Ocean's health service directory helps providers locate other health service providers who can provide services for their patients.
Each provider has a corresponding listing in the health service directory (OceanHealthMap.ca) that lists the provider's contact information, along with various options for inter-provider communication.
The primary channels of communication used by these providers include the following mediums:
- Physical Address
- Secure electronic communication using Ocean (for eReferrals, eConsults, Website Forms etc.)
Since the communication between providers typically involves the exchange of a patient's personal health information (PHI) for the purpose of providing care, from a privacy perspective, it is crucial that these listings provide accurate contact information and a secure means of communication.
As an electronic service provider, CognisantMD follows a number of strategies to ensure the integrity of listings in Ocean's health service directory.
Health Information Network Providers (HINPs) may assist in the validation and maintenance of listings under their jurisdiction. HINPs are encouraged to use the following strategies, along with their own best practices, to protect patient privacy.
Validating Basic Listing Contact Information
As a HINP facilitating this communication for a specific set of providers using Ocean, you are assuming responsibility to reasonably ensure that the providers in the directory have accurate, up-to-date, contact information.
It is very important to keep the listings' information current. Otherwise, providers may use incorrect or outdated information for sending personal health information (PHI), such as an old fax number used for a patient referral, potentially leading to a privacy breach.
Your HINP must develop and implement a dedicated and ongoing process to safely maintain the accuracy and currency of this contact information. For tips on developing this process, please see this article:
When the listing contact information is validated successfully, it may be used as a reasonably reliable reference for traditional means of communication (phone, fax, mail etc.).
However, the endorsement to use listings for electronic communication (such as eReferral), entails some additional privacy considerations. Additional steps are required for completely validating providers who provide these electronic services.
Validating Listings for Receiving Electronic Communication Using Ocean
Prior to permitting providers to participate in the secure exchange of PHI using Ocean, it is important for the HINP to ensure that these providers not only have up-to-date contact information in the listing, but that it also:
- Ensures that the providers are truly represented in the real world by the Ocean user accounts and the Ocean site that they are claiming acts on behalf of in the listing (through the process of identity validation)
- Ensures that these providers have provided informed consent to participate as care providers within the Ocean network, along with the commitment to process electronic communications sent through Ocean in a safe, secure, and timely manner. This consent is typically provided with a signed HINP-specific participant agreement.
1. Identity Validation
It is important to be aware that any malicious user on the Internet could attempt to sign up for an Ocean account and impersonate a real-world healthcare provider by claiming a listing in the directory. Unlike a public phone, a published fax number or a physical mailing address, this user could directly receive personal health information (for example, in the form of an eReferral sent by an unwitting referrer), unless appropriate safeguards are in place.
This initial sign-up and claiming process is permitted by Ocean (for the sake of ease-of-use when onboarding on new clinicians), despite the possibility of an illegitimate claimant. To alert referrers and other healthcare providers to this risk, these listings are considered "unvalidated" and are marked with a warning in the directory:
A HINP is able to validate that the user's listing claim is legitimate. To be confident in this validation step, at a minimum, the HINP must first:
- Speak with an individual in person or on the phone and verified their recent intent to claim this listing in Ocean.
- Have objective evidence that this individual has the authority to act on behalf of the clinic (e.g., by calling them using the clinic's public phone number)
- Validate the listing's contact information using an external source such as a public Internet page or the CPSO directory (in the aforementioned article)
- Ensure that the Ocean username and the Ocean site claiming this listing within Ocean matches this individual's information as it was conveyed outside of Ocean (i.e., to ensure it matches the same information that was conveyed over the phone or in-person).
2. Provider Consent and Commitment
Prior to validating a listing claim, the HINP should have a standard agreement in place with the provider. The agreement should include, at a minimum:
- Roles and responsibilities of the provider acting as an Ocean message recipient.
- A review of how the services may affect the privacy of the individuals who are subject of the information (e.g., a Privacy Impact Assessment).
- An agreement to comply with the restrictions and conditions in accordance with PIPEDA and/or local provincial privacy law.
- A review of their responsibility to monitor for Ocean messages and respond to these messages in a reasonably timely manner (similar to the standard of care for specialists with regard to responding to faxed referrals within mandated deadlines)
If the above criteria are met in accordance with your own organization's policy (as determined by your privacy officer), you may proceed to validate the listing's claim.
Validating Listing Claims in Ocean for Electronic Communication
Once the above requirements have been reviewed and approved, a representative of the HINP may proceed to validate the listing (once the representative's Ocean user account has been granted this privilege by CognisantMD).
To validate the listing, go to the Ocean site managing the listing, update the relevant information, and click Save Changes. If the listing has not already been validated to receive eReferrals, you will see a prompt asking you to verify that the site is valid (along with a link to this article). Once you confirm, the listing will be considered valid and the warning shown in the Ocean health map will no longer be visible.