OCINet as Health Information Network Provider (HINP)
OCINet is a health information network provider (HINP), a type of service provider under Ontario’s Personal Health Information Protection Act, 2004 (PHIPA) and related regulation, O. Reg. 329/04, when it works on behalf of hospitals and integrated community health services centres (also known as independent health facilities) to store and share your clinical imaging information (e.g., X-rays, MRIs, CT scans, ultrasounds) and related reports available through the solutions and services.
Safeguards protecting your personal health information
As part of the services offered by OCINet to enable sharing of personal health information (PHI) among hospitals and integrated community health services centres (or independent health facilities), OCINet has established best-practice technical, administrative and physical safeguards to protect your PHI and coordinate the secure transmission of your PHI over the Ontario Health network with the support of third-party service providers. OCINet closely monitors these third-party providers to ensure they meet the same privacy obligations as OCINet.
Technical safeguards
- Access controls on OCINet information management systems (electronic and hard copy) to ensure that access to your PHI by employees and third-party service providers has been appropriately limited.
- Data protection measures, including protection (e.g., encryption) of your PHI when transmitted among OCINet, hospitals, integrated community health services centres (or independent health facilities), and third parties.
- Network security measures such as firewalls, intrusion detection and active security monitoring of systems.
Administrative safeguards
- Terms in agreements with participant organizations that define the services and required safeguards, along with the privacy and security obligations to be met
- Assigned staff responsible for privacy and security compliance
- Staff privacy and security training and signing of confidentiality agreements
- Enterprise privacy and security policies and procedures that govern privacy and security operations, which are regularly reviewed
Physical safeguards
- Physical security mechanisms such as video monitoring and card reader access to detect and prevent unauthorized access
- Secure disposal of media, equipment and hard drives
OCINet’s enterprise privacy program
As a HINP, OCINet has an enterprise-wide privacy program to support our compliance with the requirements of PHIPA and its regulations as well as our agreements with hospitals and integrated community health services centres (or independent health facilities). We also follow recognized standards in privacy and information management to safeguard your PHI more broadly. Below is a summary of our privacy program and practices for PHI:
- The foundation of this program is the OCINet Corporate Privacy Policy, which defines how OCINet as a HINP and Agent to hospitals and integrated community health services centres (or independent health facilities) protects the privacy of people whose information is stored, processed, managed and shared among participating healthcare organizations through OCINet solutions and services.
OCINet has implemented the following measures to meet the requirements of its privacy policy:
- Privacy and information management procedures to ensure that OCINet employees appropriately limit their access to and use, disclosure, and retention of your PHI for the purposes of providing and managing the clinical imaging services.
- Privacy training and awareness for all new employees, with refresher privacy training provided on an annual basis and acknowledgement of a privacy code of conduct.
- Processes for handling requests associated with patient privacy rights.
- Processes for identification and management of privacy risks.
- Processes for logging and creating electronic records of access to, or transfer of, PHI for OCINet's own activities or to support the privacy auditing needs of participants.
- Privacy review activities to confirm that OCINet complies with its privacy requirements.
Your privacy rights
You must contact the hospital or integrated community health services centre (or independent health facility) that captured and shared your diagnostic imaging information with OCINet for the following privacy matters:
- Request a copy of your information in the DIR.
- Request access to information about how the hospital or integrated community health services centre has been using, accessing, and sharing your information.
- Request a correction to your diagnostic imaging information in the DIR.
- Make a privacy inquiry or complaint about how the hospitals and health facilities are managing and ensuring the privacy of your information in the DIR.
Privacy contact
If you have a general inquiry or complaint about the service that OCINet provides to hospitals and integrated community health services centres (or independent health facilities) or our privacy and security program, contact the OCINet Privacy Office:
7100 Woodbine Avenue, Suite 115
Markham, Ontario L3R 5J2
905-943-7790 ext. 8800
privacy@ocinet.ca
If you are not satisfied with how we resolve your question or concern, you may contact the Information and Privacy Commissioner of Ontario at:
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario
M4W 1A8
416-326-3333
commissioner@ipc.on.ca
www.ipc.on.ca