The Ocean Network Flow Diagram can be viewed or downloaded using the link below.
Common questions related to Ocean security and encryption.
All personal health information is encrypted prior to storage within Ocean using an encryption password known only to the patient's care providers (not Ocean / OceanMD). This "client-side encryption" goes beyond the protections provided even by the banking industry, since it ensures that even system administrators and third parties cannot view it.
The Ocean kiosks, tablets, questionnaires, secure messages and referrals require the use of personal health information to ensure they can provide a functional and convenient user interface for their users.
To successfully provide these use cases for Ocean users, Ocean must temporarily store the following fields in an encrypted format:
For more information on OceanMD's commitment to protecting privacy, please refer to: "How does OceanMD adhere to the 10 Privacy Principles of PHIPA?".
All patient health information is encrypted using a shared encryption key, providing an extra level of protection for PHI stored in Ocean. This key is not accessible to OceanMD employees and is never transmitted to third parties.
As a result, even OceanMD employees are unable to see PHI, providing additional security beyond the usual minimum standard of server-side encryption-at-rest.
All Ocean data, including client-side encrypted PHI, is stored in our primary storage facility located in Montreal (AWS Canada Availability Zone 1), with additional copies of the data kept in a warm failover disaster recovery facility also in Montreal (AWS Canada Availability Zone 2).
Our data centers are SSAE 16 certified - this means they are locked, guarded, and monitored through closed-circuit television systems, with on-site security teams, military-grade pass card access, and biometric finger scan units to provide additional security. You can read about the security measures in place at our data storage facilities in this SSAE 16 Overview.
Ocean uses email to alert patients about new Ocean forms, messages and automated referral notifications. In order to protect personal health information, Ocean takes a few precautions.
When a patient receives a patient message, they are provided a link that takes them to a secure site to view their messages, attachments, and any Ocean forms. Before accessing the full content of the message, the patient is required to enter one or more security validators as selected by the sender. This can include:
By default, Ocean uses the patient’s birthdate as a minimum requirement to access a Patient message.
Ocean eReferral Notifications
In Ocean eReferrals notifications, the following precautions are taken:
PHIPA is the Ontario provincial legislation that protects personal information, including health information. It sets out ten principles that organizations, individuals, associations, partnerships and trade unions must follow when collecting, using and disclosing personal information in the course of a commercial activity.
The shared encryption key (SEK) is used by Ocean to encrypt a patient's personal health information (PHI) prior to leaving the circle of care. Beyond the standard strong security precautions implemented by Ocean, the privacy of the shared encryption key effectively prevents third parties (including OceanMD) from eavesdropping on patient information. Without the shared encryption key, the patient's data cannot be decrypted and consequently cannot be viewed.
These precautions sometimes make it more difficult for clinicians to locate the shared encryption key when it is needed for legitimate clinical purposes. Losing the shared encryption key completely is a serious problem, because it prevents health service providers from viewing potentially important clinical information about patients in Ocean. For tips on recovering your site's shared encryption key, please refer to: "Recovering a Lost / Forgotten Shared Encryption Key".
General Precautions for Protecting the Shared Encryption Key
Ocean provides some automated mechanisms to protect the privacy of the shared encryption key:
Best Practices for Clinical Administrators
When sending a referral for a patient, it is important to understand if the site receiving the referral is a Health Information Custodian (HIC), under the Personal Health Information Protection Act (PHIPA), or not.
PHIPA law applies to HICs, who are responsible for the Personal Health Information (PHI) in their custody or control, and must take certain steps to fulfill that responsibility.
If sending a referral to a site that is clearly labeled as a non-HIC, referring providers must ensure they have express consent from the patient and must be careful not to disclose any unnecessary PHI.
As defined in PHIPA, a HIC is responsible for collecting, using and disclosing personal health information on behalf of clients.
Individuals or organizations must be specifically named in PHIPA s. 3 or O.Reg 329/04 s. 3 in order to be considered HICs. However, PHIPA also sets out some specific examples of persons not considered HICs for the purposes of the act:
Persons who are not health information custodians should consider the application of the Act to them in a few contexts. Generally, except as permitted or required by law, such persons cannot use or disclose that information for any purpose other than the purpose for which the custodian disclosed the information to them under the Act, or for the purpose of carrying out a statutory or legal duty.
