective in practice”.
[51] The grounds advanced by Doxy challenge the necessity, wisdom and effectiveness of the Data Residency Requirement. I agree with the respondents’ view that the PHIPA does not limit Ontario Health’s authority to impose the Data Residency Requirement in the VVV Standard. Although PHIPA is aimed at protecting privacy, the protection of personal health information does not need to be uniform in different contexts. The VVV Standard was specifically designed in part to protect privacy and security. While the VVV Standard may impose stricter standards than PHIPA, it was open to Ontario Health to adopt a VVV Standard that imposes more stringent requirements on the storage of personal health information gathered on a virtual visit than for other visits with a physician. The policy merits of its doing so are not open to challenge.
Doxy.Me Inc. v. Ontario Health et al.
Here the court illustrates a dispute where some internet video services were denied coverage under the OHIP Schedule of Benefits:
[4] Since December 1, 2022, the Schedule of Benefits has provided that a virtual visit with a physician will only be eligible for reimbursement if the physician uses a videoconference service that is a “Verified Virtual Visit Solution”. Ontario Health, a Crown Agency, under the Connecting Care Act, 2019, S.O. 2019, c. 5, Sched. 1, which is accountable to, and funded by, the Minister, determines whether a videoconference service (also referred to as a “virtual visit solution”) is a “Verified Virtual Visit Solution” based on whether the videoconference service meets the requirements described in its Virtual Visits Solution Requirements document (the “VVV Standard”). The purpose of the VVV Standard is to ensure that the videoconference service used by a physician is a service that is private, secure, and interoperable with other healthcare technologies. The most significant requirement, at least for purposes of this case, is the requirement under s. 2.3.14 of the VVV Standard that all PHI be held by systems located in Canada.
[5] In September 2022, Doxy applied to Ontario Health to have its videoconference service approved as a Verified Virtual Visit Solution. In November 2022, Ontario Health notified Doxy that its videoconference service may be collecting and using personal health information and, if it wished its service “verified”, then it would need to migrate to a Canadian cloud service provider to ensure that all such information was processed, handled, accessed and stored within Canada at all times.
[6] In December 2022, Doxy submitted that its videoconference service did not collect and store information that could be used to identify patients and thus it did not collect and store personal health information. In January 2023, Ontario Health notified Doxy that it maintained the view that its videoconference service collects “personal health information” within the meaning of the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A (“PHIPA”). Later that month, Doxy notified Ontario Health that it was being unfairly prevented from entering the Canadian market as it believed that Doxy had demonstrated compliance with the VVV Standard. On December 8, 2023, Ontario Health repeated its position that “… the minimum data elements required to be retained under section 5.1 [of the VVV Standard] constitute personal health information” and therefore must be held on a system that is located in Canada.
[7] Doxy submits that the data residency requirement found in the VVV Standard and Regulation 552, to the extent that it incorporates the data residency requirement in the Schedule of Benefits (“Data Residency Requirement”) which provides that video services are only eligible for payment when performed using a verified video service delivery platform approved by Ontario Health, should be quashed on the basis that it is ultra vires on various grounds including that the Data Residency Requirement exceeds the statutory purpose of the HIA.
[8] Doxy further submits that Ontario Health’s repeated refusal to approve its videoconference service as a Verified Virtual Visit Solution under the VVV Standard is unreasonable as it is: (a) based on a flawed interpretation of “personal health information”; and (b) inconsistent with Ontario Health’s approval of other similar videoconference services. Doxy seeks an order quashing Ontario Health’s decisions to refuse to approve its videoconference service as a Verified Virtual Visit Solution and an order remitting this matter to Ontario Health for reconsideration.
....
BACKGROUND
[11] In 2019, the predecessor of Ontario Health began the development of the Virtual Visits Verification Program (“VVVP”). The VVVP aimed to facilitate the procurement of virtual care solutions by healthcare providers. It provided a set of minimum standards that address technology, privacy, security and functionality for virtual visit platforms.
[12] In March 2020, following the outbreak of COVID-19, and the explosion in demand for virtual care, the Schedule of Benefits was amended to include temporary billing codes allowing physicians to bill OHIP for virtual visits, with no restrictions on what virtual care solutions they used. During this period, Doxy developed a significant user base among Ontario physicians.
