Privacy Notice

HDIRS' Privacy Notice

Hospital Diagnostic Imaging Repository Services (HDIRS) is one of three regional diagnostic imaging repositories (DIRs) in Ontario that enable hospitals and independent health facilities (e.g., diagnostic imaging facilities) to share your personal health information (PHI) to support diagnosis, treatment, and care.

HDIRS is a health information network provider (HINP), a type of service provider under Ontario’s Personal Health Information Protection Act (PHIPA) regulations, O. Reg. 329/04. As a HINP, HDIRS works on behalf of connected hospitals and independent health facilities to make your diagnostic images (e.g., X-rays, MRIs, CT scans) and related reports available to one another. HDIRS services include:

  • Enabling hospitals to access your diagnostic imaging information from other hospitals and independent health facilities through the HDIRS DIR.
  • Safeguarding your PHI in the DIR.
  • Coordinating the secure transmission of your PHI in the HDIRS DIR between the hospitals and independent health facilities using the Ontario Health network and other third-party service providers vetted and closely monitored by HDIRS.

HDIRS also provides additional services to its member sites that support them with other important activities (e.g., peer review of radiologists) or help make your images in the DIR available to you through third-party technology (e.g., PocketHealth).

As a service provider, HDIRS has an enterprise-wide privacy program to support our compliance with the requirements of PHIPA and its regulations as well as our agreements with the member and client sites. We follow recognized standards in privacy and information management to safeguard your PHI more broadly. Below is a summary of our privacy program and practices for PHI.

Accountability for Privacy

The Chief Privacy and Security Officer (CPSO) is accountable for ensuring that HDIRS complies with its privacy obligations.

HDIRS’ Privacy Program

The CPSO has developed and implemented an enterprise-wide privacy program through which HDIRS has defined and meets its privacy obligations.

The foundation of this program is HDIRS’ privacy policy, which defines how HDIRS as a service provider to hospitals and diagnostic imaging clinics protects the privacy of people whose information is in the repository.

The CPSO has developed and implemented the following measures to support HDIRS in meeting the requirements of its privacy policy:

  • Privacy and information management procedures to ensure that HDIRS employees appropriately limit their access to and use, disclosure, and retention of your PHI for the purposes of providing and managing the DIR services.
  • Privacy training and awareness for all new employees, with refresher privacy training provided on a periodic basis.
  • Processes for identification and management of privacy risks.
  • Privacy review activities to confirm that HDIRS complies with its privacy requirements.


Getting your consent to collect, use, and disclose your diagnostic images and reports is the responsibility of the hospital or health facility that captures, accesses, and shares your diagnostic images in the DIR.

If you want to withdraw your consent for your images and related reports to be accessed or shared, you must contact the hospital or health facility that created your diagnostic images.



HDIRS has implemented information security safeguards to protect your PHI in the DIR from unauthorized collection, use, disclosure, and retention. Key safeguards include, but are not limited to:

  • Access controls on HDIRS information management systems (electronic and hard copy) to ensure that access to your PHI by employees and third-party service providers has been appropriately limited.
  • Data protection measures, including protection (e.g., encryption) of your PHI when transmitted between HDIRS, the hospitals, the independent health facilities, and third parties.
  • Network protections, including firewalls, intrusion detection and prevention measures, and anti-malware protections.

Your Privacy Rights

You must contact the healthcare provider that ordered or reviewed your diagnostic tests and results for the following privacy matters:

  • Request a copy of your information in the DIR.
  • Request access to information about how the hospitals or health facilities have been using, accessing, and sharing your information in the DIR.
  • Request a correction to your diagnostic image and/or report in the DIR.
  • Make a privacy inquiry or complaint about how the hospitals and health facilities are managing and ensuring the privacy of your information in the DIR.

If you contact HDIRS regarding any of the above, we will forward your request to the hospital or health facility that placed your information in the DIR.

Contacting the HDIRS CPSO

If you have a general inquiry or complaint about the service that we provide to hospitals and diagnostic imaging clinics or our privacy and security program, contact us.