PET E-tool Privacy for Healthcare Providers
Here we set out our privacy roles and responsibilities related to the PET Scans Ontario program, and describe how we meet them. This information is intended for healthcare providers, and hospital privacy officers, administrators and security officers.
The PET E-tool
The PET E-tool provides web-based forms to physicians to request PET scans for their patients. It also provides web-based forms to PET centres to submit results from PET scans performed at their institutions.
CCO uses the PET scan data collected from physicians and PET centres to analyze and report on the use and effectiveness of PET scans. We provide aggregate-level reports to the Ministry of Health and Long-Term Care and the PET Steering Committee.
Information Collected in the PET E-tool
Physicians collect the following personal health information about patients through the PET E-tool:
- Demographic Information: Patient’s name, birth date, gender, health card number, phone number, province and postal code
- Provider Information: Referring physician name, phone number, fax number, email and CPSO number, PET scan reading physician name
- Healthcare Facility Information: PET centre
- Clinical Information: Disease information, diagnosis, clinical and pathological stage, purpose for PET scan, prior imaging studies, biomarkers, and other relevant clinical documentation
- PET Scan Result Information: PET scan date, PET scan findings, and source and type of radiopharmaceutical used
This information is kept in a secure database at CCO.
CCO’s Legislative Authority to Collect, Use and Disclose Personal Health Information
CCO has 3 different types of legislative authority under the Personal Health Information Protection Act, 2004 (PHIPA).
Health information custodians
The collection, use, and disclosure of personal health information (e.g. patient name, health card number and PET scan results) by healthcare providers and CCO is governed under the Personal Health Information Protection Act, 2004 (PHIPA). This Act establishes the rules that “health information custodians” and other parties in the healthcare continuum must comply with in managing the confidentiality of patient information. Referring physicians and PET centres, for example, are classified as “health information custodians” under section 3(1) of PHIPA.
Health information network provider
In providing the PET E-tool to health information custodians so they can share information about their patients, CCO is acting as an agent, as the term is defined in section 2 of PHIPA, of the health information custodians, and as a “health information network provider” as defined in section 6(2) of the Regulation to PHIPA. This section describes a health information network provider as a person who enables 2 or more health information custodians (e.g., physicians and PET centres) to use electronic means to share personal health information. In this capacity, our use of personal health information collected through the PET E-tool is strictly limited to that which is necessary to support the provision of information technology services.
CCO manages the PET Access Program domain. This includes facilitating an adjudicative process to determine patient eligibility to receive a PET scan. Under the PET Access Program domain, on behalf of the physicians and with a patient’s express consent, we anonymize PET scan request packages received through the PET E-tool and provide the packages to a clinical expert panel. The panel reviews each PET scan request and determines a patient’s eligibility to receive a PET scan.
CCO is listed as a “prescribed entity” under section 18 of the Regulation to PHIPA. Prescribed entities are organizations permitted under PHIPA to collect personal health information without a patient’s consent from health information custodians (e.g., referring physicians and PET centres) for the purposes of analysis or compiling of statistical information with respect to the evaluation, monitoring, management or planning of all or part of the healthcare system, or for allocating resources, including the delivery of health services (per section 45(5) of PHIPA).
Part of our mandate, for example, is to plan and coordinate Ontario's cancer services. Section 45(6) of PHIPA permits prescribed entities to use personal health information (without the patient’s consent) for the same purpose. This means that we are permitted to collect personal health information about cancer patients from healthcare providers and use this information to plan and coordinate cancer services in the province.
PET Registry and PET Insured Services Domains
Healthcare providers may assume they have a patient’s implied consent to collect, use and disclose personal health information to provide or help provide healthcare, unless they know a patient has specifically withheld or withdrawn consent for this purpose.
The express instructions of a patient to withhold or withdraw consent for the use or disclosure of personal health information for purposes related to healthcare are described in sections 20(2), 37(1)(a) and 38(1)(a) of PHIPA. They are commonly called the “lock box.” This means that healthcare providers can assume they have their patient’s consent to submit and/or access the patient’s information through the PET E-tool for the purpose of providing care under the PET Registry and PET Insured Services domains. However, patients may “lock” their personal health information from use by or disclosure to a particular provider or organization.
When a patient chooses to “lock” their information, the information should not be entered into the PET E-tool (or, where applicable, will be removed from it).
PET Access Program Domain
Under the PET Access Program domain, healthcare providers must have the patient’s express consent to provide their information to CCO through the PET E-tool for the purpose of determining their eligibility to receive a PET scan.
Privacy Roles and Responsibilities of PET E-tool Users
Physicians and PET centres are defined as “health information custodians.” That means they are subject to specific privacy requirements outlined in PHIPA. These include requirements to:
- appoint a privacy contact person
- have a privacy program
- notify affected patients if their personal health information is lost or stolen
CCO hosts the PET E-tool to give referring physicians and PET centres a secure way to share patient data relating to PET scans with one another for the purposes of completing PET scans for patients. The shared data includes personal health information. In this role, we are a “health information network provider.” We must comply with specific requirements set out in section 6(3) of the PHIPA Regulation. For a detailed description of how we comply with these requirements, see the Privacy page or email the CCO Legal & Privacy Office.
Physicians and PET centres also use the PET E-tool to disclose information related to PET scans to CCO for the purposes of planning, managing and coordinating PET scan services in the province. As a “prescribed entity” under PHIPA, we are required to make publicly available a description of our functions and the privacy practices in place to protect the personal health information we collect (per section 18(2) of the PHIPA Regulation). Our Statement of Information Practices meets this requirement.
The Information and Privacy Commissioner/Ontario must review and approve our privacy practices every 3 years (per section 45(4) of PHIPA).
Access to the PET E-tool – Audit Log
The PET E-tool includes a role-based administrative function so privacy officers (or their delegates) can produce an audit log of accesses to and transfers of information held in the PET E-tool. The CCO Service Desk will support users in this function upon request.
Threat Risk Assessment
CCO conducted a threat risk assessment that included an analysis of the PET E-tool, and the servers and network supporting it. A copy of the assessment is available to hospital privacy or security officers who sign a non-disclosure agreement. For more information, please email the CCO Legal & Privacy Office.
More About the PET E-tool and Privacy
Also see PET E-tool Privacy for Patients for information to share with patients, and details about these topics:
- Access to personal health information in the PET E-tool
- Safeguards to protect personal health information in the PET E-tool
For more information about the PET E-tool, call the PET Information line at 1-877-473-8411.
View the Privacy page to learn more about our privacy practices and Privacy Program.