VVV Standard
[13] On November 30, 2020, Ontario Health adopted the VVV Standard. To receive verified status from Ontario Health, a virtual visit platform must comply with the VVV Standard. The current iteration of the VVV Standard is Version 2.0, dated October 2022.
[14] The VVV Standard states, at page 6:
The purpose of the Virtual Visits Verification Program is to support health service providers to select solutions that are designed to support safe, privacy and security enhanced virtual visits with patients and to advance interoperable health information exchange in alignment with the Digital Health Information Exchange Standard.
Doxy’s 2022 Application for Verified Virtual Visit Solution Status
[15] On September 30, 2022, Doxy applied for verified virtual visit solution status and attested that its platform satisfied all mandatory requirements in the VVV Standard. Doxy’s web-based videoconference service is hosted at Amazon Web Services in Virginia, and it has no Canadian data centres.
First Remediation Notice
[16] On November 21, 2022, Ontario Health notified Doxy that it had determined that its service collected personal health information and, as a result, Doxy would have to use a Canadian cloud service provider and ensure that all personal health information was processed, handled, accessed and stored within Canada at all times.
[17] On December 2, 2022, Doxy responded that its solution was designed to not collect PHI as the solution does not collect identifying information about an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized to identify an individual. In particular, Doxy said that its solution was designed to not collect and store information that could be used to identify patients, as follows:
We do not deny that we collect information about the patient. But out of respect for patient privacy, we (1) do not collect any information that can be reasonably used to identify the patient and (2) only collect the minimum necessary to run and optimize our application. We strongly assert that the information we collect is neither identifiable nor related to their health. From our conversations with Ontario Health, the biggest issues were related to the following:
Event data: For every call we track anonymous system event data for each session to create an electronic audit trail of all virtual visit encounters, meeting history for providers, and to help optimize the performance of the system. However, Ontario Health has reviewed Events Collected by doxy.me and determined that it constitutes PHI. Specifically, the events Ontario Health considered to be potentially identifiable are (with sample data):
● Unique ID event (ajs-159d4a789e4f8e28c69b 08df0c6fec)
● Time stamp (2021-08-01 4:44:09)
● Name of event (CHECKIN_COMPLETED)
● Web browser version (106)
● Operating system (ios)
● Mobile or desktop or tablet (mobile)
● Client model (LM-K920)
● Unique ID assigned by Vonage (...)
● Internet service provider used (Spectrum)
As seen in the sample data, it is simply not possible to identify an individual using anonymous event data. Furthermore, the de-identified event data is secured using industry standard encryption, on a secured server, and not publicly accessible outside of doxy.me. We do not have access to the underlying algorithms to create the IDs. We also do not have access to outside information that could be used to re-identify patients in our system. It is not “reasonably foreseeable in the circumstances” to combine this data with other information to identify the patient and therefore, should not be considered PHI.
IP address: An IP by itself is not identifiable. Every IT system on the internet uses IP addresses. They are stored and logged everywhere. In all sorts of systems. IP only becomes identifiable in combination with a corresponding physical address, name, or contact information, which is only available to Ontario Internet Service Providers (ISP).
We are unable to identify the patient by combining the IP address with other information available to us. Further, we have no intention to seek that information, and even if we did, the ISP would not disclose that information to us. We don’t make the IP address available publicly. The information is encrypted and stored using industry-leading security protections, and only accessible to specific doxy.me employees who have been vetted, trained, and bound by employment contracts to keep data they have access to private and secure.
Since we do not have the ability to combine the IP address with other information needed to identify someone, nor is it “reasonably foreseeable in the circumstances”, the IP address does not meet the PHIPA definition of PHI in this context.
Free text responses: Ontario Health’s determination that free-form survey data about the call quality is PHI because it could inadvertently contain PHI is unsubstantiated. We conducted an analysis of the 732 rating with written comments from patients in Ontario, there were exactly zero (0/732; 0.00%) responses that contained patient identifiers or health information. This is consistent with all the free-text responses we’ve ever received from the survey. Thus, since our data shows that no PHI has ever been entered, we can reasonably foresee that free-text responses are unlikely to contain PHI, and should not be treated as such. The unanimous conclusion of our experienced internal and external privacy and security experts is straightforward: without access to other information that is needed in combination to re-identify the data doxy.me has, it is NOT reasonably foreseeable in the circumstances that the information can be re-identified, so it does not meet the PHIPA definition of PHI.
