What are the privacy impacts of patient emails?

Providers can send out emails to patients through Ocean's Secure Online messaging platform, or have automated referral notifications sent out through the Ocean eReferral Network. In order to protect personal health information in the emails between the clinicians using Ocean and the patients who are receiving online messages or referral status updates, Ocean takes a few precautions.

For Online Messages, the patient must enter one or more pieces of security information before they can access the secure message and form(s). This information can be any of the following:

  • a password (given to the patient in advance)
  • the patient’s birthdate (pre-populated using data from your EMR)
  • the patient’s health number (pre-populated from your EMR)
  • the patient’s chart ID number in your EMR (pre-populated from your EMR)

If you do not select any option, Ocean will default to using the patient’s birthdate as a minimum requirement.

In Ocean eReferrals, the following precautions are taken:

  • the email address used is either one explicitly entered in the Send Referral dialog or the one on the patient's EMR file
  • the referrer must confirm that the patient has provided informed consent for email prior to sending the referral; if the patient feels no consent was given, this issue should be discussed with the health information custodian (the referring clinician)
  • access to the referral information and personal health information is not available with the email beyond its basic content: patient's first name, referral health service offering, appointment date, time, and location
  • the email only provides a link for the patient to confirm (and possibly cancel in the future), not a link to the actual referral with the personal health information


How do I protect the privacy of my site's shared encryption key?

The shared encryption key is used by Ocean to encrypt a patient's personal health information (PHI) prior to leaving the circle of care. Beyond the standard strong security precautions implemented by Ocean, the privacy of the shared encryption key effectively prevents third parties (including CognisantMD) from eavesdropping on patient information. Without the shared encryption key, the patient's data cannot be decrypted and consequently cannot be viewed.

As a result (in the spirit of PIPEDA / PHIPA and our privacy policy), it is important for health information custodians (HICs) to take precautions to ensure the shared encryption key and its associated password remain private.

These precautions can unfortunately make it more difficult for clinicians to locate the shared encryption key when it is needed for legitimate clinical purposes. Losing the shared encryption key completely is a very unfortunate situation, because it prevents health service providers from viewing potentially important clinical information about patients in Ocean. For tips on recovering your site's shared encryption key, please refer to: "Recovering a Lost / Forgotten Shared Encryption Key".

General Precautions for Protecting the Shared Encryption Key

Ocean provides some automated mechanisms to protect the privacy of the shared encryption key:

  • The shared encryption key is never sent across the network.
  • All requested viewings of the shared encryption key password in the Ocean Portal are logged.
  • The shared encryption key cannot be viewed in an electronic medical record without prior authorization as a clinical administrator.
    • e.g. in PS Suite, the user is prompted to enter their Ocean username and password and is subsequently validated as an Ocean site administrator prior to the key's presentation

Best Practices for Clinical Administrators

  • Follow standard "strong password" security guidelines when choosing a shared encryption key.
  • Keep the "hint" for your shared encryption key sufficiently vague such that a hacker could not easily use it to guess the key, find the key's physical location, or use social engineering to obtain it.
  • Do not write down the shared encryption key in a public location (especially not on a whiteboard or a yellow sticky next to the computer!)
  • Do not choose a hint that is merely a shortened or transformed version of the actual shared encryption key (e.g. using "P@ssw0rd" to describe password).
  • Do not enter the shared encryption key in browsers on publicly-accessible terminals.
  • Do not email the shared encryption key.
  • Do not store the shared encryption key on an external drive or cloud server without appropriate privacy and security protocols to restrict access.
  • If you print the shared encryption key, keep a known, limited number of copies of the printout and store them in a secure, locked location.
  • Do not re-use a personal password for the key.
  • Do not re-use a clinic-wide password for the key.
  • Do not re-use a shared encryption key used at any other clinic.
  • Have a process to periodically change the key within a set timeframe.
  • Consider using a trusted secure password manager such as LastPass or 1Password to store the shared encryption key.


What personal health information (PHI) is stored in Ocean?

All personal health information is encrypted prior to storage within Ocean using an encryption password known only to the patient's care providers (not Ocean / CognisantMD). This "client-side encryption" goes beyond the protections provided even by the banking industry, since it ensures that even system administrators and third parties cannot view it.

The Ocean kiosks, tablets, questionnaires, secure messages and referrals require the use of personal health information in order to provide a functional and convenient user interface for their users.

Use Cases Requiring Personal Health Information

  • Reviewing contact information on a kiosk or tablet
  • Automatically triggering questionnaires to display based on patient-specific clinical criteria (such as a flu shot that only shows for patients over 18 who have not yet had one)
  • Pre-populating questionnaire and referral forms with lab values and health indicators
  • Storing and uploading questionnaire answers into the electronic medical record
  • Obtaining email consent using a patient's current email address
  • Assisting with the collection of block fee payments
  • Displaying a patient's medication list for medication reconciliation
  • Sending and receiving textual clinical messages and attachments to the patient via a secure email link
  • Sending electronic referrals containing relevant clinical and contact information for patients and their providers

Field List

To successfully provide these use cases for Ocean users, Ocean must temporarily store the following fields in an encrypted format:

  • Electronic medical records ID
  • Source site / clinic
  • Demographics including birthdate, sex / gender, spoken language, associated comments
  • Patient's family doctor, clinic-specific doctor, and primary provider/clinician
  • Patient roster status
  • Clinic block fee payment status
  • Contact information including address, email, phone, emergency contact, email consent status, preferred pharmacy
  • Health number, health number province, health number version code, health number expiry date
  • Cumulative patient profile fields including health problems, past medical history, family health history, social history, allergies, active treatments, immunizations
  • Pertinent lab values: Cr, eGFR, Hb A1C, ACR, FBS, RBS, OGTT, TG, HDL, LDL, Chol:HDL, Ketones, Na, K, CO2
  • Vitals: Latest height, weight, blood pressure
  • Upcoming appointments: date, time, reason, type, location
  • Patient-specific Ocean form/questionnaire queue
  • For Ocean Online Messaging: Secure messages, associated attachments, and patient responses to questionnaires
  • For referrals: referral note, referral source and destination, requested health services, booking information, associated notification emails, associated clinical notes and attachments, associated messages

In accordance with our privacy policy and PHIPA / PIPEDA, even though the information is in an unidentifiable encrypted format, the personal health information is scrubbed from Ocean servers as soon as the associated use case(s) are considered complete.

For more information on CognisantMD's commitment to protecting privacy, please refer to: "How does CognisantMD adhere to the 10 Privacy Principles of PHIPA?".


How does CognisantMD validate referrers as legitimate health service providers (HSPs)?

Introduction

The Ocean eReferral Network provides a convenient and secure mechanism for health service providers to send electronic referrals containing personal health information for patients to trusted health information custodians, in accordance with PHIPA / PIPEDA privacy laws.

In this context, CognisantMD acts as an electronic service provider (ESP) that interacts with a designated health information network provider (HINP) to transfer the personal health information necessary for the referral.

It is important for the HINP to ensure that the referrers interacting with its network are legitimate health service providers (HSPs) with accurate, up-to-date contact information. Otherwise, the risk of unintentional disclosure of personal health information is increased during the natural back-and-forth communication regarding a referral.

Specific risk scenarios related to invalid referrers include:

  • Malicious users masquerading as real-world HSPs who send eReferrals in Ocean with false patient or referrer contact information.
  • Referrers with out-of-date contact information, including email addresses, phone, and fax numbers.

In the event that the referrer's contact information is faulty, there is a risk that the referral recipient may inadvertently disclose personal health information to an untrusted third party as part of the follow-up communication. For example, the recipient may call or fax back information to this third party indicating that the patient has "been seen here recently", presuming that the source is a valid HIC for the patient. This information disclosure would constitute a privacy breach of the patient's personal health information.

Responsibilities for the Receiving Health Information Custodian

It is important to keep in mind that the risks related to untrustworthy referrers are not unique to electronic referrals. In theory a malicious individual may masquerade as a referrer using a faxed referral to create the same risk scenario.

Consequently, referral recipients are responsible for taking the same reasonable precautions with electronic referrals as they do with faxed and phone referrals today. These precautions include adherence to simple procedures, such as the general avoidance of any personal health record disclosure without reasonable assurances that the referrer is trustworthy and is acting under the patient's consent. When these precautions are used, the risk of serious personal health information disclosures is relatively low.

HICs must formally commit to following these precautions prior to using Ocean by agreeing to Ocean's mandatory end-user license agreement (EULA).

Ocean Features that Facilitate the Validation and Accuracy of Referrer Contact Information

Although the responsibility for the referrer validation ultimately lies with the referral recipient, Ocean has several features available (now or in the near future) that can assist HINPs and HICs with the identification and validation of a referrer's contact information:

  • Confirmation of referrer contact information with each referral
    • Referrers are prompted to review for accuracy (and correct if necessary) their contact information prior to submitting each referral.
  • Mandatory referrer information required with referrals
    • Referrers must enter their professional ID and billing number when applicable. These fields are relatively private pieces of information often known only by the referrer.
  • Ocean account linkage
    • Referrers may sign in with an Ocean account prior to sending an eReferral. The Ocean account provides a mechanism for basic user identification including a valid email address.
  • Live updates of referrer contact information
    • Referrers may update their Ocean account's contact information (such as their email) at any time. Ocean will use the updated email for future referral notification and communication, even for previously-submitted referrals.
  • Federated identity provider account linkage
    • Where available, Ocean users can link their accounts to regional federated identity providers. Referral recipients may subsequently review the referrer's information and gauge its trustworthiness based on the presence of the federated identity.
  • Referrer account enforcement by the HINP
    • HINPs will be able to restrict the sending of referrals to only users with accounts provided by a federated identity provider or Ocean.
  • Referrer account enforcement by the referral recipient HIC
    • HICs will be able to restrict the acceptance of referrals at their site to only users with accounts provided by a federated identity provider or Ocean.
  • HINP-specific agreement enforcement
    • HINPs can specify a customized referral user agreement outlining its privacy policy and usage terms and force referrers to agree prior to sending referrals.

Access Restrictions for Referrers

Regardless of the individual HINP's policy, referrers are strongly encouraged (but not forced for the referrer's convenience) by CognisantMD to sign in with a valid Ocean account prior to sending the referral. Subsequently, the referrer must sign in again with their Ocean account (or their designated federated identity provider when available) to access the referral's information.

Note: When an Ocean account is not used to send the referral, access to the referral is nonetheless still protected and restricted under PHIPA using a one-time anonymous referrer account represented by a secure hyperlink and encryption key. The referrer must authenticate using this secure link in the future to view the referral's information.


How does CognisantMD validate health service directory listings as legitimate healthcare providers?

Introduction

The Ocean Healthmap consists of listings that represent health service providers (HSPs) and health information custodians (HICs) as described under PHIPA law.

It is very important that the listings in the directory be accurate and up-to-date to prevent accidental or malicious leakage of personal health information to untrusted third parties by unwitting referrers to the listed services.

Consequently, safeguards must be in place to prevent individuals from masquerading as health service providers, so that referrers do not inadvertently send them their patients' personal health information. Policies should also exist to ensure listings have up-to-date contact information, to prevent patient faxes and phone calls from being sent to the wrong location.

Maintaining accurate and up-to-date information in a comprehensive health service directory is an ongoing challenge. To minimize the risks involved, CognisantMD's policies are outlined below.

Prioritized Use of Official Sources

When possible, the directory listings in Ocean are pulled directly from "Official Sources", which contain a comprehensive list of physicians and other health service providers in the province. These registry services have their own well-developed and publicly-trusted mechanisms for validating listings. Consequently, the information within these listings is transitively trusted by Ocean to be up-to-date and representative of a trustworthy real-world health information custodian.

For example, the phone and fax numbers for physicians from the eHealth Ontario Provider Registry are presented in the directory as accurate information, along with indicators to show users the source of the information.

Information from these official sources is refreshed in Ocean on a regular basis to ensure the information remains up-to-date.

Official Sources as of May 2018:

  • eHealth Ontario Provincial Provider Registry
    • Governance: managed and vetted by eHealth Ontario
    • Synchronization frequency: daily

Third Party HINPs Using Ocean

CognisantMD also allows select not-for-profit organizations to act as their own Health Information Network Providers (HINPs). These organizations have their own policies for validating health information. An example of a HINP using Ocean is the CFFM Care Innovations organization based in the Waterloo Wellington LHIN in Ontario.

These third-party HINPs may validate and submit their own listings as a subset within the wider Ocean Health Service directory. CognisantMD regularly reviews the policies of these HINPs as it pertains to Ocean and provides support to the HINPs to ensure they adhere to the company's own privacy policy.

Current 3rd Party HINPs as of May 2018:

  • CFFM Care Innovations

Listing Creation and Listing Claims

Listings representing Health Information Custodians (HICs) may be entered or updated in Ocean by either the HINP or the HIC itself:

  1. An authenticated user acting on behalf of an Ocean-affiliated HINP may manually enter a new health listing in Ocean under their own directory subset at any time. This process facilitates HINPs in creating their own comprehensive directory of trusted health services. When a HINP creates a listing, it assumes the responsibility for validating this listing using their own policies and procedures.
  2. Alternatively, HICs may choose to independently create their own listing within the CognisantMD directory, or "claim" an existing listing as their own. These listings contain both identifying information and contact information for the HIC. Since HICs in this circumstance are not yet validated by a HINP as trustworthy, the listing is flagged as such in the directory to warn referrers of a potential privacy breach if personal information were to be sent. HINPs may proceed to validate these claimed listings, after which the warning is removed and replaced with an appropriate indicator of the HINP's approval.

CognisantMD's Listing Validation When Acting as HINP

In circumstances where CognisantMD is acting as the HINP, the company directly assumes the responsibility of validating listings.

CognisantMD's steps for validating listings are as follows:

  1. Listings that are flagged as requiring validation are reviewed on a daily basis by a designated HINP administrator.
  2. For each listing requiring validation:
    • The administrator reviews the listing for any obvious initial inaccuracies or inappropriate information.
    • In the event that the listing is considered unreliable or deemed to be "spam", it is deleted immediately.
    • The listing's contact information is cross-referenced with official sources when possible (such as the CPSO directory for physicians or a regional directory for social services such as centralhealthline.ca).
    • An Internet search is also performed with two separate services (e.g. Google and Microsoft's Bing) to locate any publicly-accessible information regarding the listing to ensure consistency with the claimed information.
    • If a website is found that aligns with the listing, it is also cross-referenced for consistency with the listing's information.
  3. If the information passes this initial screening test, the administrator calls the phone number provided on the listing's information. During the phone call, the administrator identifies CognisantMD and explains the purpose of the call, then proceeds to clearly enumerate all of the listing's information as submitted to confirm accuracy.
    • Up to two voicemails are left on separate days.
  4. If 7 days pass without the administrator having manually confirmed the accuracy of this information, the listing is deleted.
  5. If, however, the listing is successfully confirmed, the validation is completed by the administrator and tagged in the directory accordingly. The time, date and administrator that approved the listing are logged.

Reporting and Correction of Invalid or Out-of-Date Listing Information

All individuals interacting with Ocean should flag and report health service listings found to contain inaccurate information in a timely manner. Any user of the directory can quickly and easily alert CognisantMD of the concern by clicking on a hyperlink contextually located next to the listing's information.

Once a listing has been reported as potentially inaccurate, it is flagged for all users along with the reporting user's suggested correction. CognisantMD manually reviews such reports on a daily basis. In the event that a listing is managed by a separate HINP, CognisantMD notifies the HINP of these reports so that the HINP may take appropriate action. Otherwise, CognisantMD follows the same validation steps as those used for initial listing validation to ensure the new information is accurate.


Privacy Policy: How does CognisantMD adhere to the 10 Privacy Principles of PHIPA?

PHIPA is the Ontario provincial legislation that protects personal information, including health information. It outlines ten principles that organizations, individuals, associations, partnerships and trade unions must follow when collecting, using and disclosing personal information in the course of a commercial activity.

To learn more about how CognisantMD adheres to these principles, please refer to our Privacy Policy.


What is CognisantMD/Ocean's Role Under PHIPA?

CognisantMD generally acts as an Electronic Service Provider (ESP) under PHIPA, particularly in the capacity of providing hosted software to facilitate patient engagement technology. We do not handle PHI, which is protected by client-side encryption.

In some cases, we act as a Health Information Network Provider (HINP), specifically in the context of Ocean eReferrals, which allow Health Information Custodians (HICs) to share Personal Health Information (PHI) with other HICs. 

A special case exists for the System Coordinated Access Program out of the Waterloo Wellington LHIN in Ontario. In this eReferral project, Ocean's role is that of an ESP, with HINP responsibilities residing with CFFM Care Innovations, a not-for-profit organization.


How do Ocean customers avoid privacy and/or security risks when using Ocean?

All patient health information is fully encrypted using a shared encryption key that never leaves the customer site.

As a result, even CognisantMD employees are unable to see PHI, whether at rest or in transit, providing much better security than server-side encryption.


How long are patient records (with PHI) kept in Ocean?

First of all, Ocean is not an EMR/EHR and not a long term repository of health information for a patient. All patient records are eventually deleted from Ocean. It only holds encrypted patient records for a limited time to support the various ways clinics use Ocean. 

For example, if a patient is coming in for an appointment, the patient record is encrypted and uploaded into Ocean a day or two before their appointment time, and then it is deleted after the EMR downloads the generated note. Total time in Ocean might be 3-4 days.

For a contrasting example, if a newly pregnant patient registers for a new baby pediatric appointment, the patient might be sent an Ocean Online web questionnaire months prior to the birth and be asked to complete the form upon delivery. In this case, the patient record might be stored in Ocean for 5 months.

There are a few reasons we do it this way. First of all, privacy guidelines recommend that PHI be kept in as few places as possible for as short a time as possible; the master copy for clinics is generally the EMR. Second, the patients in Ocean are "snapshots" of a patient at a point in time (when the patient was uploaded). Although the patients can be updated by the EMR/EHR easily, having multiple copies of patient records is generally problematic.

Caveats:

  • You can "lock" a patient in Ocean to request that Ocean leave the record alone and stored within Ocean, although this should be reserved for special situations only.
  • Ocean Study data captured for a patient is kept indefinitely (until it is deleted by the owning Ocean site).
  • The audit trail maintained by Ocean lives indefinitely. For audit purposes, it allows you to map a patient's EMR ID to an Ocean reference number and then to the associated tablet access, web questionnaire access, form completion audit records, etc.
  • Encrypted PHI will be maintained in Ocean database backups for up to one year. Ocean backups are maintained at a secure facility with all access logged. Access is limited to CognisantMD operations staff.

Detailed time frames in which PHI is kept within Ocean:

  • For patients with forms pending: 30 days
  • For patients with notes that haven't been downloaded: 90 days (if you have patients in this situation, see: "What do I do if I see 'Warning from Ocean: Notes Require Download?'")
  • For patients that have all notes downloaded and no forms pending: 14 days
  • For patients with a scheduled appointment with no forms or updates pending: 14 days after their scheduled appointment date

For eRequests/eReferrals:

  • Ocean eReferrals/eRequests are kept for 60 days in the "New" folder.
  • If accepted, the retention time becomes 365 days from the creation date.
  • If an appointment is scheduled, the referral is retained until the appointment date plus 30 days.
  • If an estimated wait time is entered, the referral is retained until the end of the date range.
  • When an eRequest/eReferral is scheduled for deletion, it moves to "Deletion Warnings", which appears in red. A user can "extend" the retention time for additional blocks of 60 days.
  • As above, Ocean will notify you with an alert if you have deletion warnings.
  • eReferral analytic data captured by Ocean is kept indefinitely.
  • More details about the lifetime of eReferral storage can be found in: "How long will my eReferrals be stored in Ocean?".
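The patient-record and eReferral time frames above define a data lifecycle that is easy to misread once several states overlap. The following calculator is an added example (not CognisantMD's code) that encodes both sets of rules; the page does not say which window wins when more than one applies, so the precedence used here (the most advanced state of a referral wins; a patient record is kept until its longest applicable window has elapsed) is an assumption to verify against your own site.

```python
"""Retention-deadline calculator for the Ocean time frames listed above.

Added example, not CognisantMD's code. The page lists each window but not
what happens when several apply, so precedence is an assumption here: the
rule tied to the most advanced state of a referral wins, and a patient
record is kept until the longest applicable window has elapsed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class PatientRecord:
    uploaded: date                      # day the encrypted snapshot entered Ocean
    forms_pending: bool = False
    notes_undownloaded: bool = False    # generated notes the EMR has not pulled yet
    appointment: Optional[date] = None
    locked: bool = False                # "locked" records are kept indefinitely


def patient_record_expiry(rec: PatientRecord) -> Optional[date]:
    """Date the record is scrubbed from Ocean; None means it is kept (locked)."""
    if rec.locked:
        return None
    deadlines = []
    if rec.forms_pending:
        deadlines.append(rec.uploaded + timedelta(days=30))
    if rec.notes_undownloaded:
        deadlines.append(rec.uploaded + timedelta(days=90))
    if not rec.forms_pending and not rec.notes_undownloaded:
        # nothing pending: 14 days, counted from the appointment if one exists
        base = rec.appointment if rec.appointment is not None else rec.uploaded
        deadlines.append(base + timedelta(days=14))
    return max(deadlines)   # assumption: longest applicable window wins


@dataclass
class Referral:
    created: date
    accepted: bool = False
    appointment: Optional[date] = None
    wait_range_end: Optional[date] = None   # end of the estimated wait time range
    extensions: int = 0                     # 60-day blocks granted from Deletion Warnings


def referral_expiry(ref: Referral) -> date:
    """Scheduled deletion date, most advanced state first (assumed precedence)."""
    if ref.appointment is not None:
        deadline = ref.appointment + timedelta(days=30)
    elif ref.wait_range_end is not None:
        deadline = ref.wait_range_end
    elif ref.accepted:
        deadline = ref.created + timedelta(days=365)
    else:
        deadline = ref.created + timedelta(days=60)     # still in the "New" folder
    return deadline + timedelta(days=60 * ref.extensions)


def past_retention(expiries: Dict[str, Optional[date]], today: date) -> List[str]:
    """Names of items whose expiry has passed: a check a privacy officer can run
    over an export to confirm nothing lingers beyond the stated windows."""
    return sorted(name for name, exp in expiries.items()
                  if exp is not None and exp < today)


if __name__ == "__main__":
    # constructed sample data, not taken from any real site
    rec = PatientRecord(date(2018, 5, 1), appointment=date(2018, 5, 3))
    ref = Referral(date(2018, 5, 1), accepted=True, appointment=date(2018, 6, 15))
    print(patient_record_expiry(rec), referral_expiry(ref))
```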


Does patient data reside on the tablet?

The only patient data (i.e. patient health information) held in the Ocean tablet app is that belonging to the current patient. Once a patient is done completing their form(s) (specifically, when the finish/reset button is pressed), the patient data is deleted from the tablet.

In other words, at most one patient's data is on the device at any point in time.


Where is Ocean data stored?

All Ocean data, including client-side encrypted PHI, is stored in our primary storage facility located in Montreal, with additional copies of the data kept in a warm failover disaster recovery facility in Toronto.

Our data centers are SSAE 16 certified - this means they are locked, guarded, and monitored through closed-circuit television systems, with on-site security teams, military-grade pass card access, and biometric finger scan units to provide additional security. You can read about the security measures in place at our data storage facilities in this SSAE 16 Overview.

Data Storage History

  • May 2018
    • Our primary storage facility was relocated from Toronto to Montreal.
    • Our disaster recovery facility was relocated from Montreal to Toronto.
  • February 2018
    • Our disaster recovery facility was relocated from Vancouver to Montreal.


Do CognisantMD employees have access to patient data/personal health information (PHI)?

CognisantMD employees (including system administrators) never have access to our customers' encryption keys and therefore, cannot see any PHI. Neither the tablet nor the EMR ever send encryption keys to our server.


Does Ocean comply with accessibility regulations / guidelines? (e.g. AODA)

Yes, we spend a lot of time on accessibility:

  • We use large fonts with high contrast (dark on white). Fonts can be made even larger, if desired.
  • We use very large buttons and simple touch screen elements, designed to make user interaction as simple as possible.
  • We recommend and design our product for 10.1” tablets, the largest standard tablet size available, for ease of use.
  • On some tablet models, you can use colour inversion (specifically Samsung tablets), so text can be white on black.


Does CognisantMD maintain a test server? What is the build environment?

CognisantMD maintains a continuous build process in its Toronto office, where a build / autotest cycle runs continuously.

No "live data" (i.e. patient health information) is ever included in the test environment - only demo data is used for testing.


How is the Ocean Platform maintained and how is PHI protected during maintenance?

System maintenance is normally done Tuesday nights between 9pm and 11pm ET.

There is never any impact on patient privacy, as all PHI is encrypted using private encryption keys that are not shared with CognisantMD staff.


Has CognisantMD completed any privacy audits, security audits or Privacy Impact Assessments for Ocean?

Yes, CognisantMD has completed the following privacy/security audits for Ocean:

  1. Assessment by St. Michael's Hospital - completed and passed: July 2013.
  2. Assessment by Sunnybrook Health Sciences Centre - completed and passed: April 2014.
  3. Threat Risk Assessment (TRA) by MNP - completed and passed: May 2016 (see attached).
  4. CognisantMD Privacy Impact Assessment (PIA) - completed: June 2018 (see attached).
