Duties and responsibilities

Expectations of physicians in practice

10 ways physicians can prevent privacy breaches when using fax with other healthcare professionals

Originally published July 2014
W14-008-E

When a fax is inadvertently sent to an unintended location, the sender could be in breach of privacy requirements and potentially face legal consequences. Yet, according to privacy experts, faxes are quite commonly misdirected. Physicians and others who have custody or control of personal health information can take steps to prevent privacy breaches stemming from the use of fax. 
 

Misdirected faxes in healthcare settings

The fax remains a frequently used means to communicate patient information among health professionals. However, reported incidents showcase the issue of misdirected faxes and resulting privacy breaches in Canadian healthcare.  Among the more egregious breaches occurred when  60 faxes containing personal health information intended for a medical clinic — but ending up at an unrelated private business — were sent by physicians, pharmacies, and healthcare organizations in Saskatchewan.1  The clinic to which the faxes were sent had been previously closed and its old fax number was reassigned by the phone company — as is the routine practice. In response, the province's privacy commissioner launched an investigation and proposed a set of recommendations to help prevent similar breaches in future. 

Faxes may be misdirected due to factors such as: 

  • cancelled fax numbers that are reassigned to other individuals or businesses, as happens when a medical practice moves or closes
  • errors when manually entering a fax number
  • incorrectly programmed or outdated fax numbers stored in information systems (e.g. electronic medical records)
  • incorrect fax numbers published in medical directories

Privacy legislation generally requires physicians to adopt reasonable safeguards to protect personal health information under their control. When a fax is received in error, the recipient is encouraged to take reasonable precautions to safeguard the information and notify the sender of the error. When a medical practice moves or closes, or the fax number changes for any reason, physicians have a responsibility to provide adequate notification of the change to their business contacts and to update their office's contact information wherever it is known to appear.    
 

Tips to mitigate risks

Faxing personal information presents a confidentiality risk. Even when a fax arrives at the correct fax number, privacy may still be breached if the information is viewed by unauthorized individuals as may occur if the received fax is left unattended in a common area.

Physicians may want to consider more secure methods to transmit patient information if these are available (e.g. secure web mail that transmits data using encryption and is accessible only by authorized users).  Meanwhile, the following practices may help mitigate the privacy risks associated with faxes.2 3

  1. Delegate an employee to be responsible for sending and receiving faxes, and ensure they are trained in faxing procedures and their duty to protect confidential information.
  2. Pre-program frequently used fax numbers. Update numbers as soon as you are notified of any changes.  
  3. Where possible, phone the intended recipient to confirm with that you have the correct fax number before sending sensitive information.
  4. Use a fax cover sheet that clearly identifies you as the sender and your contact information, the intended recipient, the number of pages sent, and a confidentiality statement.4
  5. Check the fax confirmation report to confirm that the fax was received by the intended recipient.
  6. Retrieve materials from the fax machine promptly.
  7. If your fax number changes or is discontinued, send a notification to all your contacts and directory listings. Update your fax cover sheet, website, stationary, and so on. 
  8. Control physical access to faxes and locate the fax machine in a secure area. If using a fax modem, ensure access is password protected.
  9. If you mistakenly send a fax to the wrong location, contact the recipient promptly and request that they destroy the fax in a secure manner (e.g. shredding). Investigate the cause of the error and undertake corrective actions as appropriate to prevent recurrences. Contact the CMPA for advice about notifying the affected patient and your privacy officer (if applicable).
  10. Whenever a privacy breach has occurred, document the actions you have taken to mitigate the situation.

If your office receives a misdirected fax containing patient information:

  1. Contact the sender to advise them of the breach and to help ensure continuity of patient care.
  2. Discuss with the sender how best to dispose of the fax. Do not keep a copy of the fax and do not attempt to forward it to the intended recipient (i.e. leave that to the sender). 
  3. Consider notifying your institution's privacy officer, if applicable.


References

 

1 Saskatchewan Information and Privacy Commissioner. "Report on systemic issues with faxing personal health information", Nov 23, 2010. Retrieved Feb 4 2014 from: http://www.oipc.sk.ca/What's%20New/FINAL-%20Report%20on%20Misdirected%20Faxes%20-%20NOV%2023,%202010.pdf

2 Saskatchewan Information and Privacy Commissioner, "Checklists for Trustees: Misdirected Faxes." Oct. 3, 2013. Accessed Feb. 11 2014 at:  http://www.oipc.sk.ca/Resources/Checklists%20for%20Trustees%20-%20MISDIRECTED%20FAXES%20-%20October%203,%202013.pdf

3 Saskatchewan Information and Privacy Commissioner, "Privacy Considerations: Faxing Personal Information and Personal Health Information." Accessed Feb. 11 2014 at:    http://www.oipc.sk.ca/What's%20New/Faxing%20PI%20and%20PHI%20Guidelines%20-%20June%204%202009%20-%20FINAL.pdf

4 Example of a confidentiality statement: "This fax message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message."   

 


DISCLAIMER: The information contained in this learning material is for general educational purposes only and is not intended to provide specific professional medical or legal advice, nor to constitute a "standard of care" for Canadian healthcare professionals. The use of CMPA learning resources is subject to the foregoing as well as the CMPA's Terms of Use.