Privacy Notice

OCINet as Health Information Network Provider (HINP)

OCINet is a health information network provider (HINP)—a type of service provider under Ontario’s Personal Health Information Protection Act, 2004 (PHIPA) and O. Reg. 329/04—when it provides the technology services that enable participating hospitals and integrated community health services centres (ICHSCs, formerly independent health facilities) to securely store, access, and exchange patient clinical imaging information (e.g., X-rays, MRIs, CT scans, ultrasounds) and related diagnostic reports, including facilitating the disclosure of personal health information (PHI) between participant health information custodians for the purpose of providing, or supporting the delivery of, health care to patients.

More information on OCINet services can be found on our Services page (link to services overview); however key services we provide as a HINP include:

  • Enabling participants to collect and use prior imaging of patients to whom they are providing care directly through their local Picture Archiving Communication System (PACS) using our Foreign Exam Management service, or by accessing imaging via OCINet Diagnostic Imaging Repository (DIR) viewers.
  • Enabling specialist consultants to access patient imaging for consultation purposes where requested by participants via the OCINet ENITS system viewer.
  • Enabling authorized users of the Agfa EI Shared PACS system to share imaging for patients in common via the PACS.

OCINet also acts as a PHIPA agent of participant hospitals and ICHSCs when it uses PHI to deliver, operate, maintain, support, or improve the services it provides to each participant, or when it supports the transfer of a participant’s PHI to a designated recipient ad directed by participant. OCINet does not use PHI for its own purposes except as permitted or required by law.

Safeguards Protecting Your Personal Health Information

In order to securely protect the patient PHI stored, processed and transferred into and out from OCINet systems, OCINet has established best-practice technical, administrative and physical safeguards. OCINet utilizes the Ontario Health network and third-party solution and service providers to protect systems and PHI. We closely monitor these third-party providers to ensure they meet the same privacy obligations as OCINet. These safeguards include the following controls: 

Technical Safeguards

  • Access controls on OCINet information management systems (electronic and hard copy) to ensure that access to your PHI by employees and third-party service providers has been appropriately limited. 
  • Data protection measures, including encryption of PHI when transmitted among OCINet, hospitals, ICHSCs and third parties.  
  • Network security measures such as firewalls and intrusion detection, and active security monitoring of systems. 

Administrative Safeguards

  • Contents in agreements with participant organizations that define the services and required safeguards along with privacy and security obligations to be met by all parties. 
  • Assigned staff responsible for privacy and security compliance. 
  • Staff privacy and security training and signing of confidentiality agreements at onboard and annually thereafter. 
  • Enterprise privacy and security policies and procedures that govern privacy and security operations. 
  • A Participant Privacy Manual that includes shared policies establishing privacy expectations and means of communication and collaboration amongst participating hospitals and ICHSCs and OCINet . 
  • Auditing capabilities to support OCINet participants with audit of access to PHI and enable OCINet to meet it HINP obligations to produce records of access or transfer of PHI 

Physical Safeguards

  • Physical security mechanisms such as video monitoring and card reader access to detect and prevent unauthorized access in secured data centres 
  • Secure disposal of media, equipment and hard drives 

OCINet’s Enterprise Privacy Program

As a HINP, OCINet has an enterprise-wide privacy program that outlines how we meet our obligations under PHIPA as well as those established in our agreements with participants. The program aligns with recognized standards in privacy and information management along with guidance from the office of Ontario’s Privacy Commissioner to effectively manage privacy and safeguard the PHI we hold and process for our participants.

The foundation of our privacy program is the OCINet Corporate Privacy Policy, which establishes OCINet’s privacy management structure and defines how OCINet as a HINP and Agent will meet its obligations. The Policy addresses the following key domains:

  • A Privacy Advisory Committee with participant representatives to advise OCINet on privacy matters impacting participants as health information custodians and to foster trust and collaboration among participants.
  • Privacy and information management procedures to ensure that OCINet employees appropriately limit their access to and use, disclosure, and retention of your PHI for the purposes of providing and managing the services provided to our participants.
  • Privacy training and awareness for all new employees, with refresher privacy training provided on an annual basis and acknowledgement of a privacy code of conduct.
  • Processes for handling requests associated with patient privacy rights (e.g., privacy inquiries and complaints, privacy access and correction requests, and support for consent management).
  • Processes for handling privacy breaches caused by OCINet or by participants.
  • Processes for identification and management of privacy risks including conduct of privacy risk assessments and managing third party risk.
  • Processes for logging and creating electronic records of access to, or transfer of PHI for its own activities or to support the privacy auditing needs of participants
  • Privacy review activities to confirm that OCINet complies with its privacy requirements.

Participant Privacy Manual (for OCINet Participants) 

OCINet maintains a Participant Privacy Manual, which outlines the shared privacy policies, roles and responsibilities, and coordinated practices that apply to OCINet and its Participants under the OCINet Data Sharing Agreement. 

Although this Manual is intended for Participant Privacy Offices rather than patients, OCINet makes it available here in support of transparency about OCINet’s privacy governance framework: 

OCINet Participant Privacy Manual and Forms 

Your Privacy Rights

You must contact the hospital or ICHSC that captured and shared your diagnostic imaging information with OCINet for the following privacy matters:

  • To request a copy of your information in the DIR.
  • To request access to information about how the hospital or integrated community health services centre has been using, accessing, and sharing your information.
  • To request a correction to your diagnostic imaging information in the DIR.

To make a privacy inquiry or complaint about how the hospitals and health facilities are managing and ensuring the privacy of your information in the DIR.

Privacy Contact

If you have a general inquiry or complaint about the privacy or security aspects of the services OCINet provides to participating hospitals or ICHSCs, or about our privacy and security program, contact the OCINet Privacy Office:

7100 Woodbine Avenue, Suite 115 Markham, Ontario L3R 5J2

905-943-7790 ext. 8800

privacy@ocinet.ca

If you are not satisfied with how we resolve your question or concern, you may contact the Information and Privacy Commissioner of Ontario at:

Information and Privacy Commissioner of Ontario 2 Bloor Street East, Suite 1400

Toronto, Ontario M4W 1A8

416-326-3333

commissioner@ipc.on.ca www.ipc.on.ca