All patient health information is fully encrypted using an encryption key that never leaves the customer site.
As a result, even CognisantMD employees are unable to see PHI persistent or even in transit, providing much better security than server-side encryption.
Yes, we spend a lot of time on accessibility:
- We use large fonts with high contrast (dark on white). Fonts can be made even larger, if desired.
- We use very large buttons and simple touch screen elements, designed to make user interaction as simple as possible.
- We recommend and design our product for 10.1” tablets, the largest standard tablet size available, for ease of use.
- On some tablet models, you can use colour inversion (specifically Samsung tablets), so text can be white on black.
The only patient data (i.e. patient health information) held in the Ocean tablet app is that belonging to the current patient. Once a patient is done completing their form(s) (specifically, when the finish/reset button is pressed), the patient data is deleted from the tablet.
In other words, at most one patient's data is on the device at any point in time.
Nothing except the EMR ID, which is meaningless outside the EMR context.
Encrypted using the clinic's private encryption key (never even sent off premises):
Most of the patient’s demographics (name, phone, email) and conditions of the patient as stored in the EMR.
First of all, Ocean is not an EMR/EHR and not a long term repository of health information for a patient. All patient records are eventually deleted from Ocean. It only holds encrypted patient records for a limited time to support the various ways clinics use Ocean.
For example, if a patient is coming in for an appointment, the patient record is encrypted and uploaded into Ocean a day or two before their appointment time, and then it is deleted after the EMR downloads the generated note. Total time in Ocean might be 3-4 days.
For a contrasting example, if a newly pregnant patient registers for a new baby pediatric appointment, the patient might be sent an Ocean Online web questionnaire months prior to the birth and be asked to complete the form upon delivery. In this case, the patient record might be stored in Ocean for 5 months.
There are a few reasons we do it this way. First of all, privacy guidelines recommend that PHI be kept in as few places as possible for as short a time as possible; the master copy for clinics is generally the EMR. Second, the patients in Ocean are "snapshots" of a patient at a point in time (when the patient was uploaded). Although the patients can be updated by the EMR/EHR easily, having multiple copies of patient records is generally problematic.
- You can "lock" a patient in Ocean to request that Ocean leave the record alone and stored within Ocean, although this should be reserved for special situations only.
- Ocean Study data captured for a patient is kept indefinitely (until it is deleted by the owning Ocean site).
- The audit trail maintained by Ocean lives indefinitely, which allows you to map the EMR ID of the patient to an Ocean reference number to tablet access, web questionnaire access, form completion audit records, etc. for audit purposes.
Detailed time frames in which PHI is kept within Ocean:
- For patients with forms pending: 30 days
- For patients with notes that haven't been downloaded: 90 days (see here for what happens if you get into this situation)
- For patients that have all notes downloaded and no forms pending: 3 days
- Ocean eReferrals/eRequests are kept for 60 days in the "New" folder.
- If accepted, the retention time becomes 180 days from the creation date.
- If an appointment is scheduled, the referral is retained until the appointment date plus 30 days.
- If an estimated wait time is entered, the referral is retained until the end of the date range.
- When an eRequest/eReferral is scheduled for deletion, it moves to the "Deletion Warnings", which appears in red. A user can "extend" the retention time for additional blocks of 60 days.
- As above, Ocean will notify you with an alert if you have deletion warnings.
- eReferral analytic data captured by Ocean is kept indefinitely.
All Ocean data, including client-side encrypted PHI, is stored in our primary storage facility located in Toronto, with additional copies of the data kept in a warm failover disaster recovery facility in Vancouver.
Our data centers are SSAE 16 certified - this means they are locked, guarded, and monitored through closed-circuit television systems, with on-site security teams, military-grade pass card access, and biometric finger scan units to provide additional security. You can read about the security measures in place at our data storage facilities here.
CognisantMD maintains a continuous build process in its Toronto office, where a build / autotest cycle runs continuously.
No "live data" (i.e. patient health information) is ever included in the test environment - only demo data is used for testing.
System maintenance is normally done Tuesday nights between 9pm and 11pm ET.
There is never any impact on patient privacy, as all PHI is encrypted using private encryption keys that are not shared with CognisantMD staff.
Yes, CognisantMD has completed the following privacy/security audits for Ocean:
- Assessment by St. Michael's Hospital - completed and passed: July 2013.
- Assessment by Sunnybrook Health Sciences Centre - completed and passed: April 2014.
CognisantMD employees (including system administrators) never have access to our customers' encryption keys and therefore, cannot see any PHI. Neither the tablet nor the EMR ever send encryption keys to our server.