Note: This document is provided for general information purposes only and does not constitute legal advice. Additional information is available in the document Frequently Asked Questions - Personal Health Information Protection Act published by the Information Privacy Commissioner of Ontario.
The Ocean eReferral Network provides a convenient and secure mechanism for health service providers to send electronic referrals containing personal health information for patients to trusted health information custodians, in accordance with PHIPA / PIPEDA privacy laws.
In this context, OceanMD acts as an electronic service provider (ESP) that interacts with a designated health information network provider (HINP) to transfer the personal health information necessary for the referral.
It is important for the HINP to ensure that the referrers interacting with its network are legitimate health service providers (HSPs) with accurate, up-to-date contact information. Otherwise, the risk of unintentional disclosure of personal health information is increased during the natural back-and-forth communication regarding a referral.
Specific risk scenarios related to invalid referrers include:
In the event that the referrer's contact information is faulty, there is a risk that the referral recipient may inadvertently disclose personal health information to an untrusted third party as part of the follow-up communication. For example, the recipient may call or fax back information to this third party indicating that the patient has "been seen here recently", presuming that the source is a valid HIC for the patient. This information disclosure would constitute a privacy breach of the patient's personal health information.
It is important to keep in mind that the risks related to untrustworthy referrers are not unique to electronic referrals. In theory a malicious individual may masquerade as a referrer using a faxed referral to create the same risk scenario.
Consequently, referral recipients are responsible for taking the same reasonable precautions with electronic referrals as they do with faxed and phone referrals today. These precautions include adherence to simple procedures, such as the general avoidance of any personal health record disclosure without reasonable assurances that the referrer is trustworthy and is acting under the patient's consent. When these precautions are used, the risk of serious personal health information disclosures is relatively low.
HICs must formally commit to following these precautions prior to using Ocean by agreeing to Ocean's mandatory end-user license agreement (EULA).
Although the responsibility for the referrer validation ultimately lies with the referral recipient, Ocean has several features available (now or in the near future) that can assist HINPs and HICs with the identification and validation of a referrer's contact information:
Regardless of the individual HINP's policy, referrers are strongly encouraged by OceanMD (but, for the referrer's convenience, not required) to sign in with a valid Ocean account prior to sending the referral. Subsequently, the referrer must sign in again with their Ocean account (or their designated federated identity provider when available) to access the referral's information.
Note: When an Ocean account is not used to send the referral, access to the referral is nonetheless still protected and restricted under PHIPA using a one-time anonymous referrer account represented by a secure hyperlink and encryption key. The referrer must authenticate using this secure link in the future to view the referral's information.
The Ocean Healthmap consists of listings that represent health service providers (HSPs) and health information custodians (HICs) as described under PHIPA law.
It is very important that the listings in the directory be accurate and up-to-date to prevent accidental or malicious leakage of personal health information to untrusted third parties by unwitting referrers to the listed services.
Consequently, safeguards must be in place to prevent individuals from masquerading as health service providers, so that referrers do not inadvertently send them their patient's personal health information. Policies should also exist to ensure listings have up-to-date contact information to prevent patient faxes and phone calls from being sent to the wrong location.
Maintaining accurate and up-to-date information in a comprehensive health service directory is an ongoing challenge. To minimize the risks involved, OceanMD's policies are outlined below.
When possible, the directory listings in Ocean are directly pulled from "Official Sources", which contain a comprehensive list of physicians and other health service providers in the province. These registry services have their own well-developed and publicly-trusted mechanisms for validating listings. Consequently, the information within these listings is transitively trusted by Ocean to be up-to-date and representative of a trustworthy real-world health information custodian.
For example, the phone and fax numbers for physicians from the eHealth Ontario Provider Registry are presented in the directory as accurate information, along with indicators to show users the source of the information.
