Our Approach to Privacy
CognisantMD provides software solutions designed to enable secure and private communication between patients, healthcare providers, and researchers. As a trusted provider to health information custodians, we are committed the most stringent approaches to data security and privacy and full compliance with PHIPA regulations.
The Ocean Platform was built from the ground up to maximize security and protect privacy. Ocean’s industry-leading security stems from our robust client-side patient encryption technology. All patient data sent to and stored within Ocean is encrypted end-to-end using the industry-standard 256-bit AES (Advanced Encryption Standard), the same technology used by financial institutions and other healthcare institutions.
To guard against any possible breach of personal health information on our Ocean servers, all patient encryption keys are kept secret to Ocean’s end-user clinicians. Encryption keys for patient data are never sent to the Ocean server and are never seen by CognisantMD. Since the encryption keys are kept private and stored locally within each individual clinic, no agent outside of the clinic can ever decrypt or read private patient information. Therefore, even if the Ocean server were to be compromised, or the data were to be intercepted en route, no unencrypted patient information would be accessible.
Our client-side encryption architecture provides a protective safeguard for personal health information that is unique in the industry.
The Personal Health Information Protection Act (PHIPA) is the Ontario provincial legislation that sets out rules for the collection, use and disclosure of personal health information. These rules apply to all health information custodians operating within the province of Ontario and to individuals and organizations that receive personal health information from health information custodians.
PHIPA incorporates some general principles that apply to the collection, use and disclosure of personal health information, based on the “10 Fair Information Principles” of the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal privacy law for the private sector.
The 10 Principles are outlined below, followed by examples of our adherence to each principle:
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.
- CognisantMD has a publicly-designated privacy officer to provide leadership on compliance with privacy accountability.
- All CognisantMD employees and representatives sign a Privacy and Security agreement that describes their obligations under PHIPA.
- Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
- CognisantMD / Ocean does not collect patient health information without providing a clear explanation of the intent in the system’s user interface.
- Patient information is encrypted prior to its transmission to Ocean using encryption keys known only to the health information custodians and providers (the clinics). This technology provides a strong safeguard against the unintentional collection of personal information.
- The personal information required for the fulfillment of specific Ocean services (such as the sending of an eReferral) is used only for the service and nothing else.
- In the rare cases where patient health information must be used directly by Ocean (such as the collection of a patient’s email for notification purposes), the system confirms with the health service provider that the patient has provided informed email consent for the purpose of clinical notifications.
The knowledge and consent of an individual are required for the collection, use, or disclosure of personal information, except where appropriate.
- Ocean’s patient engagement services may be used by health service providers to collect or disclose information to and from patients, such as Ocean Studies and the Ocean Online secure emailing service. Prior to using these services, the providers are required to obtain the appropriate consent from patients based on Ocean’s end-user license agreement (EULA) unless implicit consent is deemed appropriate by the health information custodian.
- When Ocean’s email services are used to send information to patients, the health service providers are reminded for each individual patient to ensure that they have obtained a signed, informed email consent policy.
- Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
- CognisantMD / Ocean never attempts to collect personal information beyond what is clearly necessary to fulfill its primary use cases (such as the completion of a designated clinical questionnaire by a patient’s health service provider)
- All personal information is encrypted with private encryption keys prior to leaving the clinic. Since CognisantMD personnel do not have these keys, it provides a strong safeguard against the unauthorized use.
- All collection and processing of information is in accordance with Canada’s and Ontario’s privacy laws.
- Limiting Use, Disclosure and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
- CognisantMD / Ocean indeed does not use personal health information for purposes other than those for which the information is collected.
- These purposes are limited to the use cases of its patient engagement and eReferral system, such as the completion of an Ocean tablet questionnaire or a secure message sent to the patient via email.
- The actual uses and disclosures by the system are directed by the health service providers to fulfill these use cases in accordance with our EULA.
Personal information shall be as accurate, complete and up-to-date as is necessary for the purpose for which it is used.
- The Ocean system typically interfaces with the patient’s electronic medical record system to obtain comprehensive and up-to-date clinical information for patients.
- Ocean regularly synchronizes its encrypted information with the primary electronic medical record to ensure it is reasonably up-to-date with regard to the email address and other relevant information.
- Safeguards are placed in the user interface to ensure important personal information is periodically confirmed by patients for accuracy. For example, patients may review their contact information for accuracy each visit on an Ocean tablet. “Check digit” tests are done for birth dates, phone numbers and health numbers to reduce the likelihood of error.
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
- As a general safeguard, Ocean’s end-to-end public-private key encryption ensures that all patient health information is inaccessible to third parties including CognisantMD’s own employees.
- Industry-standard techniques such as 256-bit encryption, strong password policy management and user access restrictions are universally used within CognisantMD systems and are strictly enforced by the development and operations team.
- Source code reviews are regularly performed to limit the risk of unintentional disclosures of PHI.
- Third-party integrations with Ocean, including the Care Portal patient portal, have limited access to personal health information only within sites designated by the applicable health information network provider (HINP). These integrations are only permitted by CognisantMD in contexts where the HINP has explicitly authorized such integrations with and on behalf of participating HICs, and HICs may disable such integrations for specific patients.
- A threat-risk assessment (TRA) was performed by MNP and deemed the safeguards to result in an overall “low” risk to personal health data.
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
- CognisantMD endeavours to publish its policies and procedures openly on its support site, which is publicly available (this article is an example).
- Individual Access
Upon request, an individual shall be informed of the existence, use, and disclose of his or her personal information, and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
- Individuals may consult our patient-facing support articles to learn more about the company’s policies on personal information usage.
