Store keeps receiving faxed health records

REGINA – Saskatchewan’s privacy commissioner wants the Saskatoon Health Region to ensure its employees follow the rules when it comes to faxing personal health information after a patient’s test results were sent to a computer store – for the second time.

Details of the privacy breach are outlined in an October decision released by Saskatchewan Information and Privacy Commissioner Ron Kruzeniski (pictured).

On Sept. 7, Kruzeniski said someone from Kelly’s Computer Works, a store located in North Battleford, contacted his office saying that it had received a fax from the non-invasive cardiology unit at St. Paul’s Hospital, located in the Saskatoon Health Region.

The report says the fax was addressed to a doctor and contained results from a patient’s exercise tolerance test.

The patient’s name, health card number, date of birth and type of medication they were taking were among the “highly sensitive” personal health information included in the fax, Kruzeniski found.

“I find that [health region’s] faxing practices do not follow its internal policy and procedure regarding faxing personal health information,” he wrote.

The report says staff at the computer store deleted the fax and the health region contained the breach, compiled an internal investigation report and notified the patient about the breach.

According to Kruzeniski’s report, the health region indicated it was a medical office assistant who sent the fax. The employee entered the number manually and had one digit wrong.

“This is not the first instance in which the Non-Invasive Cardiology Department at St. Paul’s Hospital inadvertently sent a fax to Kelly’s Computer Works,” intended for a specific doctor, the report reads.

Kelly’s Computer Works had previously received a misdirected fax from the same department in January 2017.

To prevent future breaches, Kruzeniski recommends the health region follow its existing policies when it comes to sending internal faxes.

The health region says it sends faxes to too many different numbers to program them, and that its fax machine is unable to block outgoing fax numbers like the computer store’s.

The report also called for mandatory privacy training for Saskatoon Health Region employees, but the health region said that was a tall order considering the ongoing amalgamation from 12 health regions into one.