Executive Summary: Key Legal and Evidentiary Issues

• Scope of Ontario Health’s authority to impose a Canada-only data residency requirement through the Virtual Visits Verification Standard and its consistency with the Connecting Care Act and Health Insurance Act.
• Validity of the OHIP “Payment Rule” in Regulation 552 that limits reimbursement for video services to Ontario Health–verified virtual visit platforms, and whether it unlawfully subdelegates regulatory power.
• Proper interpretation of “personal health information” under PHIPA, including whether IP addresses, event logs and limited metadata can reasonably identify patients in Doxy’s “data-lean” virtual care model.
• Reasonableness of Ontario Health’s refusal to verify Doxy’s platform, given alleged non-compliance with mandatory technical requirements (data transfer to medical records and a compliant privacy impact assessment).
• Treatment and admissibility of expert evidence (Dr. Cavoukian’s affidavit) on the policy rationale and comparative context of data residency, and the court’s refusal to weigh policy merits in a vires review.
• Attempt to invoke Canada’s CUSMA trade obligations concerning cross-border data flows and data localization, and the court’s decision that such treaty-compliance issues are for trade tribunals rather than domestic judicial review.

Background and parties

Doxy.me Inc. is a U.S.-based web videoconferencing provider used by over one million physicians worldwide, including a significant user base in Ontario that grew during the COVID-19 pandemic when OHIP temporarily reimbursed virtual visits on any platform. Its platform is hosted on Amazon Web Services servers located in the United States and does not use Canadian data centres. The respondents are Ontario Health (a Crown agency under the Connecting Care Act, 2019), the Minister of Health (responsible for OHIP under the Health Insurance Act) and the Lieutenant Governor in Council, who makes regulations governing insured services. Doxy applied for judicial review after Ontario Health refused to list its platform as a “Verified Virtual Visit Solution,” a status that is now a condition for physicians to bill OHIP for video-based virtual services conducted through the platform.

The Ontario virtual visits framework

The provincial virtual care framework is built on several interlocking instruments. Under the Health Insurance Act and Regulation 552, a physician service is an insured service only if the service appears in the Schedule of Benefits and is provided in the circumstances or conditions set out there. The Schedule of Benefits, as amended effective December 1, 2022, provides that video services are only eligible for OHIP payment when performed using a “Verified Virtual Visit Solution.” A Verified Virtual Visit Solution is defined in the Schedule by reference to Ontario Health’s public list of verified platforms. Ontario Health administers the Virtual Visits Verification Program and has adopted a detailed Virtual Visits Verification Standard (VVV Standard). The stated purpose of this program and standard is to help health providers select virtual visit solutions that support safe, private and secure virtual visits and interoperable health information exchange consistent with digital health standards. Ontario Health’s statutory objects under the Connecting Care Act include developing or adopting standards for digital health products and services, and certifying products and suppliers in accordance with those standards, which underpins its role in verifying virtual visit solutions.

The data residency requirement in the VVV Standard

At the heart of the dispute is section 2.3.14 of the VVV Standard, which requires that all personal health information (PHI), as defined under Ontario’s Personal Health Information Protection Act (PHIPA), be held by systems located in Canada. This is commonly referred to as the Data Residency Requirement. The Standard also prescribes mandatory data elements that a verified solution must retain about each virtual visit. Section 5.1 lists “mandatory virtual visit data elements,” including a unique event ID, solution and organization identifiers, event timestamps, clinician name, flags indicating whether the host is a physician, and location data such as postal code or IP address for the clinician and participant. Sections 5.2 and 5.3 list recommended and audit-related elements, including potentially identifying patient information, but Ontario Health later confirmed that the retention requirement in section 2.1.3 did not apply to the recommended and audit fields. Ontario Health’s interpretation was that the minimum data elements required under section 5.1, combined with other information handled in practice by Doxy (such as certain identifying fields and support interactions), amounted to PHI for PHIPA purposes, so the Data Residency Requirement would be triggered and necessitate Canadian hosting.

Doxy’s application and Ontario Health’s remediation notices

Doxy applied on September 30, 2022, attesting that its platform met all mandatory VVV requirements. In November 2022, Ontario Health issued a first remediation notice stating it had determined Doxy’s service collected PHI and would therefore need to migrate to a Canadian cloud provider so all such information would be processed, handled, accessed and stored in Canada at all times. Doxy responded in December 2022, emphasizing that its solution was deliberately “data-lean”: it did not create patient accounts or medical records, and it did not require identifying patient information. It acknowledged collecting system event data (such as unique event IDs, timestamps, browser/OS details, device type and telephony IDs), IP addresses and free-text quality-of-service survey responses, but argued that none of these, alone or in combination with information reasonably available to Doxy, could identify individual patients or constitute PHI under PHIPA’s definition. Doxy pointed to internal and external privacy experts’ consensus that, without access to outside datasets, re-identification was not reasonably foreseeable. It also offered, as a compromise, to delete certain data—such as IP addresses and free-text survey content—within 30 days if Ontario Health insisted on treating them as PHI, although it warned this would degrade features such as audit trails, analytics and support functions and might force it to stop offering a free service tier.

