Court File and Parties
DIVISIONAL COURT FILE NO.: 26/24
ONTARIO SUPERIOR COURT OF JUSTICE DIVISIONAL COURT
FAIETA, SHORE, O’BRIEN JJ.
BETWEEN:
DOXY.ME INC.
Applicant
– and –
ONTARIO HEALTH, ONTARIO (MINISTER OF HEALTH AND LONG-TERM CARE) AND ONTARIO (LIEUTENANT GOVERNOR IN COUNCIL)
Respondents
COUNSEL:
Justin Safayeni and Stephen Aylward, for the Applicant
Thomas Lipton and Matthew Chung, for the Respondents
HEARD: April 3, 2025
REASONS FOR DECISION
FAIETA J.
1The applicant, Doxy.me (“Doxy”) is an American web-based videoconference provider that is used by over one million physicians in many countries, including Canada, to conduct virtual consultations with patients. Its videoconference service is hosted on a cloud service network that is located in the United States. In this application for judicial review, Doxy challenges Ontario Health’s refusal to verify that its video service complies with required standards. The result of Ontario Health’s decisions is that Doxy’s physician clients are not entitled to receive payment from the Ontario Health Insurance Plan (“OHIP”) for any services rendered through its videoconferencing platform.
2Under s. 2(1) of the Health Insurance Act, R.S.O. 1990, c. H.6, (the “HIA”) the respondent Minister of Health and Long-Term Care is responsible for the administration and operation of OHIP, which provides insurance against the costs of insured services to all residents of Ontario.1 Under s. 45(1)(e) of the HIA, the respondent Lieutenant Governor in Council has the authority to make regulations governing insured services, including specifying those services that are not insured services.
3Under s. 37.1(1) of Ontario Regulation 552 a service rendered by a physician is an insured service if amongst other things "… the service is referred to in the schedule of benefits and rendered in such circumstances or under such conditions as may be specified in the schedule of benefits”. Under s. 1(1) of Regulation 552, “schedule of benefits” means the document published by the Ministry of Health and Long-Term Care entitled “Schedule of Benefits – Physician Services under the Health Insurance Act …” and includes amendments made to the document.
4Since December 1, 2022, the Schedule of Benefits has provided that a virtual visit with a physician will only be eligible for reimbursement if the physician uses a videoconference service that is a “Verified Virtual Visit Solution”. Ontario Health, a Crown Agency, under the Connecting Care Act, 2019, S.O. 2019, c. 5, Sched. 1, which is accountable to, and funded by, the Minister, determines whether a videoconference service (also referred to as a “virtual visit solution”) is a “Verified Virtual Visit Solution” based on whether the videoconference service meets the requirements described in its Virtual Visits Solution Requirements document (the “VVV Standard”). The purpose of the VVV Standard is to ensure that the videoconference service used by a physician is a service that is private, secure, and interoperable with other healthcare technologies. The most significant requirement, at least for purposes of this case, is the requirement under s. 2.3.14 of the VVV Standard that all PHI be held by systems located in Canada.
5In September 2022, Doxy applied to Ontario Health to have its videoconference service approved as a Verified Virtual Visit Solution. In November 2022, Ontario Health notified Doxy that its videoconference service may be collecting and using personal health information and, if it wished its service “verified”, then it would need to migrate to a Canadian cloud service provider to ensure that all such information was processed, handled, accessed and stored within Canada at all times.
6In December 2022, Doxy submitted that its videoconference service did not collect and store information that could be used to identify patients and thus it did not collect and store personal health information. In January 2023, Ontario Health notified Doxy that it maintained the view that its videoconference service collects “personal health information” within the meaning of the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A (“PHIPA”). Later that month, Doxy notified Ontario Health that it was being unfairly prevented from entering the Canadian market as it believed that Doxy had demonstrated compliance with the VVV Standard. On December 8, 2023, Ontario Health repeated its position that “… the minimum data elements required to be retained under section 5.1 [of the VVV Standard] constitute personal health information” and therefore must be held on a system that is located in Canada.
7Doxy submits that the data residency requirement found in the VVV Standard and Regulation 552, to the extent that it incorporates the data residency requirement in the Schedule of Benefits (“Data Residency Requirement”) which provides that that video services are only eligible for payment when performed using a verified video service delivery platform approved by Ontario Health, should be quashed on the basis that it is ultra vires on various grounds including that the Data Residency Requirement exceeds the statutory purpose of the HIA.
8Doxy further submits that Ontario Health’s repeated refusal to approve its videoconference service as a Verified Virtual Visit Solution under the VVV Standard is unreasonable as it is: (a) based on a flawed interpretation of “personal health information”; and (b) inconsistent with Ontario Health’s approval of other similar videoconference services. Doxy seeks an order quashing Ontario Health’s decisions to refuse to approve its videoconference service as a Verified Virtual Visit Solution and an order remitting this matter to Ontario Health for reconsideration.
9Doxy also seeks an order admitting the affidavit of Dr. Ann Cavoukian, sworn August 19, 2024, which, amongst other things, opines that the rationale for the Data Residency Requirement is flawed.
10The respondents submit that Doxy’s application should be dismissed as premature as they assert that Doxy has not received a final decision and that Doxy’s entitlement to verified solution status is ongoing.
BACKGROUND
11In 2019, the predecessor of Ontario Health began the development of the Virtual Visits Verification Program (“VVVP”). The VVVP aimed to facilitate the procurement of virtual care solutions by healthcare providers. It provided a set of minimum standards that address technology, privacy, security and functionality for virtual visit platforms.
12In March 2020, following the outbreak of COVID-19, and the explosion in demand for virtual care, the Schedule of Benefits was amended to include temporary billing codes allowing physicians to bill OHIP for virtual visits, with no restrictions on what virtual care solutions they used. During this period, Doxy developed a significant user base among Ontario physicians.
