Ca: Commissioner’s investigation determines that faxing failures put sensitive mental health information at risk.
From the Information and Privacy Commissioner for Nova Scotia:
HALIFAX – Three separate breaches of sensitive mental health information have led Nova Scotia’s Information and Privacy Commissioner, Catherine Tully, to call for improvements in how the health system transmits personal health information. In a new report issued today, the Office of the Information and Privacy Commissioner (OIPC) examined three separate incidents in 2015 and 2016 in which mental health referral forms were mistakenly faxed to a private business. The report draws attention to the obligations private practice physicians and the Nova Scotia Health Authority (NSHA) have to ensure that personal health information in their control is transmitted carefully.
Following news reports in April 2016, the OIPC began investigating the breaches. Each occurred when a private practice physician mis-dialed the fax number for the Bedford-Sackville Community Mental Health Clinic. The faxes ended up at a Bedford business, in part because the fax numbers were only one digit different from each other. The report found a number of additional factors increased the likelihood of similar breaches.
“Without some change to the way the referrals are sent to and received at this Clinic, sensitive mental health information will continue to be improperly faxed to the business,” Tully said. The report highlighted the fact that the overwhelming majority of health information privacy breaches reported to the OIPC are either the result of mis-sent faxes or wrong names selected from a pick-list in an electronic communications tool. These three privacy breaches are part of this larger issue.
“Individuals seeking help for mental health issues place a significant amount of trust in their health care custodians to protect that information. When a custodian fails to actively guard this trust, it creates a negative impact that is outside the affected individuals’ control,” Tully said in the report. “By implementing the recommendations in this report, physicians and the NSHA can demonstrate their willingness to protect that important public trust, and reassure individuals that their personal health information will be actively and vigorously protected.”
The OIPC’s initial reaction was to suggest to the NSHA that the Clinic needed to change its fax number. In the end, the OIPC found that changing the Clinic’s fax number was both an incomplete solution and was likely to have such a significant impact on service to patients that communicating good fax practices and pushing for longer-term change was the more reasonable approach.
Commissioner Tully made three recommendations in her report:
Recommendation #1: That the NSHA red flag the Clinic’s fax number
The Commissioner recommends that the NSHA post a warning notice on the Clinic’s website and revise the referral form to include the warning notice. The notice needs to identify that faxing to the Clinic includes a significant risk of a mis-dial. The NSHA has agreed to take this step.
Recommendation #2: That the NSHA move away from the use of faxed referrals
As a longer-term solution, the Commissioner recommends that the NSHA prioritize the development of an electronic referral system.
Recommendation #3: That physicians implement reasonable security for faxing guidelines
The Commissioner recommends that, to address the risks identified in this report, the approximately 353 physicians who have referred patients to the Clinic in the last year implement the following four best faxing practices:
- Develop a systematic approach for sending faxes, document it and communicate it with all staff. Normally, this will include identifying one person designated to send faxes.
- Enter the Clinic’s correct fax number into the fax machine’s pre-sets and send a test fax to the Clinic.
- Set a reminder to conduct biannual reviews to be sure the Clinic’s fax number hasn’t changed.
- Use cover sheets when sending faxes.