Virtual Visits Requirements For Small Practices
Microsoft has published a 14-item configuration guide for Ontario practices that want to run virtual visits through Microsoft Teams and Bookings, covering how to meet Ontario Health’s Virtual Visits Verification requirements. If you are looking at this document and need help making sense of it for your small practice on Ontario, this post is for you.
The short version: if you are a clinic with fewer than 300 staff running Microsoft 365 Business Premium, most of those 14 requirements are already met by the licensing you have. A handful need deliberate configuration. A few are billing workflow questions that belong with your EMR vendor, not your IT team.
Here is how to think through it clearly.
First, an important update: the Virtual Appointments app is gone.
If your practice previously used the Virtual Appointments app inside Microsoft Teams, that app is no longer available. Microsoft has transitioned virtual visit scheduling to Microsoft Bookings, which is included in Microsoft 365 Business Premium licensing. The core functionality carries over, and for most small to mid-sized practices, Bookings handles everything needed for virtual visit scheduling, including patient-facing booking pages, calendar coordination, and Teams meeting links generated automatically per appointment.
For advanced features like SMS appointment reminders and a scheduled appointment queue, Microsoft requires a Teams Premium license as an add-on. Whether you need those features depends on your clinic’s workflow, not on Ontario Health requirements.
What your Business Premium license already covers.
Microsoft’s configuration guide lists 14 requirements, and when you read through it carefully alongside what Microsoft 365 Business Premium actually provides, most of them resolve without additional cost or configuration work. Business Premium covers clinical record keeping and data extraction requirements, electronic audit trails, retention support at the license level, secure calendar export through Outlook and Teams, audio-only meeting capability, iCal import, and secure messaging between clinical users.
The unified audit log, which records access and activity across your Microsoft 365 environment, is active by default on Business Premium. Worth verifying that it is on, but it does not require separate setup for most practices.
This matters because the Microsoft document, by necessity, has to account for practices running enterprise-level licensing like Microsoft 365 E3 or E5. When you see references to E5 Compliance licenses for enhanced record keeping, or Azure Sentinel for advanced audit services, those are upgrade paths available to larger health systems, not necessarily requirements your clinic has to meet.
If your practice has under 300 staff and you are running Business Premium, you are almost certainly already covered for the vast majority of what Ontario Health requires.
What actually needs to be set up.
Two things require deliberate configuration.
The first is your Bookings calendar. This does not set itself up. Someone needs to create the calendar, configure the service types, set staff availability, and establish the patient-facing booking page. This is straightforward work, but it takes time and attention to get right. The clinic owner or practice manager will typically own ongoing management of the calendar once it is built.
The second is confirming your Teams meeting policies allow audio-only join. Most default Teams configurations do allow this, but it is worth a quick verification rather than assuming.
Beyond those two, properly configuring Microsoft Intune, conditional access policies, and identity management through Entra ID is foundational to the security posture that underpins everything else. A clinic handling patient health information needs more than a licensed Microsoft tenant. It needs the tenant properly secured. Conditional access policies that enforce device compliance and location verification are what protect patient data in practice, not just on paper. For practices that also want to control how sensitive patient information moves across SharePoint, Teams, and email, Microsoft Purview Information Protection provides the classification and data loss prevention tools to do that. We cover how that works in detail here: https://tucu.ca/protecting-sensitive-data-in-microsoft-365-with-purview/
These are not Ontario Health Virtual Visits Verification requirements specifically. They are the baseline for any healthcare practice running Microsoft 365, and they are the kind of configuration that requires a technician who knows what they are doing, not a checkbox exercise.
Two decisions you need to make before you can scope the rest.
Some items in the Virtual Visits Verification requirements cannot be configured until your practice makes a decision about what you actually want.
Retention policies are the first decision.