- CognisantMD / Ocean is unable to provide direct access to unencrypted personal health information, since it is merely an electronic service provider and not an agent with access to personal information (due to our end-to-end encryption).
- However, CognisantMD will assist as necessary to connect these individuals with the applicable health service providers to ensure they can access and review their personal information encrypted within Ocean in a timely manner.
- (Note: Since Ocean typically pulls data from third-party electronic medical records systems as its primary information source for personal health information, individuals are likely to first request access to their electronic patient chart within these systems at their clinician’s office. They may choose to make corrections in these systems as necessary, whereupon the changes will be automatically updated in Ocean as well.)
- CognisantMD may also, upon request, provide individuals with a full audit log of the use and disclosure of their personal information by its systems including Ocean.
- Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designate individuals accountable for the organization’s compliance.
- The company’s senior leadership and its privacy officer pledge to create an open, supportive environment for individuals who have any concerns about the company’s compliance to the above principles.
- Health information network providers (HINPs) interacting with CognisantMD as an electronic service provider are encouraged to contact CognisantMD with any concerns as they arise.
- Individuals are also encouraged to contact CognisantMD’s privacy officer with any concerns.
- The company commits to providing a timely and appropriate response in these circumstances, including the provision of any organizational and technological changes deemed necessary to correct gaps in this compliance.
CognisantMD is committed to protecting your privacy and providing a safe online experience. This statement of privacy applies to the CognisantMD website and governs data collection and usage. By using the CognisantMD website, you consent to the data practices described in this statement.
CognisantMD.com Terms of Service
By accessing the website at http://www.cognisantmd.com, you are agreeing to be bound by these terms of service, all applicable laws and regulations, and agree that you are responsible for compliance with any applicable local laws. If you do not agree with any of these terms, you are prohibited from using or accessing this site. The materials contained in this website are protected by applicable copyright and trademark law.
2. Use License
- Permission is granted to temporarily download one copy of the materials (information or software) on CognisantMD’s website for personal, non-commercial transitory viewing only. This is the grant of a license, not a transfer of title, and under this license you may not:
- modify or copy the materials;
- use the materials for any commercial purpose, or for any public display (commercial or non-commercial);
- attempt to decompile or reverse engineer any software contained on CognisantMD’s website;
- remove any copyright or other proprietary notations from the materials; or
- transfer the materials to another person or “mirror” the materials on any other server.
- This license shall automatically terminate if you violate any of these restrictions and may be terminated by CognisantMD at any time. Upon terminating your viewing of these materials or upon the termination of this license, you must destroy any downloaded materials in your possession whether in electronic or printed format.
- The materials on CognisantMD’s website are provided on an ‘as is’ basis. CognisantMD makes no warranties, expressed or implied, and hereby disclaims and negates all other warranties including, without limitation, implied warranties or conditions of merchantability, fitness for a particular purpose, or non-infringement of intellectual property or other violation of rights.
- Further, CognisantMD does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on its website or otherwise relating to such materials or on any sites linked to this site.
In no event shall CognisantMD or its suppliers be liable for any damages (including, without limitation, damages for loss of data or profit, or due to business interruption) arising out of the use or inability to use the materials on CognisantMD’s website, even if CognisantMD or a CognisantMD authorized representative has been notified orally or in writing of the possibility of such damage. Because some jurisdictions do not allow limitations on implied warranties, or limitations of liability for consequential or incidental damages, these limitations may not apply to you.
5. Accuracy of materials
The materials appearing on CognisantMD’s website could include technical, typographical, or photographic errors. CognisantMD does not warrant that any of the materials on its website are accurate, complete or current. CognisantMD may make changes to the materials contained on its website at any time without notice. However CognisantMD does not make any commitment to update the materials.
CognisantMD has not reviewed all of the sites linked to its website and is not responsible for the contents of any such linked site. The inclusion of any link does not imply endorsement by CognisantMD of the site. Use of any such linked website is at the user’s own risk.
CognisantMD may revise these terms of service for its website at any time without notice. By using this website you are agreeing to be bound by the then current version of these terms of service.
8. Governing Law
These terms and conditions are governed by and construed in accordance with the laws of Ontario, Canada and you irrevocably submit to the exclusive jurisdiction of the courts in that province.
Your privacy is important to us. It is CognisantMD’s policy to respect your privacy regarding any information we may collect from you across our website, http://www.cognisantmd.com, and other sites we own and operate.
We only ask for personal information when we truly need it to provide a service to you. We collect it by fair and lawful means, with your knowledge and consent. We also let you know why we’re collecting it and how it will be used.
We only retain collected information for as long as necessary to provide you with your requested service. What data we store, we’ll protect within commercially acceptable means to prevent loss and theft, as well as unauthorised access, disclosure, copying, use or modification.
We don’t share any personally identifying information publicly or with third-parties, except when required to by law.
Our website may link to external sites that are not operated by us. Please be aware that we have no control over the content and practices of these sites, and cannot accept responsibility or liability for their respective privacy policies.
You are free to refuse our request for your personal information, with the understanding that we may be unable to provide you with some of your desired services.
Your continued use of our website will be regarded as acceptance of our practices around privacy and personal information. If you have any questions about how we handle user data and personal information, feel free to contact us.
This policy is effective as of 6 June 2018.
If you have a complaint, question or concern regarding CognisantMD’s privacy policies and procedures, please contact:
4040 – 3080 Yonge Street
Toronto, Ontario M4N 3N1
Tel: 1-888-864-8655 xt. 701
Or by email: privacy.officer (at) cognisantmd.com