VVV Standard
13On November 30, 2020, Ontario Health adopted the VVV Standard. To receive verified status from Ontario Health, a virtual visit platform must comply with the VVV Standard. The current iteration of the VVV Standard is Version 2.0, dated October 2022.
14The VVV Standard states, at page 6:
The purpose of the Virtual Visits Verification Program is to support health service providers to select solutions that are designed to support safe, privacy and security enhanced virtual visits with patients and to advance interoperable health information exchange in alignment with the Digital Health Information Exchange Standard.
Doxy’s 2022 Application for Verified Virtual Visit Solution Status
15On September 30, 2022, Doxy applied for verified virtual visit solution status and attested that its platform satisfied all mandatory requirements in the VVV Standard. Doxy’s web-based videoconference service is hosted at Amazon Web Services in Virginia, and it has no Canadian data centres.
First Remediation Notice
16On November 21, 2022, Ontario Health notified Doxy that it had determined that its service collected personal health information and, as a result, Doxy would have to use a Canadian cloud service provider and ensure that all personal health information was processed, handled, accessed and stored within Canada at all times.
17On December 2, 2022, Doxy responded that its solution was designed to not collect PHI as the solution does not collect identifying information about an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized to identify an individual. In particular, Doxy said that its solution was designed to not collect and store information that could be used to identify patients, as follows:
We do not deny that we collect information about the patient. But out of respect for patient privacy, we (1) do not collect any information that can be reasonably used to identify the patient and (2) only collect the minimum necessary to run and optimize our application. We strongly assert that the information we collect is neither identifiable nor related to their health. From our conversations with Ontario Health, the biggest issues were related to the following:
Event data: For every call we track anonymous system event data for each session to create an electronic audit trail of all virtual visit encounters, meeting history for providers, and to help optimize the performance of the system. However, Ontario Health has reviewed Events Collected by doxy.me and determined that it constitutes PHI. Specifically, the events Ontario Health considered to be potentially identifiable are (with sample data):
Unique ID event (ajs-159d4a789e4f8e28c69b 08df0c6fec)
Time stamp (2021-08-01 4:44:09)
Name of event (CHECKIN_COMPLETED)
Web browser version (106)
Operating system (ios)
Mobile or desktop or tablet (mobile)
Client model (LM-K920)
Unique ID assigned by Vonage (2_MX4zNjU5MTU3Mn5-MTYyOTg4NTgwODczOX5sTVZRTDZjT1VJMDFBWjcrc0FDU1hYc0J-UH4)
Internet service provider used (Spectrum)
As seen in the sample data, it is simply not possible to identify an individual using anonymous event data. Furthermore, the de-identified event data is secured using industry standard encryption, on a secured server, and not publicly accessible outside of doxy.me. We do not have access to the underlying algorithms to create the IDs. We also do not have access to outside information that could be used to re-identify patients in our system. It is not “reasonably foreseeable in the circumstances” to combine this data with other information to identify the patient and therefore, should not be considered PHI.
IP address: An IP by itself is not identifiable. Every IT system on the internet uses IP addresses. They are stored and logged everywhere. In all sorts of systems. IP only becomes identifiable in combination with a corresponding physical address, name, or contact information, which is only available to Ontario Internet Service Providers (ISP).
We are unable to identify the patient by combining the IP address with other information available to us. Further, we have no intention to seek that information, and even if we did, the ISP would not disclose that information to us. We don’t make the IP address available publicly. The information is encrypted and stored using industry-leading security protections, and only accessible to specific doxy.me employees who have been vetted, trained, and bound by employment contracts to keep data they have access to private and secure.
Since we do not have the ability to combine the IP address with other information needed to identify someone, nor is it “reasonably foreseeable in the circumstances”, the IP address does not meet the PHIPA definition of PHI in this context.
Free text responses: Ontario Health’s determination that free-form survey data about the call quality is PHI because it could inadvertently contain PHI is unsubstantiated. We conducted an analysis of the 732 rating with written comments from patients in Ontario, there were exactly zero (0/732; 0.00%) responses that contained patient identifiers or health information. This is consistent with all the free-text responses we’ve ever received from the survey. Thus, since our data shows that no PHI has ever been entered, we can reasonably foresee that free-text responses are unlikely to contain PHI, and should not be treated as such.
The unanimous conclusion of our experienced internal and external privacy and security experts is straightforward: without access to other information that is needed in combination to re-identify the data doxy.me has, it is NOT reasonably foreseeable in the circumstances that the information can be re-identified, so it does not meet the PHIPA definition of PHI.
Should Ontario Health continue to insist that this information is PHI, we are simply unable to accommodate this data being stored on Canadian servers at this time. Since we don’t consider our data identifiable, we’ve designed our application to run seamlessly across jurisdictions. Requiring territorial boundaries to our data would require a complete overhaul to our system architecture, which would take years on our current roadmap.
As a result, our only option to comply is to delete the offending data, such as IP address and free text responses, within 30 days of receiving it. This is not an ideal option because it impacts the quality of the service that we provide to Ontario providers and their patients. Certain features that providers currently enjoy may no longer be available to them as a result. Meeting history, provider analytics, and meeting audits will be impacted. We won’t be able to assist your or law enforcement’s investigations, should you or they have a need.
Also, given the additional administrative burden of deleting records, we may no longer be able to provide a free telemedicine service to all Ontario providers (since we don’t know who is or isn’t seeking reimbursement from Ontario Health and need to treat everyone the same). Regrettably, if this option is not permitted by Ontario Health, then the 15,629 clinicians and their 578,053 unique patients (since October 2021) who use doxy.me will be negatively impacted. These are avoidable and unnecessary consequences, and do not align with our mission to make telemedicine available to all.