Should Ontario Health continue to insist that this information is PHI, we are simply unable to accommodate this data being stored on Canadian servers at this time. Since we don’t consider our data identifiable, we’ve designed our application to run seamlessly across jurisdictions. Requiring territorial boundaries to our data would require a complete overhaul to our system architecture, which would take years on our current roadmap.
As a result, our only option to comply is to delete the offending data, such as IP address and free text responses, within 30 days of receiving it. This is not an ideal option because it impacts the quality of the service that we provide to Ontario providers and their patients. Certain features that providers currently enjoy may no longer be available to them as a result. Meeting history, provider analytics, and meeting audits will be impacted. We won’t be able to assist your or law enforcement’s investigations, should you or they have a need.
Also, given the additional administrative burden of deleting records, we may no longer be able to provide a free telemedicine service to all Ontario providers (since we don’t know who is or isn’t seeking reimbursement from Ontario Health and need to treat everyone the same). Regrettably, if this option is not permitted by Ontario Health, then the 15,629 clinicians and their 578,053 unique patients (since October 2021) who use doxy.me will be negatively impacted. These are avoidable and unnecessary consequences, and do not align with our mission to make telemedicine available to all.
In the effort to comply with Ontario Health Verified Virtual Health Standard, we resubmit our application to be reviewed with additional clarification about how these data elements should not be considered PHI, and if they continue to be then we will delete them within 30 days. We affirm that doxy.me meets all mandatory requirements as detailed in the standard, we are including an up-to-date Privacy Impact Assessment and Threat Risk Assessment summaries, and look forward to complete scenario-based validation testing of doxy.me against mandatory requirements and submit substantiation materials within 12 months to demonstrate the information we have is not PHI. [Bold in original. Underlining added]
Second Remediation Notice
[18] On January 3, 2023, Ontario Health issued a second remediation notice:
Ontario Health has determined that Doxy will be required, should you wish to become verified, to remediate and to re-submit once remediation is complete. …
In summary, Ontario Health has determined that Doxy collects PHI as defined in Ontario’s privacy law (PHIPA) on the basis that Doxy collects information about both patients and health care providers. As referenced on Doxy’s website, information collected, be it mandatory or optional, includes data elements that Ontario Health deems to constitute PHI, including email address, first name and last name, mobile number, and health care provider name and specialty. In addition, the copy of events collected file that Doxy provided to Ontario Health includes identifying information that would constitute PHI under PHIPA: TIMESTAMP, ID, ANONYMOUS_ID, ORIGINAL_TIMESTAMP, USER_ID, CITY, COUNTRY, CONTEXT_IP.
[19] By letter dated April 3, 2023, from Ontario Health to the Ministry of Health, Ontario characterized the above remediation notice as a “final Remediation Notice”.
[20] On January 30, 2023, Doxy notified Ontario Health that it was its view that “… there is bias against Doxy.me and you will next be contacted by the U.S. Department of Commerce and our attorney. We believe that OH is preventing an American company from fairly entering a Canadian market after demonstrating compliance.”
[21] In a letter dated April 3, 2023, counsel for Doxy wrote to provide assurance as to the outstanding requirements for the company to obtain verification. The letter states:
....
The company does not “hold” personal health information in any system in any jurisdiction because its solution has been designed for the highest level of privacy protection. Doxy.me does not require patients to have accounts, provide for a patient medical record, facilitate appointment bookings or feature any other services that would frustrate the company’s data minimization objective. Based on its discussions with Ontario Health, Doxy.me has decided to no longer retain patient IP addresses in its event record. This mitigates the risk of indirect identification. …
As the parties have discussed, patients engaged in a session may enter their name so it is revealed to their provider. The company does not retain this information. The parties have also discussed the possibility that patients will provide identifying information in the free text field the company provides to elicit feedback on video quality. As the company has conveyed, it analyzed 732 comments from patients of Ontario and zero (0/732; 0.00%) contained identifying information. ....
[22] On June 20, 2023, Ontario Health responded:
The Virtual Visits Verification Program received your letter dated April 3, 2023 which advised that your firm was retained by Doxy to assist with its application to the Program. As you know, the Program has determined that Doxy cannot be listed as verified under the Program until Doxy meets the mandatory Program requirements or Doxy undertakes an acceptable remediation plan. ...