Escalation of the PHI and data residency dispute

Ontario Health’s second remediation notice on January 3, 2023, reiterated its view that Doxy collected PHI, relying on references from Doxy’s own materials to data such as email addresses, first and last names, mobile numbers and provider details, as well as an events file showing identifiers and location-related fields (including IP address and city/country). In subsequent correspondence, Doxy’s counsel insisted that Doxy did not “hold” PHI in any system in any jurisdiction, stressed its data minimization design, and advised that, in response to Ontario Health’s concerns, it had decided to stop retaining patient IP addresses in its event record to further reduce identifiability risk. Doxy also presented empirical evidence regarding the free-text feedback field: in a review of 732 Ontario patient comments, none contained identifiers or health information, which it argued made it unreasonable to treat this survey channel as a realistic PHI vector. Ontario Health replied in June and December 2023 that Doxy could not be listed as verified unless it both established Canadian data residency and produced a privacy impact assessment (PIA) consistent with that residency and Ontario’s privacy context, and that it continued to regard the mandatory section 5.1 elements, plus other handling of support and related data, as PHI that must be stored on Canadian systems. In the interim, physicians using Doxy remained ineligible to bill OHIP for virtual visits conducted through its platform.

Challenge to the legality of the Data Residency Requirement

In its judicial review application, Doxy attacked the Data Residency Requirement on vires grounds. It argued that the requirement exceeded the statutory objectives of the Connecting Care Act and improperly transformed Ontario Health’s role into that of a general privacy regulator, particularly given that PHIPA itself does not impose a blanket prohibition on storing PHI outside Ontario or Canada. Doxy suggested this produced an absurd policy outcome: highly sensitive PHI (such as diagnostics or clinical images) might lawfully reside on U.S. servers under PHIPA, while relatively low-sensitivity metadata collected by virtual visit platforms would be subject to stricter localization through the VVV Standard and associated OHIP reimbursement rules. Doxy further claimed Ontario was a global outlier in imposing such localization, and that the Data Residency Requirement conflicted with Canada’s obligations under CUSMA provisions that limit restrictions on cross-border data transfers and data localization demands. The court held that a vires review does not engage the wisdom, necessity or effectiveness of the policy. It found that the Data Residency Requirement was rationally connected to the CCA’s objective of a “digitally-enabled” health system anchored in the community, and to Ontario Health’s express objects of developing standards for digital health products and certifying compliant services. The fact that PHIPA permits out-of-country storage in other contexts did not strip Ontario Health of authority to adopt a stricter standard for verified virtual visit platforms. Policy merits and comparative practices in other jurisdictions were treated as beyond the court’s remit in deciding whether the Standard fell within statutory authority.

Validity of the Payment Rule and alleged subdelegation

Doxy also challenged the OHIP Payment Rule, contained in Regulation 552 and the Schedule of Benefits, which restricts payment for physician video services to those performed on listed verified platforms. It argued this rule exceeded the Health Insurance Act’s purpose by moving from administration of insurance benefits into broad privacy regulation, and that by linking OHIP eligibility to Ontario Health’s dynamic list of verified solutions (via a hyperlink to its website), the Lieutenant Governor in Council had unlawfully subdelegated regulatory authority in violation of the Legislation Act’s constraints on delegating regulation-making power. The court rejected these arguments. It held that conditioning reimbursement on compliance with the VVV Standard, including its privacy provisions, fell squarely within the HIA’s broad purpose of governing insured services and related benefits. It further characterized the structure of the regulation as an anticipatory incorporation by reference of Ontario Health’s list—which Ontario Health had independent authority to maintain under its own statute—rather than an impermissible delegation of the LGIC’s regulation-making power. The LGIC, empowered to “govern” insured services, was entitled to define conditions by reference to standards and lists developed by another statutory body with its own mandate to certify digital health solutions.

Attempted reliance on international trade obligations

On the international front, Doxy invoked Canada’s obligations under CUSMA, pointing to provisions on cross-border transfer of information by electronic means and prohibitions on requiring local computing facilities as a condition of doing business. It argued that the Data Residency Requirement, by effectively disqualifying foreign-hosted platforms from OHIP coverage unless they localize Canadian data, restricted cross-border data flows and violated the prohibition on mandated local hosting. The court declined to decide whether the Ontario regime complied with CUSMA. It reasoned that domestic courts are not the forum for adjudicating state-to-state trade obligations under such treaties; instead, treaty-compliance disputes belong before the designated international mechanisms. Any trade-based challenge to Ontario’s data residency rules, therefore, would have to proceed through CUSMA’s own processes rather than through this judicial review.