In the effort to comply with Ontario Health Verified Virtual Health Standard, we resubmit our application to be reviewed with additional clarification about how these data elements should not be considered PHI, and if they continue to be then we will delete them within 30 days. We affirm that doxy.me meets all mandatory requirements as detailed in the standard, we are including an up-to-date Privacy Impact Assessment and Threat Risk Assessment summaries, and look forward to complete scenario-based validation testing of doxy.me against mandatory requirements and submit substantiation materials within 12 months to demonstrate the information we have is not PHI. [Bold in original. Underlining added]
Second Remediation Notice
18On January 3, 2023, Ontario Health issued a second remediation notice:
Ontario Health has determined that Doxy will be required, should you wish to become verified, to remediate and to re-submit once remediation is complete. …
In summary, Ontario Health has determined that Doxy collects PHI as defined in Ontario’s privacy law (PHIPA) on the basis that Doxy collects information about both patients and health care providers. As referenced on Doxy’s website, information collected, be it mandatory or optional, includes data elements that Ontario Health deems to constitute PHI, including email address, first name and last name, mobile number, and health care provider name and specialty. In addition, the copy of events collected file that Doxy provided to Ontario Health includes identifying information that would constitute PHI under PHIPA: TIMESTAMP, ID, ANONYMOUS_ID, ORIGINAL_TIMESTAMP, USER_ID, CITY, COUNTRY, CONTEXT_IP.
19By letter dated April 3, 2023, from Ontario Health to the Ministry of Health, Ontario characterized the above remediation notice as a “final Remediation Notice”.
20On January 30, 2023, Doxy notified Ontario Health that it was its view that “… there is bias against Doxy.me and you will next be contacted by the U.S. Department of Commerce and our attorney. We believe that OH is preventing an American company from fairly entering a Canadian market after demonstrating compliance.”
21In a letter dated April 3, 2023, counsel for Doxy wrote to provide assurance as to the outstanding requirements for the company to obtain verification. The letter states:
The company does not “hold” personal health information in any system in any jurisdiction because its solution has been designed for the highest level of privacy protection. Doxy.me does not require patients to have accounts, provide for a patient medical record, facilitate appointment bookings or feature any other services that would frustrate the company’s data minimization objective. Based on its discussions with Ontario Health, Doxy.me has decided to no longer retain patient IP addresses in its event record. This mitigates the risk of indirect identification. …
As the parties have discussed, patients engaged in a session may enter their name so it is revealed to their provider. The company does not retain this information. The parties have also discussed the possibility that patients will provide identifying information in the free text field the company provides to elicit feedback on video quality. As the company has conveyed, it analyzed 732 comments from patients of Ontario and zero (0/732; 0.00%) contained identifying information. …
22On June 20, 2023, Ontario Health responded:
The Virtual Visits Verification Program received your letter dated April 3, 2023 which advised that your firm was retained by Doxy to assist with its application to the Program. As you know, the Program has determined that Doxy cannot be listed as verified under the Program until Doxy meets the mandatory Program requirements or Doxy undertakes an acceptable remediation plan. …
Key actions that are required for Doxy to successfully complete the verification process include: (i) establishment of Canadian data residency, and (ii) performance of a privacy impact assessment that reflects Doxy has established Canadian data residency and that is appropriate to the Ontario Health privacy context. With respect to Doxy’s attestation letter dated December 12, 2022 the Program notes that the attestation letter was modified extensively from the original prescribed form. Adherence to that form is also required for the purposes of the annual re-attestation requirement, as noted in the Program terms and conditions.
Doxy will not be listed as a verified solution on the Ontario Health Virtual Visits Verification Program website unless and until the verification process is successfully completed. Pending that listing, Doxy’s physician customers are not eligible to bill OHIP for virtual visits using Doxy’s platform.
23In a letter to counsel for Ontario Health dated September 6, 2023, counsel for Doxy argued that the VVV Standard was ultra vires, a global outlier in imposing these restrictions, unreasonable, and had applied these requirements inconsistently. Counsel stated:
The purpose of the Connecting Care Act, 2019 is to promote patient care. The data localization requirements in the VVV Standard do not advance any patient care objective; in fact, excluding companies like Doxy.me from OHIP coverage undermines patient care, in a world where access to such services is in high demand and patient choices are limited. …
In fact, Ontario Health has not applied the VVV Standard consistently. As outlined in the April 3, 2023 letter (at pp. 7-8 and Appendix A), many verified and validated providers already make use of US-based service providers. It is arbitrary and unreasonable to effectively penalize Doxy.me for doing the same thing. As the Supreme Court held in Vavilov at para. 131, “[w]here a decision maker does depart from longstanding practices or established internal authority, it bears the justificatory burden of explaining that departure in its reasons. If the decision maker does not satisfy this burden, the decision will be unreasonable”. Here, Ontario Health has not provided any explanation at all for the differential treatment of Doxy.me.
Finally, Ontario is an outlier in imposing these restrictions. Doxy.me is a global leader in telemedicine, with over 200,000 clinician users around the world. Ontario is the only jurisdiction that has limited access to its platform based on data localization rules. …
24On October 13, 2023, counsel for Ontario Health responded to counsel for Doxy as follows:
The issues raised in your letters have been canvassed previously by our clients. The most significant point of departure is whether the information that Doxy.me is required to retain (pursuant to ss. 2.1.3, 2.3.4 and 5.1 of the VVV Standard) is Personal Health Information (“PHI”). Contrary to your assertion otherwise, for the reasons set out in Mr. Himmel’s email dated November 21, 2022, and letters dated January 3, 2023 and January 27, 2023, such information is PHI. Consequently, pursuant to 2.3.14 of the VVV Standard, such information must be held in systems located in Canada. We have enclosed a table that refers to the sections of the VVV Standard that the parties have been discussing, our understanding of Doxy.me’s position, and Ontario Health’s response.
