How should my HINP validate that a health service directory listing can safely receive secure electronic messages sent by other providers?

Note: This article provides advice for HINPs as they validate sites and directory listings in Ocean. It is awaiting feedback from privacy officers at our partner organizations. Please review this information with your organization's privacy officer before following any advice in this article and contact CognisantMD with any unresolved privacy-related questions.

Ocean's health service directory helps providers locate other health service providers who can provide services for their patients.

Each provider has a corresponding listing in the health service directory (OceanHealthMap.ca) that lists the provider's contact information, along with various options for inter-provider communication.

The primary channels of communication used by these providers include the following:

  • Phone
  • Fax
  • Physical Address
  • Email
  • Secure electronic communication using Ocean (for eReferrals, eConsults, Website Forms and so on)

Since the communication between providers usually involves the exchange of a patient's personal health information (PHI) for the purpose of providing care, it is crucial from a privacy perspective that these listings provide accurate contact information and a secure means of communication.

As an electronic service provider, CognisantMD follows a number of strategies to ensure the integrity of listings in Ocean's health service directory.

Health Information Network Providers (HINPs) may assist in the validation and maintenance of listings under their jurisdiction. HINPs are encouraged to use the following strategies, along with their own best practices, to protect patient privacy.

Validating Basic Listing Contact Information

As a HINP facilitating this communication for a specific set of providers using Ocean, you are assuming some responsibility to ensure your providers in the directory have correct, up-to-date contact information.

It is very important to keep the listings' information up-to-date. Otherwise, providers may use incorrect or outdated information for sending personal health information, such as an old fax number used for a patient referral, potentially leading to a privacy breach.

Your HINP must develop and implement a dedicated and ongoing process to safely maintain this contact information. For tips on developing this process, please see this article:

How does CognisantMD validate health service directory listings as legitimate healthcare providers?

When the listing contact information is validated successfully, it may be used as a reasonably safe reference for traditional means of communication (phone, fax, mail, etc.).

However, the endorsement to use listings for electronic communication (such as eReferral) entails some additional privacy considerations. Additional steps are required to completely validate providers who provide these electronic services.

Validating Listings for Receiving Electronic Communication Using Ocean

Prior to permitting providers to participate in the secure exchange of personal health information using Ocean, it is important for your HINP not only to ensure that these providers have up-to-date contact information in the listing, but also to:

  1. Ensure that the providers are truly represented in the real world by the Ocean user accounts and the Ocean site that are claiming to act on behalf of the listing (through the process of identity validation).
  2. Ensure that these providers have provided informed consent to participate as care providers within the Ocean network, along with the commitment to process electronic communications sent through Ocean in a safe, secure and timely manner. This consent is typically provided with a signed HINP-specific participant agreement.

1. Identity Validation

It is important to be aware that any malicious user on the Internet could attempt to sign up for an Ocean account and impersonate a real-world healthcare provider by claiming a listing in the directory. Unlike a public phone, a published fax number or a physical mailing address, this user could directly receive personal health information (for example, in the form of an eReferral sent by an unwitting referrer), unless appropriate safeguards are in place.

For pragmatic reasons related to clinician onboarding, this initial sign-up and claiming process is permitted by Ocean, despite the possibility of an illegitimate claimant. To alert referrers and other healthcare providers to this risk, these listings are considered "unvalidated" and are marked with a warning in the directory.

As a HINP, you are able to validate that the user's listing claim is legitimate. To be confident in this validation step, at a minimum:

  • You must have spoken with an individual in person or on the phone and verified their recent intent to claim this listing in Ocean.
  • You must have objective evidence that this individual has the authority to act on behalf of the clinic (e.g., by calling them using the clinic's public phone number).
  • You must have validated the listing's contact information using an external source such as a public Internet page or the CPSO directory (as described in the aforementioned article).
  • You must ensure that the Ocean username and the Ocean site claiming this listing match this individual's out-of-band communication of this same information.

2. Provider Consent and Commitment

Prior to validating a listing claim, your HINP should have a standard agreement in place with the provider. The agreement should include, at a minimum:

  • Roles and responsibilities of the provider acting as an Ocean message recipient.
  • A review of how the services may affect the privacy of the individuals who are the subject of the information (e.g., a PIA).
  • An agreement to comply with the restrictions and conditions in accordance with PIPEDA and/or local provincial privacy law.
  • A review of their responsibility to monitor for Ocean messages and respond to these messages in a reasonably timely manner (similar to the standard of care for specialists with regard to responding to faxed referrals within mandated deadlines).

If the above criteria are met in accordance with your own organization's policy (as determined by your privacy officer), you may proceed to validate the listing's claim.

Validating Listing Claims in Ocean for Electronic Communication

Once the above requirements have been reviewed and approved, as a specially-designated HINP-representative Ocean user, you may proceed to validate the listing as a directory administrator.

To validate the listing, go to the Ocean site managing the listing, update the relevant information, and click Save Changes. If the listing has not already been validated to receive eReferrals, you will see a prompt asking you to verify that the site is valid (along with a link to this article). Once you confirm, the listing will be considered validated and the warning shown in the Ocean health map will no longer be visible.
