“Based on our evaluation, implementing HIPAAT’s consent management solution for our Electronic Patient Record would enable us to meet our consent management obligations, without unduly impacting clinical workflow.

We've found no other software solution that provides the kind of privacy functionality that this product delivers to an electronic health record.”

- Jeff Curtis, Privacy Office Coordinator
Sunnybrook Health Sciences Centre

In many jurisdictions, health privacy legislation enables patients to restrict access to their personal health information (PHI). As a result, care delivery organizations must be able to implement patient privacy directives, controlling the use and disclosure of patient information in an increasingly electronic environment.

Sunnybrook Health Sciences Centre in Toronto, Ontario recently tested HIPAAT’s solution to these challenges during a technical and administrative review of HIPAAT's consent management software.

Snapshot of the Evaluation


To integrate HIPAAT’s consent management software with Sunnybrook’s Electronic Patient Record (EPR) to determine its degree of interoperability, functionality and potential impact to clinical workflow.


HIPAAT's Software

The solution includes:

Privacy eSuite
The server (service-oriented architecture) where consent directives are created, recorded and validated

Privacy Manager
Point-of-service software that enforces consent directives

Universal Audit Repository
Stand-alone central repository of IHE-ATNA audit events

The Process


Integrate HIPAAT’s software with Sunnybrook’s EPR


Perform technical analysis and testing to operate with and without single sign-on (SSO) and context management


Conduct usability testing (without SSO or context management) with a range of clinical staff and obtain feedback


User Feedback

The user experience was positive. Clinicians appreciated the software's simplicity and ease of use.

“…no impact to workflow.”
- patient care manager

"I see no barrier to acceptance of the 'lock box' software in my unit."

- nurse practitioner

“This is good - it puts patients in control of their privacy.”
- nurse involved with quality and patient safety



Integrating HIPAAT's consent management solution into the Sunnybrook environment would allow them to:

implement and enforce privacy consent directives in the EPR

control access to PHI at various levels of record granularity

notify users of the presence of a consent directive prior to accessing locked/restricted information

permit users to access unrestricted information without having to override a lock

access restricted PHI using 'emergency override'

audit access to locked PHI within the EPR

receive immediate notification of record access via email alerts to the privacy officer



Sunnybrook’s Privacy Office was pleased with the functionality and administrative convenience of the HIPAAT consent management solution for managing patient consent within its Electronic Health Record (EHR).

HIPAAT's solution demonstrated best practice methods for EHR consent management

HIPAAT’s software combines flexibility of implementation with ease of use for both administrators and users


Release date: December 6, 2007

Transforming health care through the dedication of its more than 11,000 staff, physicians, volunteers and students, Sunnybrook Health Sciences Centre is committed to discovering new treatments, ensuring the health and safety of our patients, and teaching current and future healthcare leaders. Our commitment to women's health and the care of veterans continues to be a priority for us and we have defined strategic programs in cancer, cardiovascular, neurosciences, musculoskeletal, perinatal & gynaecology, trauma and critical care and aging and population health. These programs are leaders in their field and are helping us achieve our vision of transforming healthcare. Sunnybrook Health Sciences Centre is fully affiliated with the University of Toronto.

HIPAAT provides patient-centric consent management solutions to the healthcare industry. Our interoperable, scalable web services approach – with software that aggregates patient privacy directives and organizational / jurisdictional policies – enables privacy-sensitive access control to PHI across healthcare organizations and regions.