Needless to say, we do not agree that Ontario Health has applied the VVV Standard in an “unreasonably rigid manner”. Ontario Health has applied the VVV Standard pursuant to its express terms and consistent with the purpose of the Virtual Visits Verification Program: “to support health service providers to select solutions that are designed to support safe, privacy and security enhanced virtual visits with patients …” As a point of clarification, Ontario Health does not have the “statutory power to determine which solutions are eligible for OHIP reimbursement”; the services eligible for OHIP reimbursement are prescribed by the Ministry of Health under the Health Insurance Act.
We also do not agree that the VVV Standard is ultra vires or unreasonable. Ontario Health has broad objects and powers pursuant to section 6 of the Continuing Care Act, 2019. Those objects include, among others, “developing or adopting standards respecting digital health services and the suppliers of such products and services” and “certifying products, services and suppliers in accordance with the standards developed or adopted …”. The VVV Standard is plainly within the statutory authority of Ontario Health. [Footnotes omitted]
25On December 8, 2023, following a meeting between the parties that took place about one month earlier, counsel for Ontario Health reiterated its view that the minimum data elements required to be retained under section 5.1 of the VVV Standard constitute personal health information.
26This application for judicial review was commenced on January 8, 2024.
ISSUES
27This application raises the following issues:
(a) Is this application for judicial review premature?
(b) Should the affidavit of Dr. Ann Cavoukian be admitted?
(c) Is the Data Residency Requirement in the VVV Standard Ultra Vires?
(d) Is the Payment Rule in Regulation 552 Ultra Vires?
(e) Was Ontario Health’s decision to deny Doxy’s application unreasonable?
STANDARD OF REVIEW
28When a court reviews the merits of an administrative decision, the standard of review is reasonableness unless applying a reasonableness standard would undermine legislative intent or the rule of law.
29A reasonable decision “is one that is based on an internally coherent and rational chain of analysis and that is justified in relation to the facts and law that constrain the decision maker. The reasonableness standard requires that a reviewing court defer to such a decision”: Canada (Minister of Citizenship and Immigration) v. Vavilov, 2019 SCC 65, [2019] 4 S.C.R. 653, at para. 85.
30The Court further stated:
[15] In conducting a reasonableness review, a court must consider the outcome of the administrative decision in light of its underlying rationale in order to ensure that the decision as a whole is transparent, intelligible and justified. What distinguishes reasonableness review from correctness review is that the court conducting a reasonableness review must focus on the decision the administrative decision maker actually made, including the justification offered for it, and not on the conclusion the court itself would have reached in the administrative decision maker’s place. …
[68] Reasonableness review does not give administrative decision makers free rein in interpreting their enabling statutes and therefore does not give them licence to enlarge their powers beyond what the legislature intended. Instead, it confirms that the governing statutory scheme will always operate as a constraint on administrative decision makers and as a limit on their authority. Even where the reasonableness standard is applied in reviewing a decision maker’s interpretation of its authority, precise or narrow statutory language will necessarily limit the number of reasonable interpretations open to the decision maker — perhaps limiting it one. Conversely, where the legislature has afforded a decision maker broad powers in general terms — and has provided no right of appeal to a court — the legislature’s intention that the decision maker have greater leeway in interpreting its enabling statute should be given effect.
31When reviewing the vires of subordinate legislation, the presumptive standard of review is reasonableness. In exceptional cases, the correctness standard is applied when it is alleged that it fails to respect the division of powers between Parliament and provincial legislatures: Auer v. Auer, 2024 SCC 36, at para. 27.
32The following principles apply when assessing the vires of subordinate legislation on the standard of reasonableness:
(a) Subordinate legislation is presumed to be valid. The burden is on a challenger to demonstrate that subordinate legislation is invalid. Further, subordinate legislation is to be interpreted in a manner so that, where possible, it is construed in a manner that renders it intra vires.
(b) Subordinate legislation must be consistent with the specific provisions of the enabling legislation and with its overriding purpose or object.
(c) The challenged subordinate legislation and the enabling legislation should be interpreted using a broad and purposive approach.
(d) A review of the vires of subordinate legislation does not involve an assessment of its policy merits: Auer v. Auer, 2024 SCC 36, at paras. 31-40; Katz Group Canada Inc. v. Ontario (Health and Long‑Term Care), 2013 SCC 64, at paras. 24-28.
33No exception to the presumption of reasonableness review applies in this case nor has any exception been asserted.
ISSUE #1: IS THIS APPLICATION FOR JUDICIAL REVIEW OF ONTARIO HEALTH’S “DECISION” PREMATURE?
34Ontario Health submits that this application for judicial review is premature as Doxy has received notices of remediation but not a final decision. It submits that Doxy’s entitlement to Verified Solution Status is ongoing as Ontario Health has delivered notices of remediation but not a final decision.
35Doxy submits that throughout its lengthy review process Ontario Health has consistently refused to grant Verified Solution Status to its videoconference platform largely because they have differing views on what constitutes PHI (personal health information) and the view that Doxy’s platform fails to comply with the Data Residency Requirement.
36In SkipTheDishes Restaurant Services Inc. v. Canadian Union of Postal Workers, 2025 ONSC 1399, N. Backhouse J. summarized the principle of prematurity as applied in this court: Absent exceptional circumstances, courts should not interfere with ongoing administrative processes until after they are completed, or until the available, effective remedies are exhausted She went on to explain the purpose of the principle as follows:
[32] The doctrine of prematurity, as it has developed in the law of judicial review prevents the fragmentation of administrative proceedings, reduces costs and delays, and ensures that judicial review is used as a last resort and only after the administrative decision-making process has been exhausted. Further, allowing the underlying proceeding to complete its course, respects the role of the administrative decision-maker: Canadian Union of Postal Workers v. Canada Post Corporation, 2024 ONSC 5924 (Div. Ct.), at para. 6; Sudbury and District Health Unit v. ONA, 2023 ONSC 2419 (Div. Ct.), at para 11; C.B. Powell Limited, at paras. 30-33; Volochay, at paras. 68-69; Malekzadeh v. Ontario Labour Relations Board, 2024 ONSC 2559 (Div. Ct.), at para. 7. [Emphasis added]
37Ontario Health’s letter dated December 8, 2023, states that there are four unresolved issues that remain open for resolution. Doxy has agreed to reconfigure its platform to address the concerns outlined in VVV section 2.1.4. subject to the other three issues, which address the Data Residency Requirement, being resolved to its satisfaction. After having exchanged views over two years, Doxy and Ontario Health are at impasse regarding the legal validity of the Data Residency Requirement. Neither party has capitulated on the issue of the Data Residency Requirement and there is no administrative process that will resolve this issue for the parties.
