St. Joseph’s Healthcare Hamilton reported over 1,000 unauthorized disclosures in 2020
The Office of the Information and Privacy Commissioner of Ontario (IPC) has concluded its review of the high number of privacy breaches at St. Joseph’s Healthcare Hamilton due to misdirected faxes.
The IPC said misdirected faxes are the leading cause of unauthorized disclosure of personal health information (PHI) in Ontario. In 2020, St. Joseph’s submitted its annual statistical report revealing 1,006 unauthorized disclosures of PHI, with 981 disclosures due to misdirected faxes. Given the large number reported, the IPC has reviewed these incidents.
The hospital explained that the number of misdirected faxes was over-reported to the IPC. The hospital also claimed that a contributing factor to the increased use of fax transmissions in 2020 was the COVID-19 pandemic, which caused heightened demand for health information reports to be sent through fax to primary care providers.
Following the IPC’s investigation of the privacy breaches, the hospital has made several changes to prevent a recurrence of these incidents, including improved breach management, patient notification, and reporting. The hospital has also started pursuing plans to eliminate or reduce the use of faxes. It has since implemented an “e-referral first” policy for referrals from primary care providers. The IPC is also actively working with other health system partners in the region to reduce the overall use of faxes in favour of more secure electronic solutions for transmitting personal health information.
“Fax machines have no place in modern health care delivery,” said Patricia Kosseim, information and privacy commissioner of Ontario. “Our report reveals the risks to personal health information from misdirected faxes and how to mitigate those risks through proper checks and balances. But more importantly, our report demonstrates the enormous potential for stakeholders to work proactively together, and in coordinated fashion with the ministry, to replace faxes with more secure communication technologies that will strengthen Ontarians’ trust in the health care sector.”
The IPC was satisfied that the hospital had made reasonable efforts to notify all the affected patients whose personal health information was breached. The IPC has also recognized the steps taken by the hospital to address the problem on a systemic basis.