Resolution outlines measures to strengthen privacy
September 28, 2022
TORONTO – Despite rapid digital advancements in the healthcare sector, using outdated and vulnerable technologies such as faxes and unencrypted email threatens to erode the public’s confidence that their personal health information is secure. In a joint resolution, Canada’s federal, provincial, and territorial privacy commissioners called for a concerted effort across the healthcare sector to modernize and strengthen the privacy and security of digital health communications.
The joint resolution outlines measures for adoption by governments, health institutions, and healthcare providers. They include:
- Putting in place a coordinated plan backed by government funding and other incentives to support phasing out fax machines and unencrypted email in the delivery of patient care across Canada as quickly as possible
- Promoting the adoption of secure digital technologies and responsible data governance frameworks to protect personal health information against unauthorized access or inadvertent disclosure
“My office urges the government, regulatory colleges, and health information custodians to work together to pull the plug on the use of fax machines and unencrypted email that expose individuals to unnecessary and potentially devastating privacy risks,” said Ontario’s Information and Privacy Commissioner Patricia Kosseim. “Retiring these outdated ways of sharing personal health information is long overdue, particularly when more trustworthy methods are readily available.”
In Ontario, misdirected faxes remain the leading cause of unauthorized disclosure of personal health information. In 2021, health information custodians reported 4,848 privacy breaches from misdirected faxes to the Office of the Information and Privacy Commissioner of Ontario (IPC).
In their joint resolution, the Privacy Commissioners called for hospitals and other healthcare providers to:
- Phase out the use of traditional fax and unencrypted email, as soon as reasonably possible, for communicating personal health information and replace them with modern, secure, and interoperable ways of transmitting personal health information – such as encrypted email services, secure patient portals, electronic referrals and electronic prescribing;
- Design, adopt, and implement responsible data governance frameworks, including the adoption of standards such as those developed by ISO, NIST, or CIS that provide reasonable safeguards to protect personal health information, including constant monitoring of electronic systems, periodic audits of all sources of risk to privacy and security, and effective incident response plans and mitigation measures in the event of a breach;
- In the process of modernizing means of communicating personal health information and before procurement, seek guidance from relevant experts to understand how to evaluate new digital health solutions;
- When evaluating digital health solutions, assess their compatibility with other digital assets, compliance with health information privacy laws, and how they facilitate the rights of individuals to access their own records of personal health information;
- Promote transparency by completing privacy impact assessments and proactively publishing a plain-language summary in a manner that is easily accessible to the public; and
- Use the procurement process to help ensure third-party compliance by establishing contractual requirements for vendors of health information software and services.
To learn more, see: Joint resolution: Securing Public Trust in Digital Healthcare