38Unlike SkipTheDishes and the cases referenced therein, there is no statutory process of adjudication and appeal in this case that has to be followed to completion. As a result, this application for judicial review does not result in a fragmentation of administrative proceedings.
39I find that this application for judicial review is not premature.
ISSUE #2: SHOULD THE AFFIDAVIT OF DR. ANN CAVOUKIAN BE ADMITTED?
40Doxy seeks to admit the affidavit of Dr. Ann Cavoukian, the former Information and Privacy Commissioner for Ontario, for the purpose of receiving her views on the following issues relating to the Data Residency Requirement imposed by the VVV Standard adopted by Ontario Health:
(a) The nature and purpose of the Data Residency Requirement.
(b) Does the Data Residency Requirement meaningfully promote patient privacy or data security in general, and also in relation to data that is stored in the United States?
(c) In the case of Doxy’s platform, would it increase patient privacy or data security if Doxy stored the data it holds in Canada?
(d) Does Doxy’s platform protect patient privacy and data security to a level consistent with the level of protection required under the VVV Standard?
(e) Are there other verified solutions under the VVV Program that do not comply with the Data Residency Requirement?
41The evidence on an application for judicial review is generally restricted to the evidence that was before the original decision-maker. There are limited exceptions to this rule, which Penny J. described In 30 Bay ORC Holdings Inc. et al. v. City of Toronto, 2021 ONSC 251, at para. 114 as follows:
(a) the materials ought to have been included in the record of proceedings (i.e., they are properly part of the record pursuant to s. 20 of the Statutory Powers Procedure Act, R.S.O. 1990, c. S.22);
(b) although the materials are not part of the record, they are properly added to the record because of one of the narrow exceptions to the principle that the record before the Divisional Court is the official record from the tribunal below. The usual examples of materials that may be admissible on this basis are:
(i) to set out general background that would assist the court;
(ii) to show procedural defects that are not apparent from the record or the reasons – for example, a reasonable apprehension of bias or a denial of procedural fairness; or
(iii) to show a complete lack of evidence to support a material finding of fact; and
(c) materials that are properly “fresh evidence” on the application.
42Except for the discussion regarding the nature and purpose of data residency requirements at paragraphs 14-21, Dr. Cavoukian’s evidence is not general background information. The affidavit addresses the data residency requirement in other jurisdictions in Canada and beyond, and opines on the merits of the data residency requirement, and whether the data residency requirement increases privacy protection for users of Doxy’s video service. Further, on this application, the policy merits of the data residency requirement under Ontario law are not relevant to its vires. Finally, Dr. Cavoukian is not a lawyer and has no special or particular knowledge of international law and trade agreements, including CUSMA and thus to the extent her affidavit addresses and opines on these matters it is inadmissible for that reason alone. Other than paras. 14-21, I would not admit the evidence in her affidavit.
ISSUE #3: IS THE DATA RESIDENCY REQUIREMENT IN THE VVV STANDARD ADOPTED BY ONTARIO HEALTH ULTRA VIRES?
43As noted earlier, in 2020, Ontario Health adopted the VVV Standard. This policy contains a data residency requirement, found in section 2.3.14 of the VVV Standard. In order to be verified by Ontario Health as a virtual visit solution it is required to demonstrate that “… all personal health information as defined in PHIPA is held by systems located in Canada”.
Is the Data Residency Requirement Consistent with the Objectives of the CCA?
44Doxy submits that the Data Residency Requirement of the VVV Standard bears no connection to the statutory objectives of the Connecting Care Act, 2019, S.O. 2019, c. 5, Sched.1 (the “CCA”). Doxy submits that this requirement is based on the assumption that the patient data located in Canada is more secure than data located in the United States. Given that the U.S. law provides for robust protection for personal health information, as a matter of technical security, data hosted in the United States is at least as secure as data hosted in Canada.
45I disagree that the Data Residency Requirement bears no connection to the objective of the CCA.. The preamble to the CCA expresses the Legislature’s intention to create a single provincial agency (now called Ontario Health) that would oversee the development of a “digitally-enabled, publicly funded health care system” that would “put each patient at the centre of a connected care system anchored in the community”.
46The objectives of Ontario Health include:
Developing or adopting standards respecting digital health products and digital health services and the suppliers of such products and services.
Certifying products, services and suppliers in accordance with the standards developed or adopted pursuant to paragraph 3: See Ontario Regulation 376/19, s. 1(1).
47Given the provisions described above, the data residency requirement found in the VVV Standard is consistent with the CCA and its objects and is specifically supported by the intention that the community care system be “anchored in the community”.
Is the Data Residency Requirement Arbitrary or Does It Conflict with the Broader Legislative Context?
48Doxy further submits that the Data Residency Requirement conflicts with the broader legislative context in that the PHIPA imposes extensive obligations on the custodians of personal health information but does not impose a data residency requirement that prohibits the storage of personal health information outside of Ontario. Doxy submits that this leads to absurd consequences as highly sensitive personal health information, such as patient diagnostics, treatment plans, and clinical photos, may be stored on servers in the U.S.A., however the Data Residency Requirement under the VVV Standard applies to far less sensitive information retained by virtual care solutions such as call metadata. As a result, less sensitive data is subject to greater restrictions under the VVV Standard than higher sensitive data under the PHIPA.
