No place for faxes in healthcare: Ontario IPC

TORONTO – The Office of the Information and Privacy Commissioner of Ontario (IPC) has concluded its review of the high number of privacy breaches at St. Joseph’s Healthcare Hamilton due to misdirected faxes. The IPC became aware of the issue at St. Joseph’s after noticing an unusually high number of reported incidents in the hospital’s 2020 annual statistical report. All health information custodians in Ontario are required by law to submit these reports to the IPC annually.

Misdirected faxes are the leading cause of unauthorized disclosure of personal health information in Ontario. This report provides important insights for health care providers about the risks of using fax machines and what can be done to address these risks and reduce – or even eliminate – this form of communication altogether.

Statistical reports submitted by St. Joseph’s Healthcare Hamilton to the Information and Privacy Commissioner of Ontario for the year 2020, showed 1,006 unauthorized disclosures of personal health information (PHI), with 981 of those disclosures due to misdirected faxes.

Given the large number reported, the IPC opened a file to gather more information about these incidents. In response to the IPC’s request for additional information regarding the circumstances of the misdirected faxes, the hospital conducted a comprehensive review of all the reported instances of misdirected faxes. The IPC learned that the hospital introduced a fax reporting tool, which included a form for staff to report misdirected faxes, in preparation for the mandatory breach reporting requirement under the Act that went into effect in late 2018.

The introduction of the centralized fax incident reporting tool resulted in an increase in the number of fax-related mishaps reported and enabled the hospital to identify the cause of misdirected faxes. As a result of the hospital’s subsequent review, it explained that the number of misdirected faxes was over-reported to the IPC in 2020. It advised that there were 708 incidents in total and that 563 resulted from primary healthcare provider contact information being changed and not updated in its system. 124 instances of the misdirected faxes were caused by hospital error.

In response to questions from the IPC, and after months of working collaboratively with our office to get to the root cause of the issue, the hospital made great strides in reducing not only the risk of sending faxes to the wrong individuals, but its use of this outdated and insecure communication technology.

The hospital has since put in place an “e-referral first” policy for referrals from primary care providers and is actively working with other health system partners in the region to reduce overall use of faxes in favor of more secure electronic solutions for transmitting personal health information.

If a fax must be used to communicate with providers who have not yet adopted more secure electronic solutions, patients are asked to re-confirm the information on file for their primary healthcare provider when they visit the hospital. Staff are being trained on the importance of this critical step and additional tools are now available to them to check if a physician’s fax number is accurate before sending and to identify and respond to any potential errors in a much more timely way.

“Fax machines have no place in modern healthcare delivery,” said Patricia Kosseim (pictured), information and privacy commissioner of Ontario. “Our report reveals the risks to personal health information from misdirected faxes and how to mitigate those risks through proper checks and balances. But more importantly, our report demonstrates the enormous potential for stakeholders to work proactively together, and in coordinated fashion with the ministry, to replace faxes with more secure communication technologies that will strengthen Ontarians’ trust in the healthcare sector.”

Trust in Digital Health is one of four strategic priorities guiding the work of the IPC. It’s the theme of the IPC’s free Privacy Day event on January 27, 2023, which includes a discussion with privacy and health care experts on replacing faxes with more secure forms of digital communication.