Identity Federation

EHR transactions are traced to the individuals who performed them, and to the organization under whose authority they acted. Electronic credentials link users to their real-world identity and to their regulatory college, if applicable. They also map to an organization that has authorized the user’s access to specific applications and health care client records. By contrast, system-generated tokens describe the authority for an electronic transaction which can be associated with agreements between contributing parties.

As a consequence of the broad use and need for EHR functionality, eHealth Ontario must support the activities of hundreds of thousands of health care providers and millions of health care clients at thousands of locations throughout the province, while keeping information available, accurate and secure. Providers wanting to access the EHR need to be assigned digital identities – i.e. they need to be securely identified, so that they can be authenticated when they make service requests. They also need to be assigned access privileges so that their requests can be properly authorized. Accurate identification of the requesting provider is also critical to allow consent features to work effectively. 

The identity federation concept takes advantage of the fact that many providers have already fulfilled similar requirements in the organization where they work. For example, clinicians in a hospital must satisfy internal criteria in order to access its systems. This provides an opportunity to partner with such organizations, by trusting and sharing their digital user identities. Organizations that are trusted in this way are ‘federated’ with respect to identity.

Federation partners sign agreements to follow relevant federation policies and standards. The agency will ensure that these policies and standards are followed.

Federation can be considered a network of organizations providing access to services based on user identity assertions made by trusted identity providers. For example, a clinician’s hospital credentials (asserted by an identity provider) are used to authenticate to provincial applications presented by eHealth Ontario.

Benefits of federation include:

  • More effective use of provincial assets through consistency of business processes/operations, technical infrastructure and policies, standards, and agreements
  • Increased efficiency by minimizing duplication of effort among federation members and reducing/offloading some administrative responsibilities to the federation operator (defined below). For example, identity information can be gathered, validated and maintained locally, as providers have clear and established relationships with their organizations.
  • Improved privacy and security by enforcing common policies, standards and agreements
  • Applications (EHR components, hospital and LHIN-based solutions) developed by one organization are easier to adopt by other organizations, since they recognize each other’s credentials
  • Users from a federated partner can use the same login credentials for both their local system and broader EHR services (this is called single sign-on). Credentials from federation members can be used to access provincial services, including eHealth Ontario assets like OLIS, which can rapidly increase the number of users with secure electronic access to clinical applications.

Figure 25: Access through Identity Federation using Trust Relationship

The eHealth Ontario federation model defines 4 roles for federation members. A federation member may play one or more of these roles:

  • Federation operator: sets policies, standards and agreements; provides business processes and technical infrastructure to facilitate federation operations
  • Identity provider: provides credentials to users based on real world identities; captures and passes verified data required for federation (e.g. professional designations), and authenticates users when requested by the federation operator
  • Delivery channel: provides a conduit to an EHR service. A good example is a portal that deploys eHealth Ontario portlets.
  • Application provider: provides services for consumption by federation members, and defines the rules by which users are entitled to access the services. Users with credentials from recognized identity providers can access services using a recognized delivery channel. 
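
How an application provider might apply these roles when a request arrives, as an added example that is not part of the eHealth Ontario blueprint. The registry contents, claim names and service name are constructed, and HMAC with a per-identity-provider key stands in for the assertion signature, since the page does not name a protocol or signature scheme.

```python
import hashlib, hmac, json, time

# Constructed federation registry (assumption: in a real federation the
# operator's agreements decide who appears here; names and keys are made up).
TRUSTED_IDPS = {"hospital-a.example": b"constructed-key-a",
                "one-id.example": b"constructed-key-b"}
RECOGNIZED_CHANNELS = {"provincial-portal.example"}
# Application provider's entitlement rules: service -> allowed designations.
ENTITLEMENTS = {"lab-results": {"physician", "nurse"}}

def sign_assertion(claims, key):
    """Identity provider side: serialize the claims and attach a MAC."""
    body = json.dumps(claims, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def authorize(assertion, channel, service, now=None):
    """Application provider side: return (allowed, reason)."""
    now = time.time() if now is None else now
    try:
        body = assertion["body"]
        claims = json.loads(body)
    except (ValueError, KeyError, TypeError):
        return False, "malformed assertion"
    if not isinstance(body, bytes) or not isinstance(claims, dict):
        return False, "malformed assertion"
    key = TRUSTED_IDPS.get(claims.get("issuer"))
    if key is None:
        return False, "issuer is not a federated identity provider"
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, str(assertion.get("mac", "")).encode()):
        return False, "assertion integrity check failed"
    exp = claims.get("expires")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "assertion expired"
    if channel not in RECOGNIZED_CHANNELS:
        return False, "delivery channel not recognized"
    if claims.get("designation") not in ENTITLEMENTS.get(service, set()):
        return False, "designation not entitled to service"
    # The reason names the individual and the asserting organization, so the
    # transaction can be traced to both.
    return True, f"{claims.get('user')}@{claims['issuer']} -> {service}"

if __name__ == "__main__":
    claims = {"issuer": "hospital-a.example", "user": "dr.lee",
              "designation": "physician", "expires": time.time() + 300}
    token = sign_assertion(claims, TRUSTED_IDPS["hospital-a.example"])
    print(authorize(token, "provincial-portal.example", "lab-results"))
    print(authorize(token, "unknown-portal.example", "lab-results"))
```

A shared MAC key would let the verifying party mint assertions itself, so a deployed federation would use asymmetric signatures; the check order and the failure reasons are what this example is meant to show.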

An organization wanting to be an identity provider (i.e. issue health care providers with electronic credentials to access EHR applications) or a delivery channel (i.e. provide an entry point, such as a portal, for EHR applications) must sign an agreement with eHealth Ontario to abide by the policy and standards applicable to their role in the federation.

ONE ID as an Identity Provider

To support providers not affiliated with a hospital that can issue them a user ID and password, such as pharmacists, dentists, dieticians, midwives, occupational therapists, psychologists, administrative staff, and sole practitioners, eHealth Ontario’s ONE ID service acts as a province-wide identity provider, issuing electronic credentials for access to EHR applications. These applications may be hosted by eHealth Ontario or by other organizations. ONE ID is a member of the identity federation and also plays the federation operator role. 

The service uses a network of Local Registration Authorities (LRAs) employed by their own organization and acting on behalf of eHealth Ontario to simplify the registration process. 

A number of organizations also use ONE ID as their identity provider for access to their applications. Note that they may not necessarily consume any other eHealth Ontario services. By partnering with these organizations, the ONE ID service will reach a critical mass of users so that future applications or systems adopting ONE ID will be accessible to more users who are already registered.