49Doxy further submits that there is no rational basis for the Data Residency Requirement found in the VVV Standard and Regulation 552 on the grounds that the Data Residency Requirement is not logically connected to the protection of personal health information. In this respect, Doxy relies on Dr. Cavoukian’s opinion that identified three rationales for the Data Residency Requirement were misplaced. She stated that these rationales were: 1) a concern that foreign jurisdictions will lack adequate privacy protections; 2) a concern over foreign government surveillance; and 3) a concern that enforcement of Canadian privacy laws would be more difficult for data held outside of Canada.
50As stated in Auer, at para. 33:
… a vires review does not involve assessing the policy merits of the subordinate legislation to determine whether it is “necessary, wise, or effective in practice”.
51The grounds advanced by Doxy challenge the necessity, wisdom and effectiveness of the Data Residency Requirement. I agree with the respondents’ view that the PHIPA does not limit Ontario Health’s authority to impose the Data Residency Requirement in the VVV Standard. Although PHIPA is aimed at protecting privacy, the protection of personal health information does not need to be uniform in different contexts. The VVV Standard was specifically designed in part to protect privacy and security. While the VVV Standard may impose stricter standards than PHIPA, it was open to Ontario Health to adopt a VVV Standard that imposes more stringent requirements on the storage of personal health information gathered on a virtual visit than for other visits with a physician. The policy merits of its doing so are not open to challenge.
ISSUE #4: IS THE PAYMENT RULE IN REGULATION 552 ULTRA VIRES?
52Under s. 37.1(1) of the HIA, a service rendered by a physician may be reimbursed for a service that is referred to in the schedule of benefits in such circumstances and conditions as specified in the schedule of benefits. As noted, Regulation 552 defines the schedule of benefits to mean the Ministry’s “Schedule of Benefits – Physician Services under the Health Insurance Act”. Since December 2022, the Schedule of Benefits provides that “… video services are only eligible for payment when performed using a Verified Virtual Visit Solution.” (“Payment Rule”).
53Doxy submits that the Payment Rule is ultra vires for the following reasons:
(a) it exceeds the statutory purpose of the HIA by going beyond the proper administration of the OHIP program and into general privacy regulation;
(b) Regulation 552 impermissibly subdelegates responsibility for OHIP eligibility to Ontario Health; and
(c) Regulation 552 violates Canada’s obligations under international trade agreements.
Does Regulation 552 exceed the purpose of the HIA?
54Doxy submits that Regulation 552, and in particular the Data Residency Requirement incorporated by the Schedule of Benefits, exceeds the purpose of the HIA by going beyond the proper administration of the OHIP program and into general privacy regulation.
55The purpose of the HIA is to provide publicly available insurance against the cost of insured services. Section 10 of the HIA states:
The Ontario Health Insurance Plan is continued for the purpose of providing for insurance against the costs of insured services on a non-profit basis on uniform terms and conditions available to all residents of Ontario, in accordance with this Act, and providing other health benefits related thereto.
56Clause 37.1(1) of Regulation 552, made by the LGIC under the HIA, states that a service rendered by a physician is an insured service if amongst other things "… the service is referred to in the schedule of benefits and rendered in such circumstances or under such conditions as may be specified in the schedule of benefits”.
57The purpose of the VVV Standard is to establish that a physician’s virtual service meets standards that “… support safe, privacy and security enhanced virtual visits with patients and [that] advance interoperable health information exchange in alignment with the Digital Health Information Exchange Standard.”
58It is within the broad purpose of the HIA, to promote the proper administration of the OHIP program, to require that the reimbursement for the virtual delivery of services by a physician is conditional on showing the physician’s virtual services meet the requirements of the VVV Standard, including its privacy requirements.
Does Regulation 552 unlawfully subdelegate responsibility for determining OHIP eligibility to Ontario Health?
59Under s. 45(1)(e) of the HIA, the LGIC may make regulations governing insured services, including specifying those services that are not insured services.
60Clause 37.1(1) of Regulation 552, made by the LGIC under the HIA, states that a service rendered by a physician is an insured service if amongst other things "… the service is referred to in the schedule of benefits and rendered in such circumstances or under such conditions as may be specified in the schedule of benefits”.
61Under s. 1(1) of Regulation 552, “schedule of benefits” means the document published by the Ministry of Health and Long-Term Care entitled “Schedule of Benefits – Physician Services under the Health Insurance Act …”.
62The Schedule of Benefits states:
Video services are only eligible for payment when performed using a Verified Virtual Visit Solution.
“Verified Virtual Visit Solution” means virtual service delivery platforms listed on Ontario Health’s public list of verified solutions.
[Commentary: Ontario Health’s public list of verified solutions is available at https://www.ontariohealth.ca/our-work/digital-standards/virtual-visits-verification-standard/vendor-list.]
63Subsection 80.1(1) of the Legislation Act, 2006, S.O. 2006, c. 21, Sched. F, states:
A person on whom an Act confers power to make a regulation may delegate the power only if an Act specifically authorizes the delegation of that regulation-making power.
64Doxy submits that the responsibility for determining which virtual care solutions are eligible for OHIP reimbursement has been unlawfully delegated from the LGIC to Ontario Health as it is given the power to determine the conditions under which certain “insured services” will be reimbursed by OHIP. Doxy states:
… the Schedule of Benefits does not simply incorporate the list of “verified solutions” as it existed at a particular point in time; it provides an active hyperlink to the Ontario Health website. The clear intent is that reimbursement depends on whether a solution is “verified” when the virtual visit takes place.
This means that the Lieutenant Governor in Council has relinquished control over this aspect of the OHIP program and left future changes to the list of “verified” solutions entirely up to Ontario Health. This is an impermissible sub-delegation of authority.