Business Premium meets the license requirement, but the actual retention durations need to match your PHIPA and CPSO record-keeping obligations. For adult patient records, CPSO policy requires a minimum of ten years from the date of the last entry. That duration has to be explicitly configured in your Microsoft 365 compliance settings. It is not set automatically, and the default Microsoft behavior will not meet PHIPA requirements out of the box.
If you want more background on how Microsoft 365 maps to Canadian privacy law before making those decisions, this is a useful starting point: https://tucu.ca/is-microsoft-365-pipeda-compliant/. The shared responsibility model it describes applies equally to PHIPA-governed health information.
If your clinic has not yet decided on retention schedules, the configuration needs to wait until it has, then gets scoped as a follow-on once the main setup lands.
Clinician-to-patient messaging between visits is the second decision.
Microsoft Bookings handles in-visit chat during a scheduled appointment natively. If your physicians also want patients to be able to message them through Teams outside of scheduled visits, that is a different conversation. It involves different configuration paths, different risk considerations under PHIPA, and different clinical workflows.
It is not a small addition to a Bookings setup. If your practice wants to offer that capability, it should be scoped separately once you have decided on the workflow.
What is not an IT configuration question.
Three items in the document are regularly confused for IT work when they are not. The following are billing workflow integrations, not IT configurations.
- Identifying virtual visits eligible for OHIP claims submission
- Automated OHIP number verification
- Unique video visit exports for billing reporting
Microsoft’s documentation points practices to fee-for-service Microsoft Partners for this work, and for good reason. These involve your electronic medical record system, your billing workflows, and OHIP-specific data requirements.
Most practices in Ontario handle billing identification through the EMR rather than a custom Teams export. If you are opening a new practice and your EMR vendor has not yet addressed how virtual visits will be flagged for billing, that conversation needs to happen with them before scoping any custom Teams work.
How this actually comes together for a new clinic.
When we set up Teams and Bookings for a new medical practice in Ontario, the project typically covers the Bookings calendar build and configuration, license verification, audit log confirmation, Teams meeting policy review, Intune device management for all staff devices, conditional access setup, and Entra ID identity management. The security and identity work is not an Ontario Health requirement per se. It is what a healthcare practice needs in order to actually protect patient health information in a cloud environment, and it belongs in the same engagement rather than being treated as a separate project.
The requirements that need decisions from the clinic, retention policies and patient messaging, get documented and scoped as follow-on work once the practice is up and running and the clinical team has had time to work through those choices.
It is a more manageable project than the virtual visits configuration document makes it look. The document has to account for every Ontario Health practice at every scale, from a solo family physician to a large hospital system. When you are a smaller practice on Business Premium, most of the complexity in that document simply does not apply to you.
A note on security for healthcare practices.
There is sometimes an assumption that because a practice is small, it is not a meaningful target for a security incident. Healthcare is consistently among the most targeted sectors for ransomware and credential-based attacks, and Ontario practices are not exempt from that reality. Often, these types of incidents do not happen because the practice lacked some advanced enterprise tool. They happen because the foundational controls, conditional access, endpoint management, identity verification, were not in place.
Running Microsoft 365 without those controls configured is not the same as running a properly secured Microsoft 365 environment, even if the licensing is current. A new clinic is in a good position to do this right from day one rather than retrofitting it later, which can be far more costly.
What to do next.
If you are in need of IT support for a medical practice in Toronto or Durham Region, that understands the clinical environment, you can see how we work with healthcare providers here:
If your clinic is in the process of setting up for virtual visits and you want clarity on where you actually stand against the virtual visit requirements, or your IT compliance management in Micrososft 365, a discovery conversation is the right starting point. We can review your current Microsoft 365 environment, identify what is already in place, scope the configuration work that is outstanding, and separate out the billing and clinical workflow decisions that need to come from the practice.
You should not need to read a 14-item technical document and figure this out on your own. That is exactly the kind of work we are here to handle.
Schedule a consultation with our team at tucu.ca or call us at (416) 292-3300.