Information from these official sources is refreshed in Ocean on a regular basis to ensure the information remains up-to-date.
| Source | Validation | Refresh frequency |
|---|---|---|
| eHealth Ontario Provincial Provider Registry | Managed and vetted by eHealth Ontario | Daily |
OceanMD also allows select not-for-profit organizations to act as their own Health Information Network Providers (HINPs). These organizations have their own policies for validating health information. An example of a HINP using Ocean is the CFFM Care Innovations organization based in the Waterloo Wellington LHIN in Ontario.
| HINP |
|---|
| CFFM Care Innovations |
Listings representing Health Information Custodians (HICs) may be entered or updated in Ocean by either the HINP or the HIC itself:
In circumstances where OceanMD is acting as the HINP, the company directly assumes the responsibility of validating listings.
OceanMD's steps for validating listings are as follows:
All individuals interacting with Ocean should flag and report health service listings found to contain inaccurate information in a timely manner. Any user of the directory can quickly and easily alert OceanMD of the concern by clicking on a hyperlink contextually located next to the listing's information.
Once a listing has been flagged as potentially inaccurate, the listing is flagged for all users along with the user's suggested correction. OceanMD manually reviews such reports on a daily basis. In the event that a listing is managed by a separate HINP, OceanMD notifies the HINP of these reports so that the HINP may take appropriate action. If not, OceanMD follows the same validation steps as those used for initial listing validation to ensure the new information is accurate.
OceanMD generally acts as an Electronic Service Provider (ESP) under PHIPA, particularly in the capacity of providing hosted software to facilitate patient engagement technology. We do not handle PHI, which is protected by client-side encryption.
In some cases, we act as a Health Information Network Provider (HINP), specifically in the context of Ocean eReferrals, which allow Health Information Custodians (HICs) to share Personal Health Information (PHI) with other HICs.
A special case exists for the System Coordinated Access Program in Ontario. In this eReferral project, Ocean's role is as an ESP, with HINP responsibilities residing with CFFM Care Innovations, a not-for-profit organization.
Ocean is not an EMR/EHR and not a long-term repository of health information for a patient. All patient records are eventually deleted from Ocean. Ocean only holds patient records in an encrypted format for a limited time to support the various ways clinics use the system. After this time has passed, the patient record is permanently deleted from the Ocean database, although it will remain available in database backups for a year.
For example, when a patient is scheduled for an appointment, the patient record is encrypted and uploaded into Ocean a day or two before the appointment time. It is deleted after the EMR downloads the generated note. The total time in Ocean may be 3-4 days.
For a contrasting example, if a newly pregnant patient registers for a new baby pediatric appointment, the patient might be sent an Ocean Online web questionnaire months prior to the birth and be asked to complete the form upon delivery. In this case, the patient record might be stored in Ocean for 5 months.
Ocean's behaviour is guided by the PIPEDA privacy principle of "Limiting Use, Disclosure and Retention". Privacy guidelines recommend that PHI be kept in as few places as possible for as short a time as possible. The principal record of personal health information for clinics is the EMR/EHR. Furthermore, the patients in Ocean are "snapshots" of a patient at a point in time (when the patient was uploaded). Although the patients can be updated by the EMR/EHR easily, having multiple copies of patient records is generally problematic due to the potential for stale data.
The only patient data (i.e. patient health information) held in the Ocean tablet app is that belonging to the current patient. Once a patient is done completing their form(s) (specifically, when the finish/reset button is pressed), the patient data is deleted from the tablet.
In other words, at most one patient's data is on the device at any point in time.
OceanMD employees (including system administrators) do not have access to our customers' encryption keys without the direct immediate authorization of the health information custodian. Therefore, employees are unable to see or disclose any PHI.
OceanMD is committed to accessibility for all public website content, which we consider to be all patient-facing interfaces.
OceanMD maintains a continuous build process in its Toronto office, where a build / autotest cycle runs continuously.
No "live data" (i.e. patient health information) is ever included in the test environment - only demo data is used for testing.
System maintenance is normally done Thursday nights between 9pm and 11pm ET.
The system maintenance does not compromise patient privacy, since all PHI is kept encrypted during the maintenance period using private encryption keys that are not accessible to OceanMD staff.
Yes, OceanMD has completed or participated in the following privacy/security audits for Ocean:
Note that this is not an exhaustive list; other healthcare organizations have done assessments in which we have either not been directly involved or have been asked not to disclose.
* As per industry best practice, we do not publish or send full TRA documents electronically. Stakeholders who have a legitimate need to review the full TRA document may do so on site in our Toronto office after signing a non-disclosure agreement.