Introduction
The Ocean Healthmap consists of listings that represent health service providers (HSPs) and health information custodians (HICs) as described under PHIPA law.
It is very important that the listings in the directory be accurate and up-to-date to prevent accidental or malicious leakage of personal health information to untrusted third parties by unwitting referrers to the listed services.
Consequently, safeguards must be in place to prevent individuals from masquerading as health service providers, so that referrers do not inadvertently send them their patient's personal health information. Policies should also exist to ensure listings have up-to-date contact information to prevent patient faxes and phone calls from sending to the wrong location.
Maintaining accurate and up-to-date information in a comprehensive health service directory is an ongoing challenge. To minimize the risks involved, OceanMD's policies are outlined below.
Prioritized Use of Official Sources
When possible, the directory listings in Ocean are directly pulled from "Official Sources", which contains a comprehensive list of physicians and other health service providers in the province. These registry services have their own well-developed and publicly-trusted mechanisms for validating listings.
Consequently, the information within these listings are transitively trusted by Ocean to be up-to-date and representative of a trustworthy real-world health information custodian. For example, the phone and fax numbers for physicians from the eHealth Ontario Provider Registry are presented in the directory as accurate information.
Information from these official sources is refreshed in Ocean on a regular basis to ensure the information remains up-to-date.
Official Sources as of May 2018:
Source | Governance | Synchronization Frequency |
---|---|---|
eHealth Ontario Provincial Provider Registry | Managed and vetted by eHealth Ontario | Daily |
Third Party HINPs Using Ocean
OceanMD also allows select not-for-profit organizations to act as their own Health Information Network Providers (HINPs). These organizations have their own policies for validating health information. An example of a HINP using Ocean is the CFFM Care Innovations organization based in the Waterloo Wellington LHIN in Ontario.
These third-party HINPs may validate and submit their own listings as a subset within the wider Ocean Health Service directory. OceanMD regularly reviews the policies of these HINPs as it pertains to Ocean and provides support to the HINPs to ensure they adhere to the company's own privacy policy.
Current 3rd Party HINPs as of May 2018:
Name |
---|
CFFM Care Innovations |
Listing Creation and Listing Claims
Listings representing Health Information Custodians (HICs) may be entered or updated in Ocean by either the HINP or the HIC itself:
- An authenticated user acting on behalf of an Ocean-affiliated HINP may manually enter a new health listing in Ocean under their own directory subset at any time. This process facilitates HINPs in creating their own comprehensive directory of trusted health services. When a HINP creates a listing, it assumes the responsibility for validating this listing using their own policies and procedures.
- Central Intake users, designated and validated as trustworthy by OceanMD, may manually enter a new health listing in Ocean, or update an unclaimed listing, at any time. The Central Intake user assumes the responsibility for validating this listing using their own policies and procedures. This will commonly be done at the time of transcribing inbound referrals, when importing and updating the referring provider’s information from the Healthmap.
- Alternatively, HICs may choose to independently create and claim their own listing within the OceanMD directory, or "claim" a listing as their own. These listings contain both identifying information and contact information for the HIC. Since these individuals in this circumstance are not yet validated by a HINP as trustworthy, the listing is flagged as such in the directory to warn referrers of a potential privacy breach if personal information were to be sent. HINPs may proceed to validate these claimed listings, after which the warning is removed and replaced with an appropriate indicator of the HINP's approval.
OceanMD's Listing Validation When Acting as HINP
In circumstances where OceanMD is acting as the HINP, the company directly assumes the responsibility of validating listings.
OceanMD's steps for validating listings are as follows:
- Listings that are flagged as requiring validation are reviewed on a daily basis by a designated HINP administrator.
- For each listing requiring validation:
- The administrator reviews the listing for any obvious initial inaccuracies or inappropriate information.
- In the event that the listing is considered unreliable or deemed to be "spam", it is deleted immediately.
- If the listing is felt to belong to another HINP, such as a regionally-funded program, the HINP's support representative is contacted and instructed to apply to the alternate HINP instead of OceanMD.
- An Internet search is also performed with two separate services (e.g. Google and Microsoft's Bing) to locate any publicly-accessible information regarding the listing to ensure consistency with the claimed information.
- If a website is found that aligns with the listing, it should be cross-referenced for consistency with the listing's information.
- The listing's contact information, including the phone, fax, website and email, is cross-listed with an official source. Official sources include:
- The official health profession's directory, e.g. CPSO for Ontario physicians
- An official regional directory for social services (such as centralhealthline.ca)
- An established vendor partner, such as TELUS, QHR, or WELL, who can vouch for the claim
- If an official source is not available: the validation must be escalated to management and/or the privacy officer to consider alternative means of validation as a special case, being mindful of the risk of a social engineering attack.
-
If the information passes this initial screening test, the administrator calls the phone number provided on the official source. During the phone call, the administrator identifies OceanMD and explains the purpose of the call, then proceeds to clearly enumerate all of the listing's information as submitted to confirm accuracy.
The administrator confirms with the clinic representative which user is claiming this listing and which Ocean site. To avoid affirmative miscommunication, the administrator shall confirm that the clinic representative is independently aware that the listing is being claimed by this particular Ocean user at this particular Ocean site.
-
- Up to two voicemails are left on separate days.
-
- If 7 days pass without the administrator successfully manually confirming the accuracy of this information, the listing is deleted.
- If the listing however is successfully confirmed, the validation is completed by the administrator and tagged in the directory accordingly. The time, date, administrator that approved the listing, and validation steps taken by the administrator are logged.
Reporting and Correction of Invalid or Out-of-Date Listing Information
All individuals interacting with Ocean should flag and report health service listings found to contain inaccurate information in a timely manner. Any user of the directory can quickly and easily alert OceanMD of the concern by clicking on a hyperlink contextually located next to the listing's information.
Once a listing has been flagged as potentially inaccurate, the listing is flagged for all users along with the user's suggested correction. OceanMD manually reviews such reports on a daily basis. In the event that a listing is managed by a separate HINP, OceanMD notifies the HINP of these reports so that the HINP may take appropriate action. If not, OceanMD follows the same validation steps as those used by initial listing validation to ensure the new information is accurate.