10 Fair Principles
OceanMD prides itself on its adherence to the “10 Fair Information Principles” set out in the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal privacy law for the private sector. These principles are internationally recognized, and the same concepts appear in privacy legislation across Canada and around the world.
OceanMD adheres to such principles as follows:
1. Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.
- OceanMD has a publicly designated privacy officer who leads the company’s compliance with these principles.
- All OceanMD employees and representatives sign a Privacy and Security agreement that describes their obligations under PHIPA.
2. Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
- OceanMD / Ocean does not collect patient health information without providing a clear explanation of the purpose in the system’s user interface.
- Patient information is encrypted before it is transmitted to Ocean, using encryption keys known only to the health information custodians and providers (the clinics). This is a strong safeguard against the unintentional collection of personal information by OceanMD.
- The personal information required to fulfil a specific Ocean service (such as sending an eReferral) is used only for that service and nothing else.
- In the rare cases where patient health information must be used directly by Ocean (such as collecting a patient’s email address for notification purposes), the system confirms with the health service provider that the patient has given informed consent to receive clinical notifications by email.
3. Consent
The knowledge and consent of an individual are required for the collection, use, or disclosure of personal information, except where appropriate.
- Health service providers may use Ocean’s patient engagement services, such as Ocean Studies and the Ocean Online secure emailing service, to collect information from patients or disclose information to them. Before using these services, providers are required under Ocean’s end-user license agreement (EULA) to obtain the appropriate consent from patients, unless the health information custodian deems implied consent appropriate.
- When Ocean’s email services are used to send information to a patient, the health service provider is reminded, for each individual patient, to confirm that the patient’s signed, informed consent to email communication has been obtained.
4. Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
- OceanMD / Ocean never attempts to collect personal information beyond what is clearly necessary to fulfil its primary use cases (such as the completion of a clinical questionnaire designated by a patient’s health service provider).
- All personal information is encrypted with private encryption keys before it leaves the clinic. Because OceanMD personnel do not hold these keys, this is a strong safeguard against unauthorized use.
- All collection and processing of information is in accordance with Canada’s and Ontario’s privacy laws.
5. Limiting Use, Disclosure and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
- OceanMD / Ocean does not use personal health information for purposes other than those for which it was collected.
- These purposes are limited to the use cases of its patient engagement and eReferral system, such as the completion of an Ocean tablet questionnaire or a secure message sent to the patient via email.
- The actual uses and disclosures by the system are directed by the health service providers to fulfill these use cases in accordance with our EULA.
6. Accuracy
Personal information shall be as accurate, complete and up-to-date as is necessary for the purpose for which it is used.
- The Ocean system typically interfaces with the patient’s electronic medical record system to obtain comprehensive and up-to-date clinical information for patients.
- Ocean regularly synchronizes its encrypted information with the primary electronic medical record so that email addresses and other relevant information remain reasonably up-to-date.
- Safeguards in the user interface ensure that important personal information is periodically confirmed by patients for accuracy. For example, patients may review their contact information for accuracy at each visit on an Ocean tablet. Validity checks, including “check digit” tests, are applied to birth dates, phone numbers and health numbers to reduce the likelihood of transcription errors.
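The kind of check-digit test mentioned in the last bullet, as an added example that is not OceanMD’s or Ocean’s code: it assumes the Luhn mod-10 scheme used by Ontario health card numbers (the page does not say which check Ocean applies), and the sample numbers and dates are constructed, not real patient data. Note the caveat a practitioner would attach: a check digit catches typos and digit transpositions, but a number with a consistent check digit can still belong to the wrong patient, so it supplements, not replaces, the patient confirming their details.

```python
"""Check-digit and plausibility checks of the kind described above.

Added illustration, not OceanMD/Ocean code. The health-number check assumes the
Luhn (mod-10) scheme used by Ontario health card numbers; the page does not
name the algorithm Ocean actually applies.
"""
from datetime import date
from typing import Optional
import re


def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10 over a string of ASCII digits; 0 means the check digit is consistent."""
    total = 0
    # Walk from the rightmost digit. Every second digit (2nd, 4th, ... from the right)
    # is doubled; subtracting 9 from a doubled value above 9 equals summing its two digits.
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def normalize_health_number(raw: str) -> str:
    """Keep only the digits: strips spaces, dashes and any trailing version-code letters."""
    return re.sub(r"[^0-9]", "", raw)


def is_valid_health_number(raw: str) -> bool:
    """True if the input normalizes to exactly 10 digits whose Luhn checksum is 0."""
    digits = normalize_health_number(raw)
    return len(digits) == 10 and luhn_checksum(digits) == 0


def compute_check_digit(body: str) -> str:
    """Return the check digit that makes body + digit Luhn-valid (body = leading 9 digits)."""
    if len(body) != 9 or not body.isdigit():
        raise ValueError("expected 9 leading digits")
    # A placeholder 0 sits in the (undoubled) check position; pick the digit that
    # brings the total to 0 mod 10.
    return str((10 - luhn_checksum(body + "0")) % 10)


def is_plausible_birth_date(iso: str, today: Optional[date] = None) -> bool:
    """Reject malformed dates, dates in the future and dates more than 130 years back."""
    today = today or date.today()
    try:
        dob = date.fromisoformat(iso)
    except ValueError:  # e.g. "1980-02-30" is not a real calendar date
        return False
    return today.year - 130 <= dob.year and dob <= today


if __name__ == "__main__":
    # Constructed sample values, not real patient data.
    print(is_valid_health_number("1234 567 897"))   # True: check digit consistent
    print(is_valid_health_number("1234 567 879"))   # False: adjacent transposition caught
    print(is_valid_health_number("1234567890"))     # False: wrong check digit
    print(compute_check_digit("123456789"))          # 7
    print(is_plausible_birth_date("1980-02-30"))     # False: not a real date
```

The normalization step matters in practice: health numbers are often typed with spaces or with the version-code letters printed on the card, and a validator that rejects those formats trains users to ignore its warnings.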
7. Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
- As a general safeguard, Ocean’s end-to-end public-private key encryption keeps all patient health information inaccessible to third parties, including OceanMD’s own employees.
- Industry-standard controls such as 256-bit encryption, strong password policies and user access restrictions are used throughout OceanMD systems and are strictly enforced by the development and operations team.
- Source code reviews are regularly performed to limit the risk of unintentional disclosures of PHI.
- Third-party integrations with Ocean, including the Care Portal patient portal, have limited access to personal health information only within sites designated by the applicable health information network provider (HINP). These integrations are only permitted by OceanMD in contexts where the HINP has explicitly authorized such integrations with and on behalf of participating HICs, and HICs may disable such integrations for specific patients.
- A threat-risk assessment (TRA) performed by MNP concluded that the safeguards result in an overall “low” risk to personal health data.
8. Openness
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
- OceanMD endeavours to publish its policies and procedures openly on its support site, which is publicly available (this article is an example).
9. Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information, and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
- Individuals may consult our patient-facing support articles to learn more about the company’s policies on personal information usage.
- Because of its end-to-end encryption, OceanMD / Ocean cannot provide direct access to unencrypted personal health information: it is an electronic service provider, not an agent with access to personal information.
- However, OceanMD will assist as necessary to connect these individuals with the applicable health service providers to ensure they can access and review their personal information encrypted within Ocean in a timely manner.
- (Note: Since Ocean typically pulls data from third-party electronic medical records systems as its primary information source for personal health information, individuals are likely to first request access to their electronic patient chart within these systems at their clinician’s office. They may choose to make corrections in these systems as necessary, whereupon the changes will be automatically updated in Ocean as well.)
- OceanMD may also, upon request, provide individuals with a full audit log of the use and disclosure of their personal information by its systems, including Ocean.
10. Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.
- The company’s senior leadership and its privacy officer pledge to create an open, supportive environment for individuals who have any concerns about the company’s compliance with the above principles.
- Health information network providers (HINPs) interacting with OceanMD as an electronic service provider are encouraged to contact OceanMD with any concerns as they arise.
- Individuals are also encouraged to contact OceanMD’s privacy officer with any concerns.
The company commits to providing a timely and appropriate response in these circumstances, including any organizational and technological changes deemed necessary to correct gaps in this compliance.