Share this page:

Certification FAQs

Q.: Why should I certify my product?

A.: Possessing the Canada Health Infoway Mark of Conformity communicates to the market that your product has been independently assessed for its conformity to privacy and security standards and other optional certification modules such as those for interoperability, that have been derived from international and national normative documents. Vendors may also find that buyers will approach the market with a requirement to procure Infoway certified digital health solutions.

↑ back to top

Q.: Where can I find Infoway’s certification requirements?

A.: Infoway’s certification requirements are available by request. Please contact Certification Services.

↑ back to top

Q.: Why is the 2017 Edition being released?

A.: The 2017 Edition builds on the original set of criteria and harmonizes privacy and security certification requirements across Canada. Its development was undertaken over the past year with involvement from the vendor community, ITAC Health, jurisdictional Ministries of Health and eHealth agencies. This should help to reduce the cost and effort of testing digital health solutions for all stakeholders.

↑ back to top

Q.: What is different in 2017 Edition compared to the original criteria?

A.: Products will now be tested against a maximum of 108 requirements. Fifty-two new requirements have been added to 56 of the original criteria. The 2017 Edition has been expanded to reflect current standards for information security management and privacy of personal health information in addition to aligning with jurisdictional requirements. Infoway’s certification requirements are available by request. Please contact Certification Services.

↑ back to top

Q.: Will Infoway continue to certify solutions against national interoperability standards?

A.: Yes. Infoway’s interoperability certification requirements will continue to be offered to the marketplace enabling vendors to demonstrate their solution’s ability to meet functional specifications. Certifying for interoperability is optional and at an additional cost. Please contact Certification Services for more information.

↑ back to top

Q.: When will the 2017 Edition come into effect?

A.: Beginning February 2017, the new privacy and security certification requirements will be available for use. At this same time, the original criteria will no longer be offered for use by new clients.

↑ back to top

Q.: My product is currently engaged in Infoway’s certification review using the original requirement set.  How does the new release affect my product?

A.: Unless you choose to have your product tested for conformity the 2017 Edition, the certification process will continue to its conclusion using the original criteria set.

↑ back to top

Q.: My product is currently certified by Infoway.  How does the introduction of a new set of privacy and security certification criteria impact my product?

A.: Over time, all products will need to conform to the 2017 Edition of privacy and security requirements. However, you can choose to renew your product certification a maximum of two times under the original criteria set. Or, you can choose to test your product for conformity to the 2017 Edition. 

We will work with you to discuss your options and plan for the timing of the 2017 Edition certification for your product. Please contact Certification Services for more information.

↑ back to top

Q.: If my product is already certified by Infoway, will it automatically be certified under the 2017 Edition?

A.: No. The privacy and security criteria have changed – new requirements have been added. As such, conformity will need to be demonstrated to those new requirements.

However, products that have maintained their original Infoway certification will only be required to perform a gap assessment (i.e., demonstrate conformity to the new requirements that have been added to create the 2017 Edition).

↑ back to top

Q.: If I certify my product under the new requirements when does certification term expire?

A.: A solution certified under the 2017 Edition criteria will not expire unless 1) Infoway introduces a new version of requirements (e.g. 2020 Edition) or 2) product’s functionality that is within the scope of the certification requirements has been modified and product changes require assessment. Certification renewal and recertification processes have been eliminated.

↑ back to top

Q.: What is the cost to certify my product?

A.: The cost of certification depends on the product type. However, typically costs are in the range of $20,000 to $30,000. If a product has already been certified by Infoway, and it has maintained its certification status, then a reduced fee will be charged for 2017 Edition certification.

↑ back to top

Q.: How can I assess my product's ability to meet Infoway's certification requirements before formally committing to the application process?

A.: All of the requirements against which your product will be assessed are available for review prior to any commitments being required. Infoway will provide guidance to help you understand the requirements and respond to any of your questions.

↑ back to top

Q.: Which Canadian and International standards are used to inform the certification criteria?

A.: The standards used in the Certification Service include:

  • Privacy: Canada Health Infoway Electronic Health Record Infostructure (EHRi) Privacy & Security Conceptual Architecture; Government of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA); The Canadian Standards Association's Model Code for the Protection of Personal Information (CAN-CSA-Q830-03).ISO 29100: 2011 - Information technology — Security techniques — Privacy framework
  • Security: Canada Health Infoway Electronic Health Record Infostructure (EHRi) Privacy & Security Conceptual Architecture; ISO 17799:2005 - Code of Practice for Information Security Management - ; ISO 27001:2013 - Information Security Management Systems Requirements; ISO 27002:2013 - Code of Practice for Information Security Management; ISO 27005:2011 – Information security risk management; ISO 27018:2014 - Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors: ISO 27789: 2013 – Health Informatics – Audit Trail for EHR; ISO 27799:2008 - Information Security Management In Health.
  • Management: The Canadian Standards Association's Risk Management: Guideline for Decision Makers - CAN-CSA-Q850-97; The Information Systems Audit and Control Association's Control Objectives for Information and Related Technology (COBIT); The Information Technology Infrastructure Library (ITIL).
  • Interoperability: Health Level Seven International's - HL7v3, HL7v2, HL7 Clinical Document Architecture, Release 2, Canada Health Infoway pan-Canadian Standards and Conformance Profile Definitions for laboratory, drug, clinical reports, and demographic information.

↑ back to top

Q.: What do I have to submit and demonstrate to gain Infoway pre-implementation certification?

A.: The assessment consists of two parts:

  • Document Review: an expert review of your self-assessment, attestation and supporting documentation.
  • Demonstration: You must use scripted test scenarios (and test data) to demonstrate your product to the assessment team in a non-production environment. This is typically done via a web conference.

↑ back to top

Q.: Does Infoway publish the names of vendors that are going through the certification process?

A.: Names of products and/or vendors are not published or otherwise made available by Infoway at any time during the process. The Infoway assessment team is bound by strict non-disclosure agreements. In the case of pre-implementation certification for electronic medical records (EMR), vendors whose product is eligible for physician office system funding should anticipate that an application for certification will be shared with necessary jurisdiction representatives. Once a product has been certified, it is listed on Infoway's website.

↑ back to top

Q.: What happens if my product does not meet Infoway certification?

A.: You may make changes to address the non-conformant areas and re-initiate the process. You are also entitled to challenge the decision, which will initiate a formal review.

↑ back to top

Q.: How do I market my certified product?

A.: All certified products receive a Mark of Conformity which bears the Infoway logo. You can use this mark in your marketing and promotional material as long as certification is maintained.

↑ back to top

Q.: What is involved in maintaining my health information technology solutions certification?

A.: To maintain your certification, you are required to notify Infoway of adverse events as well as any product changes that may affect compliance to assessment criteria.

↑ back to top

Q.: How does Infoway pre-implementation certification relate to other licenses and evaluations?

A.:  Infoway's pre-implementation certification service complements other regulatory and procurement processes such as licensing by Health Canada's Medical Devices Bureau and conformance testing by the provincial and territorial physician office system programs. Infoway coordinates its certification activities with other organizations to provide a seamless process to reduce the number of times a vendor is required to demonstrate its product.

↑ back to top

For more information about Certification Services, please contact Infoway Certification Services.

To request a copy of certification criteria, please click here.


infoway logo

Digital Health Working for You.


Transforming health care in Canada through health information technology.

Contact Us

General Inquiries

T: (416) 979-4606
Toll Free: 1-888-733-6462

Media Inquiries

T: (416) 595-3167
Toll Free: 1-888-733-6462