How does Ocean keep PHI secure in email?

Ocean uses email to alert patients about new Ocean forms, messages and automated referral notifications.  In order to protect personal health information, Ocean takes a few precautions.

Patient Messages 

When a patient receives a patient message, they are provided a link that takes them to a secure site to view their messages, attachments, and any Ocean forms. Before accessing the full content of the message, the patient is required to enter one or more security validators as selected by the sender. These can include:

  • a password (given to the patient in advance)
  • the patient’s birthdate (pre-populated using data from your EMR)
  • the patient’s health number (pre-populated from your EMR)
  • the patient’s chart ID number in your EMR (pre-populated from your EMR)

By default, Ocean uses the patient’s birthdate as a minimum requirement to access a patient message.

Ocean eReferral Notifications

In Ocean eReferral notifications, the following precautions are taken:

  • The email address used is either the one explicitly entered in the Send Referral dialog or the one on the EMR file;
  • The referrer must confirm that the patient has provided informed consent for email prior to sending the referral; if the patient feels no consent was given, this issue should be discussed with the health information custodian (the referring clinician);
  • The email gives no access to the referral information or personal health information beyond its basic content: patient's first name, referral health service offering, appointment date, time, and location;
  • The email only provides a link for the patient to confirm (and possibly cancel in the future), not a link to the actual referral with the personal health information.

