Nova Scotia’s privacy commissioner is urging the provincial health authority to stop allowing doctors to send faxes with sensitive information and move to an electronic system after discovering that physicians have for years been sending documents containing personal information to a business instead of a mental health clinic.
The cause: Mis-dialing the clinic’s fax number.
It’s another example of how simple mistakes made by employees do more to turn the hair of chief security and privacy officers grey than anything else. Everything from misconfiguring devices, clicking on attachments and sharing passwords to mis-spelling a name in an email address can cause a security breach.
So, too, can mis-dialing phone numbers on fax machines. Yes, a number of organizations still use fax machines for sending data, particularly in the health care field where paper is the most trusted form of documentation. But a fax sent to the wrong number can cause a major privacy breach.
That’s what has been happening in Nova Scotia, where for years a private business has been receiving faxes from family doctors referring patients to a mental health clinic with a similar fax number. It got bad enough that Catherine Tully, the Information and Privacy Commissioner, stepped in to investigate.
Her report, issued Wednesday, is clear: Employees have to take time when sending electronic or paper documents. That means defining best practices and making sure employees know and respect them.
But, she added, in the long term doctors in the province have to stop using faxes to send sensitive information and turn to a secure electronic system.
“Faxing requires careful attention to detail,” Tully wrote. “The more sensitive the information, the more care is required. In this case it was momentary inattention – essentially human error by three different individuals that resulted in exactly the same error occurring. We conclude that the likelihood of this error occurring again is heightened by the fact that the two fax numbers of the two organizations are so similar.”
But it also raised the question of whether the days of using faxes for sending sensitive information are numbered.
The issue came to her attention in April when CBC News reported that the owner of a Bedford, N.S., business had been receiving mental health referral information on her fax machine instead of going to the Bedford-Sackville Mental Health Clinic. The clinic’s fax number is 902-865-xxxx. The fax number at the business is 902-835-xxxx.
An investigation by the regulator found a recurring pattern: The private business had been getting between nine and 15 faxes each year for at least the last 13 years. The business owner tried calling the sending physicians and the health authority to complain, in vain. Meanwhile, she shredded most of the records, keeping only a few recent ones to prove the incidents were happening. All three of the retained faxes came from different doctors’ offices, suggesting the mis-dialing wasn’t just one person’s mistake.
Initially privacy investigators thought the Nova Scotia Health Authority should just order the clinic to change its fax number, but the authority and the clinic’s telecom provider convinced the regulator that this posed a number of problems, including a significant risk to service delivery for patients of the clinic. So it focussed instead on training to highlight the importance of good fax practices. The commissioner’s office will contact the 353 physicians who referred patients to the clinic within the last year to remind them and their staff of the importance of being careful when faxing sensitive personal health information.
This isn’t the first privacy report on the perils of faxing sensitive information, Tully noted. In fact, she said, tip sheets and policies on faxing best practices are easily found on a number of Canadian privacy commissioners’ Web sites.
One of the first best practices is: “Faxing is not preferred and should be used only if necessary” because by its nature it is not reasonably secure.
If it is necessary, there should be policies to make it as secure as possible, including locating fax machines in a closed and monitored area and using encryption, key locks and confidential mailboxes.
Tully made three recommendations:
– The Nova Scotia Health Authority should post a warning notice on the Bedford clinic’s website and revise the patient referral form to include a warning notice that faxing the clinic poses a significant risk of a mis-dial. The NSHA has agreed to take this step;
– the authority should move away from allowing faxed referrals and to an electronic referral system. In a statement the authority said the recommendation “is being reviewed”;
– and Nova Scotia physicians should implement reasonable security faxing guidelines.
Those should include developing a systematic and documented approach for sending faxes, which would then be communicated to all staff. Normally, this will include identifying one person designated to send faxes; entering the Bedford clinic’s correct fax number into a fax machine’s pre-sets; conducting biannual reviews to be sure the clinic’s fax number hasn’t changed; and using cover sheets when sending faxes.
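The two technical controls in that list, sending only to vetted pre-sets and reviewing those pre-sets periodically, can be enforced in software rather than left to memory. The following is an added illustration, not code from the commissioner’s report or the health authority: a small Python module that models a pre-set directory, blocks manually keyed destinations, flags numbers that differ from a sensitive pre-set by only a digit or two (the 865 versus 835 pattern described above), and reports pre-sets that have drifted from an authoritative listing. The directory entry, its last four digits and the “authoritative” listing are constructed placeholders; the report redacts the real numbers as 902-865-xxxx and 902-835-xxxx.

```python
"""Added example: a vetted fax pre-set directory with near-miss detection.

Constructed for illustration. The preset name and the last four digits of the
number are placeholders; the report only gives the clinic's number as
902-865-xxxx and the business's as 902-835-xxxx.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed directory: the only destinations a referral may be sent to.
PRESETS: Dict[str, str] = {
    "bedford-sackville-mhc": "902-865-0000",  # placeholder digits, not the clinic's number
}


def normalize(number: str) -> str:
    """Keep digits only so '902-865-0000', '(902) 865 0000' and '9028650000' compare equal."""
    return re.sub(r"\D", "", number)


def digit_distance(a: str, b: str) -> Optional[int]:
    """Number of differing digit positions (Hamming distance); None if lengths differ."""
    if len(a) != len(b):
        return None
    return sum(x != y for x, y in zip(a, b))


@dataclass
class Decision:
    allowed: bool
    preset: Optional[str] = None        # which pre-set matched, if any
    warnings: List[str] = field(default_factory=list)


def check_destination(entered: str, presets: Dict[str, str] = PRESETS,
                      max_distance: int = 2) -> Decision:
    """Allow a send only when the keyed number exactly matches a pre-set.

    A number within `max_distance` digits of a pre-set is reported as a
    probable mis-dial so the sender sees *which* destination was intended;
    anything else is blocked as not being in the directory.
    """
    digits = normalize(entered)
    for name, number in presets.items():
        if digits == normalize(number):
            return Decision(allowed=True, preset=name)

    decision = Decision(allowed=False)
    for name, number in presets.items():
        dist = digit_distance(digits, normalize(number))
        if dist is not None and dist <= max_distance:
            decision.warnings.append(
                f"{entered} differs from preset '{name}' ({number}) in {dist} digit(s): "
                "possible mis-dial"
            )
    if not decision.warnings:
        decision.warnings.append(
            f"{entered} is not a pre-set destination; manually keyed numbers are blocked by policy"
        )
    return decision


def audit_presets(presets: Dict[str, str],
                  authoritative: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """The periodic review: report pre-sets whose number no longer matches the
    authoritative listing (or that have no listing at all).

    Returns {preset name: (stored number, current number or None)}.
    """
    stale = {}
    for name, number in presets.items():
        current = authoritative.get(name)
        if current is None or normalize(current) != normalize(number):
            stale[name] = (number, current)
    return stale


if __name__ == "__main__":
    # Constructed inputs: the correct number, a one-digit mis-dial, and an unknown number.
    for keyed in ("902-865-0000", "902-835-0000", "416-555-0000"):
        d = check_destination(keyed)
        print(keyed, "->", "ALLOW" if d.allowed else "BLOCK", d.preset or "", *d.warnings)
    print("stale presets:", audit_presets(PRESETS, {"bedford-sackville-mhc": "902-865-0001"}))
```

The point of the near-miss check is that the two numbers in this case share ten of eleven digits, so a plain “not in directory” rejection would tell the sender nothing useful; naming the intended pre-set does. Running the audit against whatever the clinic publishes as its current number is the automated counterpart of the biannual review the report asks for.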
“Privacy is fundamentally important to patients and the delivery of health care and service,” the authority said in its statement. “Although the breaches that underlie this report were not actions by staff of Nova Scotia Health Authority, the authority has worked with the OPIC (office of the information privacy commissioner) on the review of these breaches and on the search for ways to remedy the issue.”