65Professor Willis noted:
The administrative law which has grown up around the Latin maxim delegatus non potest delegare, a delegate may not re-delegate, deals with the extent to which an authority may permit another to exercise a discretion entrusted by a statute to itself . …
Delegation, as the word is generally used, does not imply a parting with powers by the person who grants the delegation, but points rather to the conferring of an authority to do things which otherwise that person would have to do himself: Willis, "Delegatus Non Potest Delegare", 21 Can. Bar Rev. 257 (1943), at p. 257-258
66I make the following observations:
i. First, the Act confers broad authority on the LGIC to make regulations “governing” what services are “insured services” rather than only authority to “prescribe” regulations.
ii. Second, the LGIC has not delegated authority to Ontario Health to verify a solution given that Ontario Health already has authority under the Continuing Care Act, 2019 to verify a solution as: (a) it has natural person powers for the purpose of carrying out its objects: Continuing Care Act, 2019, s. 7(1); and (b) its objects include “certifying products, services and suppliers in accordance with the standards developed or adopted …”. See Ontario Regulation 376/19, s. 1(1).
iii. Third, there is no dispute that the LGIC has the broad authority to referentially incorporate provisions adopted by other entities, including other legislative bodies or non-governmental bodies, as amended from time to time: Reference re An Act respecting First Nations, Inuit and Métis children, youth and families, 2024 SCC 5, at paras. 124-126.
67Doxy’s submission suggests that the LGIC only has authority to make a regulation that incorporates by reference a static list of solutions that have been verified by Ontario Health. Incorporation by reference may also be anticipatory and I find that LGIC also has authority to adopt solutions that may be verified by Ontario Health from time to time. The reference to “public list of verified solutions” in the Schedule of Benefits that was adopted by Regulation 552 shows a clear intent to engage in anticipatory incorporation by reference of verified solutions rather than only a static incorporation of verified solutions.
68Accordingly, I find that the Regulation does not unlawfully subdelegate responsibility for determining OHIP eligibility to Ontario Health.
Does the Data Residency Requirement Violate International Trade Agreements?
69Doxy submits that:
(a) legislation is presumed to comply with Canada’s international obligations and courts should avoid interpretations that would violate those obligations.
(b) Ontario’s authority to make regulations under the Health Insurance Act must be construed to ensure that any regulation complies with Canada’s international obligations including The Canada-United States-Mexico Agreement (CUSMA).
70Doxy submits that the Data Residency Requirement violates Article 19.11 and Article 19.12 of the CUSMA which state:
Article 19.11: Cross-Border Transfer of Information by Electronic Means
No Party shall prohibit or restrict the cross-border transfer of information, including personal information, by electronic means if this activity is for the conduct of the business of a covered person.
This Article does not prevent a Party from adopting or maintaining a measure inconsistent with paragraph 1 that is necessary to achieve a legitimate public policy objective, provided that the measure:
(a) is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and
(b) does not impose restrictions on transfers of information greater than are necessary to achieve the objective.
Article 19.12: Location of Computing Facilities
No Party shall require a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business in that territory.
71Doxy submits that, contrary to Article 19.11.1, the Data Residency Requirement restricts the cross-border flow of data by removing OHIP eligibility for the use of virtual care solutions that store data outside of Canada. Doxy further submits that the respondents have not shown that the requirements in the exception provided by Article 19.11.2 are engaged. Further, Doxy submits that the Data Residency Requirement violates Article 19.12 because it requires virtual care solutions to maintain Canadian data residency in order to quality for OHIP reimbursement.
72I agree with the respondents’ position that this court should not rule on Doxy’s submission that the data residency requirement violates CUSMA because that submission requires the adjudication of state obligations under CUSMA. Domestic courts do not adjudicate state obligations arising out of trade law treaties and that such disputes are properly dealt with by international trade tribunals under such agreements. Accordingly, if Doxy wishes to challenge the data residency requirement relying on CUSMA, then such challenge must be made in the forum mandated by CUSMA.
ISSUE #5: WAS ONTARIO HEALTH’S DECISION TO DISMISS DOXY’S APPLICATION FOR APPROVAL AS A VERIFIED VIRTUAL SOLUTION UNREASONABLE?
73Section 2.3.14. of the VVV Standard imposes the following data residency requirement:
Ensure all PHI data as defined in PHIPA is held by systems located in Canada.
74Under s. 4(1) of the PHIPA “personal health information … means identifying information about an individual in oral or recorded form, if the information,
(a) relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,
(b) relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual, … .
75Under s. 4(2) of PHIPA, “identifying information” means information that identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual.
76Doxy submits that Ontario Health unreasonably denied its application for approval as a verified virtual solution on the basis of the Data Residency Requirement for the following reasons:
(a) The information collected by Doxy is neither “held” by Doxy nor does it constitute “personal health information”; and
(b) The denial of Doxy’s application was inconsistent with how Ontario Health treated its competitors.
77The respondents deny the above allegations and assert that, in any event, Doxy failed to comply with the mandatory requirements of sections 2.1.4 and 2.3.7. of the VVV Standard.
Did Ontario Health unreasonably find that Doxy’s virtual solution holds personal health information?
78Section 2.3.14. of the VVV Standard requires a solution provider to ensure that all PHI data as defined in PHIPA is held by systems located in Canada.
79Section 5 of the VVV Standard (which consists of sections 5.1, 5.2 and 5.3) specifies the data requirements for a verified virtual solution.
5.1 Mandatory virtual visit data elements.
5.1.1. Event ID. Unique identifier for each virtual visit. 5.1.2. Organization ID: Organization that provisioned the account. 5.1.3. Solution ID: Unique identifier for the solution that supported the virtual visit. 5.1.4. Event Details. Event start date, event start time, event end date, event end time 5.1.5. Event Type. 5.1.6. Clinician Information (Event Host): First name, last name 5.1.7. Physician Flag. Physician Flag. 5.1.8. Clinician Location (Event Host). Postal code or IP Address. 5.1.9. Participant Location (Patient): Postal Code or IP Address 5.1.10. Modality Use. Primary modality.
