Primary Care and Person-Centered Measurement Interactive Symptom Assessment and Collection (ISAAC) Application PIA Summary

Background 

As required by the Personal Health Information and Protection Act (PHIPA) and by the Ontario Health (Cancer Care Ontario) Privacy Policy, PIAs were completed for the Interactive Symptom Assessment and Collection (ISAAC) Application.  

This document provides is a summary of PIAs conducted on the ISAAC solution. This PIA summary includes background on the ISAAC Application and also notes Ontario Health's progress in implementing the recommendations contained in the PIA addendum. 

Key Findings

This PIAs concluded that Ontario Health has the authority to carry out the operations of the ISAAC Application as a Health Information Network Provider (HINP) pursuant section 6(2) of O.Reg. 329/04 and may collect and use the personal health information in ISAAC Replication Database as a Prescribed Entity pursuant to section 45 of PHIPA. In addition, Ontario Health is an Electronic Service Provider (ESP) pursuant to section 6(1) of O.Reg. 329/04 and section 10(4) of PHIPA with respect ePREM services it provides to ISAAC sites through its third-party service provider NRC Health. Lastly, Ontario Health is a PHIPA Agent pursuant to section 17 of PHIPA with respect to consent management (fulfilling patient request to no longer participate in ISAAC); Fulfilling individual access request; and Request related to corrections.

The ISAAC Application captures information on the patients' symptoms and functional status using various self assessment tools such as PROMs. Self-assessment information may be entered directly by a patient into an ISAAC kiosk at an ISAAC Site or using personal devices such as home computers through a secure website, through TeleISAAC (though Tele-ISAAC functionality is currently not in use) or recorded on paper and subsequently entered into the ISAAC Application by health care providers. Functional status scores may also be entered into the ISAAC application by clinicians/administrators. Updates to scores may be performed manually by health care workers or ISAAC Site staff using the ISAAC Application.

The ISAAC Application enables the systematic collection PROMs from patient populations at participating sites for a variety of purposes, including the support of local quality improvement and research initiatives, and the evaluation of the appropriateness and effectiveness of surgical interventions.

ISAAC is integrated with Admission Discharge Transfer (ADT) which has helped automated the patient enrolment as well as updates to patient demographic information. The automation will occur through the integration of the hospital's Health Information System (HIS) or Electronic Medical Record (EMR) through the HL7 message. HL7 integration with ISAAC has enabled bi-directional and ini-directional data transfers between ISAAC and the ISAAC site's HIS or EMR.

Risks & Recommendations 

This PIA summary identifies several privacy risks and recommends certain actions be taken by Ontario Health to manage these risks. The recommendations are summarized in below.  

Ontario Health has implemented all of the recommendations from the following PIAs: 

• Patient Reported Outcomes - EPIC Prostate Cancer Pilot Project Privacy Impact Assessment (Updated October 31, 2014 re: Implementation of Recommendations), version 1.0;
• Interactive Symptom Assessment and Collection (ISAAC) Addendum to the 2010 Provincial Palliative Care Integration (PPCIP) Privacy Impact Assessment Report, Admission, Discharge and Transfer(ADT) Integration, version 0.5, November 3, 2014;
• Interactive Symptom Assessment and Collection (ISAAC) Addendum to the 2007 Provincial Palliative Care Integration (PPCIP) Privacy Impact Assessment Report, version 1.1, August 10, 2010;
• Interactive Symptom Assessment and Collection (ISAAC) Addendum to the 2007 Provincial Palliative Care Integration (PPCIP) Privacy Impact Assessment Report, version 1.3, November 2009; and
• Provincial Palliative Care Integration Project Privacy Impact Assessment Report, version 4, January 12, 2007

Ontario Health is currently in the process of implementing the recommendations made in the following PIAs: 

• Expanded ISAAC Application Functionality Privacy Impact Assessment Addendum, version 1.4, August 23, 2019;
• Interactive Symptom Assessment and Collection (ISAAC) Application eClaims Integration Conceptual PIA, version 1.0, August 27, 2019; and
• Hip and Knees PROs in ISAAC Privacy Impact Assessment Addendum, version 1.6, March 2, 2018

The following is a summary of the recommendations currently in the process of being implemented: 

• Agreements should be updated and executed with the relevant stakeholders to ensure roles and responsibilities of the parties are more clearly set out and to protect against unauthorized collection, use and disclosure of personal information and personal health information (PI/PHI);
• In the context of enhancements that will be made to ISAAC that will allow patient's access their own ISAAC data, additional safeguards should be implemented with respect to login; and
• ISAAC procedural documents and FAQs to be updated.

In addition, Ontario Health has put in place a documented procedure for removing patients from ISAAC production database in the event that they no longer wish to participate. Removing the patient from ISAAC will make their information inaccessible to the ISAAC sites. Ontario Health is also logging all access to ISAAC data including (but not limited to) the following: 

• User who accessed the ISAAC data;
• Date and time of access;
• What was accessed; and
• The hospital associated with patient/provider access ISAAC data.

The following security assessments have been completed on ISAAC: 

• Cancer Care Ontario ISAAC Threat Risk Assessment (TRA) (Project 1), June 2010, Final Report;
• Interactive Symptom Assessment & Collection (ISAAC) 2.0 Solution Threat Risk Assessment (TRA), May 2013, Final; and
• Addendum to the ISAAC Threat & Risk Assessment (TRA), November 18, 2014, version 1.2