4,848 Reasons to Retire Your Fax Machine and Other Unsecure Communication Methods

Canada’s privacy commissioners call on health care providers to replace fax machines and unencrypted emails with modern, secure, and interoperable ways of transmitting personal health information.


Although the use of fax machines in the health sector is widespread, this may soon no longer be the case. Noting that in 2021 in Ontario alone, almost 5,000 reported health information privacy breaches were due to misdirected faxes, the Information and Privacy Commissioner of Ontario (IPC) has stated:

It is high time for all custodians to phase out their dependence on fax machines and to encrypt email communications in service delivery. More modern and trusted communication methods are now reasonably affordable and amply available. As technologies evolve, so too should our response to privacy risks.

According to the IPC, the technology that revolutionized the office environment back in the 1980s, which is considered outdated today due to its lack of security, is among the most notable threats to privacy. As reported in Access and Privacy: Cornerstones of a Digital Ontario, the IPC’s 2021 Annual Report, 4,848 unauthorized disclosures of personal health information due to misdirected faxes were reported to the IPC by health information custodians in 2021. This figure includes every reported misdirected fax, which may include cases where misdirected faxes were sent to many recipients, or to individuals.

Misdirected emails were also a common source of privacy breaches, and the numbers are growing: in the health sector, the number of reported breaches resulting from such incidents grew from just over 430 in 2018 to nearly 1,200 in 2021, representing a whopping 271 per cent increase. Other, more serious sources of privacy breaches include employee snooping (accounting for 21 per cent of self-reported health privacy breaches) and cyberattacks (24 of which were reported to the IPC in 2021, double the number of reported attacks in 2020).

In a recent statement, Philippe Dufresne, the Privacy Commissioner of Canada, along with provincial and territorial counterparts, endorsed “Securing Public Trust in Digital Healthcare”, a resolution calling on governments to implement a plan to ensure a secure digital health infrastructure that is accessible to all Canadians, including those living in remote areas, among marginalized communities and within vulnerable populations (the “Resolution”). Ontario’s Privacy Commissioner, Patricia Kosseim, supported the effort, rallying government, regulatory colleges, and health information custodians to work together to “pull the plug” on devices that expose individuals to privacy risks [1].

Greater penalties proposed for those who don’t take meaningful preventative measures

The Resolution reminds us that personal health information (PHI) is among the most sensitive types of information about an individual and that privacy breaches can cause significant harm to those affected by way of stigmatization, discrimination, and financial and psychological distress. To help minimize such harms, the Resolution calls for amendments to laws and regulations in order to provide significant penalties for those who do not take proper preventative measures. The Resolution calls on health care providers to:

  • Phase out traditional fax machines and unencrypted email as soon as reasonably possible and replace them with modern, secure, and interoperable ways of transmitting personal health information, such as encrypted email services, patient portals, electronic referrals, and electronic prescribing

  • Develop responsible data governance frameworks to protect personal health information

  • Seek guidance from experts to help evaluate digital health solutions

  • Assess the compatibility of digital health solutions with existing digital assets and compliance with health and privacy laws

  • Promote transparency by completing a privacy impact assessment and publishing a plain-language summary that is accessible to the public

  • Use a procurement process that ensures third-party compliance with applicable laws

We have extensive experience assisting health care providers in preventing and managing privacy breaches. Please contact us to find out more about how we can help you meet the Federal and Provincial Privacy Commissioners’ new expectations.

By Rebecca Field Jager

[1] Enano, K. (2022). Privacy Commissioner joins call to strengthen privacy and security of digital health communications. Law Times. http://www.lawtimesnews.com