5.2 Recommended Virtual Visit Data Elements
5.2.1 Therapeutic Area of Care. Area of Practice. 5.2.2. Name of Regulatory College. 5.2.3. Professional Registration Number. 5.2.4. Clinical Provider. IP Address. 5.2.5 Participant Location (participants). IP Address. 5.2.6. Participant Location (patient). IP Address. 5.2.7. Participant Identification. (patient). Participant’s name, date of birth, gender, and unique identifier, i.e. Heath card number. 5.2.8. Event Outcome.
5.3 Virtual Visit Data Elements for Audit
5.3.1. Create date. Date the event was created. 5.3.2. Last Modified Date. Date the event record was last modified. 5.3.3. Event Actor. Authority of the event creation or last modification.
80On December 8, 2023, Ontario Health confirmed by letter that, “… the retention requirement in 2.1.3. does not apply to the data elements in 5.2 and 5.3”.
81In that letter Ontario Health described two concerns. First, that the information specified by section 5.1 of the VVV standard constituted PHI and secondly, that voluntary patient feedback and customer support inquiries as well as transient copies of transferred files constitute PHI. Their letter states:
… Ontario Health maintains its position that the minimum data elements required to be retained under section 5.1 constitute personal health information. That data identifies an individual patient or is reasonably foreseeable in the circumstances to be used to identify an individual patient. That data is about the provision of health care to the individual (i.e., a virtual visit) provided by a particular clinician. Similarly, data about patient customer support requests, in which the patient is seeking support from the electronic services provider of a health information custodian, would likewise constitute personal health information if reasonably identifiable to the patient. In addition, Ontario Health identified other types of personal health information (beyond the items required under section 5.1) that are or may be handled by Doxy.me in a communication to Doxy.me on January 3, 2023. For example, information about a provider or provider clinic or organization, such as unique weblinks, would, if associated with information that could identify the patient, reveal not only the patient’s care provider, but also permits inferences about their physical or mental health – all of which is personal health information. …
82Ontario Health’s decision is not reasonable because it does not explain how it is reasonably foreseeable that the information collected could be used to identify an individual patient. The mandatory information required to be captured under section 5.1 of the VVV standard does not reasonably constitute “identifying information … that relates to the physical or mental health of the individual … or relates to the providing of health care to the individual” within the meaning of s. 4(1)((a) and s. 4(2) of PHIPA. The identity of a patient is not revealed by the patient’s IP address nor their postal code and Ontario Health does not explain how it would be.
83While the retention of the recommended virtual visit data element under s. 5.2 and s. 5.3 of the VVV Standard, such as participant identification information, would constitute personal health information, it is not information that is captured as part of Doxy’s virtual visit solution which it characterizes as a “data lean” model. Names, email addresses, and the like, are not data that is required to be captured. The circumstances in which such data might be collected is highly speculative. One such potential avenue for the collection of PHI is the use of the “free text response” patient survey on the quality of the audio and video on the virtual visit. There is no dispute that 0 of 732 survey responses did not contain PHI. It was unreasonable for Ontario Health to rely on this concern.
84I find that Ontario Health’s decision that Doxy virtual solution captures “personal health information” is not based on a rational chain of analysis that explains how the information collected could be used to identify an individual patient.
85Having come to this conclusion, there is no need to address whether Ontario Health has been inconsistent in its application of the data residency requirement.
Did Ontario Health unreasonably find that Doxy’s virtual solution did not satisfy section 2.1.4. of the VVV Standard?
86Section 2.1.4. of the VVV Standard states:
Requirement: Enable the electronic transfer of virtual visit information to a medical or hospital record.
Notes: Virtual visit information … must be transferable to a medical record or hospital record for clinical documentation and audit purposes. Solutions may also allow clinicians relevant chat message, file attachments or images that should be transferred to the patient’s medical or hospital record. A minimal event log must be retained which describes the event, event participants, timestamp and if any data was deleted as a result of a data exchange.
87There is no dispute that Doxy’s virtual solution does not comply with this requirement. Doxy states that, assuming the issue related to whether it collects personal health information is resolved to its satisfaction, that it might reconfigure its platform to permit the additional event record fields that correspond to the data elements required by s. 5.1 of the VVV Standard to be downloaded and exported.
88On this basis alone, Ontario Health’s decision to refuse to verify Doxy’s virtual solution was reasonable.
Did Ontario Health unreasonably find that Doxy’s virtual solution did not satisfy section 2.3.7. of the VVV Standard?
89Section 2.3.7 of the VVV Standard requires that an up-to-date Privacy Impact Assessment summary be delivered. Ontario Health found that the PIA summary delivered by Doxy did not comply with this requirement as it contemplated that personal health information would be stored outside of Canada contrary to the data residency requirement in section 2.3.14. of the VVV Standard. Doxy acknowledges that the requirement for a PIA remains unsatisfied pending the determination of the issue of whether its virtual solution holds personal health information outside of Canada.
90Accordingly, on this basis as well, Ontario Health’s decision to refuse to verify Doxy’s virtual solution was reasonable.
CONCLUSIONS
91This application for judicial review is dismissed since, according to the analysis set out above, Ontario Health was entitled to find Doxy did not satisfy s. 2.1.4 and s. 2.3.7 of the VVV Standard. However, any further submission by Doxy for verification of its virtual solution must be considered in light of the finding that Ontario Health’s conclusion that Doxy holds personal health information was unreasonable.
92The parties are encouraged to resolve the issue of costs failing which they may submit cost submissions within ten days and responding costs submissions within twenty days.
Faieta J
I agree____________________
Shore J.
I agree____________________
O’Brien J.
Released: April 16, 2026
Footnotes
- On August 8, 2019, the Minister of Health and the Ministry of Health were established by Order in Council. 1110/2019. Amongst other things, it made the Minister responsible for the administration of the Health Insurance Act and the Connecting Care Act, 2019.