Treatment of the expert affidavit on data residency

An important evidentiary issue concerned Doxy’s attempt to rely on an affidavit from Dr. Ann Cavoukian, former Information and Privacy Commissioner of Ontario. Her evidence critiqued the rationale for data localization, compared Ontario’s approach with other jurisdictions, and addressed whether Canadian localization meaningfully enhances privacy or security in the context of Doxy’s platform and U.S. hosting. The court applied the usual rule that judicial review is decided on the record before the decision-maker, with only narrow exceptions for background information, procedural unfairness and true “fresh evidence.” It held that most of Dr. Cavoukian’s affidavit went beyond general background and entered into policy debate and legal opinion on international trade matters outside her expertise and outside the limited scope of vires review. Apart from a small portion describing the general nature and purpose of data residency requirements at a high level, the affidavit was found inadmissible and was not used to assess the legality or reasonableness of Ontario Health’s decisions.

Reasonableness of Ontario Health’s finding on personal health information

On the reasonableness review, the court concentrated on PHIPA’s definition of personal health information. PHI must be “identifying information” about an individual that relates to their health or the provision of health care, and “identifying information” is information that identifies an individual or could reasonably be expected, alone or with other information, to be used to identify the individual. Ontario Health took the position that the mandatory section 5.1 elements—particularly patient location data (postal code or IP address) and event-level metadata in the required audit trail—constituted PHI when collected and retained by a virtual visit solution. It also pointed to other contexts in which Doxy might handle identifiable data, such as patient-initiated customer support requests or specific provider URLs that could reveal details about a patient’s care. The court found Ontario Health’s conclusion that Doxy’s virtual visit solution “holds” PHI to be unreasonable. It emphasized that Ontario Health had not provided a coherent explanation of how the specific mandatory fields actually collected and retained by Doxy as part of its “data-lean” model could reasonably be used to identify an individual patient. The mere presence of an IP address or postal code, without more, did not in and of itself reveal a patient’s identity or health status, and Ontario Health did not convincingly articulate a practical, reasonably foreseeable pathway to identification given Doxy’s access to other information. The court also noted the uncontradicted evidence that none of the 732 sampled free-text survey responses from Ontario patients contained identifiers or health information, which significantly undermined Ontario Health’s reliance on that channel as a PHI source. On this analysis, the court held that Ontario Health’s reasoning chain regarding PHI was deficient and did not meet the standard of a transparent, intelligible, and justified decision.

Failure to meet other mandatory VVV requirements

Despite finding Ontario Health’s PHI conclusion unreasonable, the court turned to other mandatory provisions of the VVV Standard that Doxy admittedly did not satisfy. Section 2.1.4 requires that a verified solution enable the electronic transfer of virtual visit information to a medical or hospital record for clinical documentation and audit purposes, and contemplates a minimal event log that can be moved into clinical records. Doxy’s current architecture did not meet this requirement; it indicated that, if the PHI/data residency dispute were resolved favourably, it might reconfigure its platform in future to export the required event-level data, but as matters stood, the functionality was lacking. Section 2.3.7 requires submission of an up-to-date PIA summary that reflects the solution’s data handling and residency in a manner appropriate to Ontario Health’s privacy framework. The PIA Doxy provided contemplated storage of data outside Canada and was not updated to align with the Canadian data residency requirement, a deficiency Doxy itself acknowledged was unresolved pending a determination of whether its solution in fact held PHI outside Canada. The court held that these failures provided independent, reasonable bases for Ontario Health’s refusal to verify Doxy’s platform, separate from the flawed PHI analysis.

Outcome and implications

In the result, the Divisional Court dismissed Doxy’s application for judicial review. It upheld the legality of the Data Residency Requirement in the VVV Standard and the OHIP Payment Rule in Regulation 552, and found no unlawful subdelegation or justiciable breach of international trade obligations. At the same time, it declared Ontario Health’s conclusion that Doxy’s solution necessarily held personal health information to be unreasonable, directing that any future verification submissions by Doxy must be assessed in light of that finding. Nonetheless, because Doxy undisputedly did not meet other mandatory requirements around integration with clinical records and a compliant privacy impact assessment, the refusal to grant verified status was found reasonable overall. The successful parties in this proceeding were therefore Ontario Health, the Minister of Health and the Lieutenant Governor in Council, and there were no damages or quantified monetary awards granted; costs were left for the parties to negotiate, with the court only inviting written submissions if they could not agree, so the precise amount ordered (if any) cannot be determined from this decision alone.