Key actions that are required for Doxy to successfully complete the verification process include: (i) establishment of Canadian data residency, and (ii) performance of a privacy impact assessment that reflects Doxy has established Canadian data residency and that is appropriate to the Ontario Health privacy context. With respect to Doxy’s attestation letter dated December 12, 2022 the Program notes that the attestation letter was modified extensively from the original prescribed form. Adherence to that form is also required for the purposes of the annual re-attestation requirement, as noted in the Program terms and conditions.
Doxy will not be listed as a verified solution on the Ontario Health Virtual Visits Verification Program website unless and until the verification process is successfully completed. Pending that listing, Doxy’s physician customers are not eligible to bill OHIP for virtual visits using Doxy’s platform.
[23] In a letter to counsel for Ontario Health dated September 6, 2023, counsel for Doxy argued that the VVV Standard was ultra vires, a global outlier in imposing these restrictions, unreasonable, and had applied these requirements inconsistently. Counsel stated:
... .
The purpose of the Connecting Care Act, 2019 is to promote patient care. The data localization requirements in the VVV Standard do not advance any patient care objective; in fact, excluding companies like Doxy.me from OHIP coverage undermines patient care, in a world where access to such services is in high demand and patient choices are limited. ...
In fact, Ontario Health has not applied the VVV Standard consistently. As outlined in the April 3, 2023 letter (at pp. 7-8 and Appendix A), many verified and validated providers already make use of US-based service providers. It is arbitrary and unreasonable to effectively penalize Doxy.me for doing the same thing. As the Supreme Court held in Vavilov at para. 131, “[w]here a decision maker does depart from longstanding practices or established internal authority, it bears the justificatory burden of explaining that departure in its reasons. If the decision maker does not satisfy this burden, the decision will be unreasonable”. Here, Ontario Health has not provided any explanation at all for the differential treatment of Doxy.me.
Finally, Ontario is an outlier in imposing these restrictions. Doxy.me is a global leader in telemedicine, with over 200,000 clinician users around the world. Ontario is the only jurisdiction that has limited access to its platform based on data localization rules. …
[24] On October 13, 2023, counsel for Ontario Health responded to counsel for Doxy as follows:
The issues raised in your letters have been canvassed previously by our clients. The most significant point of departure is whether the information that Doxy.me is required to retain (pursuant to ss. 2.1.3, 2.3.4 and 5.1 of the VVV Standard) is Personal Health Information (“PHI”). Contrary to your assertion otherwise, for the reasons set out in Mr. Himmel’s email dated November 21, 2022, and letters dated January 3, 2023 and January 27, 2023, such information is PHI. Consequently, pursuant to 2.3.14 of the VVV Standard, such information must be held in systems located in Canada. We have enclosed a table that refers to the sections of the VVV Standard that the parties have been discussing, our understanding of Doxy.me’s position, and Ontario Health’s response.
Needless to say, we do not agree that Ontario Health has applied the VVV Standard in an “unreasonably rigid manner”. Ontario Health has applied the VVV Standard pursuant to its express terms and consistent with the purpose of the Virtual Visits Verification Program: “to support health service providers to select solutions that are designed to support safe, privacy and security enhanced virtual visits with patients …” As a point of clarification, Ontario Health does not have the “statutory power to determine which solutions are eligible for OHIP reimbursement”; the services eligible for OHIP reimbursement are prescribed by the Ministry of Health under the Health Insurance Act.
We also do not agree that the VVV Standard is ultra vires or unreasonable. Ontario Health has broad objects and powers pursuant to section 6 of the Continuing Care Act, 2019. Those objects include, among others, “developing or adopting standards respecting digital health services and the suppliers of such products and services” and “certifying products, services and suppliers in accordance with the standards developed or adopted …”. The VVV Standard is plainly within the statutory authority of Ontario Health. [Footnotes omitted]
[25] On December 8, 2023, following a meeting between the parties that took place about one month earlier, counsel for Ontario Health reiterated its view that the minimum data elements required to be retained under section 5.1 of the VVV Standard constitute personal health information.
....
CONCLUSIONS
[91] This application for judicial review is dismissed since, according to the analysis set out above, Ontario Health was entitled to find Doxy did not satisfy s. 2.1.4 and s. 2.3.7 of the VVV Standard. However, any further submission by Doxy for verification of its virtual solution must be considered in light of the finding that Ontario Health’s conclusion that Doxy holds personal health information was unreasonable.