Health

NWT fax privacy breaches continue after calls for change


The Northwest Territories’ healthcare system is again under scrutiny for the longstanding practice of inadvertently faxing sensitive records to the wrong place.

For years, privacy professionals have asked the territory’s health authority to find other means of disseminating records. The authority maintains faxes are still sometimes the simplest, most timely option.

Infamously, healthcare workers accidentally faxed medical records to CBC North in both 2010 and 2012. In 2018, then-privacy commissioner Elaine Keenan Bengts said nine out of 22 reported health privacy breaches in the preceding year had involved faxes ending up in the wrong hands.

Advertisement.

Andrew Fox, Keenan Bengts’ successor as the NWT’s information and privacy commissioner, returned to the issue in his 2020-21 annual report, tabled in the legislature in late November this year.

In one recent incident, a Yellowknife medical clinic faxed a patient’s referrals to Walmart’s pharmacy when the patient had said they would pick up the referrals themselves.

In another mix-up, a health authority employee in Yellowknife faxed someone’s health information to the DMV instead of the Workers’ Safety and Compensation Commission.

“Not infrequently, personal health information has been unlawfully disclosed when using fax machines to transmit personal health information,” Fox wrote, though he added email – on its face a more advanced technology – had also “led to a number of privacy breaches.”

Advertisement.

In his report, Fox said there were 66 privacy breach notifications under the the Health Information Act in 2020-21. Of those, he said, “a concerning number” were connected to fax machines.

He called on the health authority to update its policies and implement better guidelines for faxing if the technology must be used.

Fox reiterated his predecessor’s call for health professionals to stop using fax machines to handle people’s health information.

The territorial government has committed to decreasing its use of fax machines and recently agreed a plan is necessary to eventually stop using faxes in the health sector.

Faxes lead to more privacy breaches

Though the number of reported privacy breaches has not declined compared to previous years, Fox did say he had “observed real improvement of public bodies’ awareness of privacy issues and best practices for appropriate handling of personal information and personal health information.”

The incident in which records intended for the WSCC instead reached the DMV dates to 2018. It appears in the 2020-21 annual report as the commissioner’s final report on the matter was only filed in April 2020.

The information faxed included “a medical progress report including a description of the functional abilities of the individual and a statement made by a medical practitioner that the individual was currently not able to work,” that report states.

The health authority said the employee responsible for the breach had a high workload, was rushing, and forgot to clear the last number they had faxed before sending the next document. 

The authority said it retrieved the information once the error was noticed, notified the person whose information had been faxed, and reviewed faxing protocols with the staff member who made the mistake.

Keenan Bengts, who was still the NWT’s privacy commissioner at the time, questioned why the health authority took more than six months to report the error to her office. Despite many attempts to clarify details of the incident, she wrote, her office never received a sufficient response.

Fox had taken on the commissioner’s role by the time a clinic in Yellowknife accidentally faxed a patient’s referrals to Walmart’s pharmacy.

The referrals were for a medical massage and custom orthotics, but were mixed in with other prescriptions sent to the pharmacy.

When the patient asked the clinical assistant why their referrals had been faxed, the assistant first denied knowing anything about it and then suggested a new staff member in training may have made a mistake.

The workers involved did not report the incident to managers at the health authority. The authority found out only when the patient asked Fox’s office to investigate.

Once that happened, the authority asked Walmart’s pharmacy to seal the referrals in an envelope until they could be picked up.

“This was a commendably quick response,” Fox wrote. “However, this retrieval happened about three weeks after the breach occurred, which means the documents had been in the possession of a non-authorized third party for a significant period of time.”

Fox determined the assistant who faxed the records made an error and the second assistant, who identified the error, did not handle the unauthorized disclosure properly. He said insufficient training contributed to the mistakes.

He also questioned why Walmart’s pharmacy scanned the referrals into its system rather than realizing they had arrived in error.

“Pharmacies are obliged to protect the privacy of individuals and that obligation requires taking the time and making the effort to consider the content of documents received,” he wrote, encouraging pharmacies to be proactive in identifying and dealing with potential privacy breaches.

Advertisement.