■ Safety of care:
Improving patient safety and reducing risks
Using fax in your practice? Ten ways to reduce privacy risks
Published: July 2023
The information in this article was correct at the time of publishing
Fax machines continue to be widely used in healthcare, primarily because of the ease and speed of transmitting information. However, faxing personal health information increases the risk of privacy breaches, owing to the fact that faxes are more vulnerable to being inadvertently sent to the wrong number or inappropriately accessed.
Physicians have an obligation to maintain the confidentiality of patient information and must comply with applicable privacy requirements. Privacy legislation generally requires physicians to adopt reasonable safeguards to protect personal health information under their control.
If you use fax in your practice consider taking these steps to reduce privacy risks:1
- Delegate an employee to be responsible for sending and receiving faxes, and ensure they are trained in faxing procedures and are fully aware of their responsibility to protect confidential information.
- Where possible, choose a machine that encrypts transmissions and requires users to key in a password to access and print faxes. If using a fax modem, ensure access is password protected.
- Keep the fax machine in a secure area to prevent unauthorized people from seeing faxed documents.
- Always check that the receiver’s number is correct before faxing a document, and pre-program frequently used fax numbers. Update numbers as soon as you are notified of any changes.
- Send only personal information by fax that you would feel comfortable discussing over the telephone.
- Use a fax cover sheet that clearly identifies you as the sender and includes your contact information, the intended recipient, the number of pages sent, and a confidentiality statement that states the information is confidential and that the recipient should advise the sender if the fax was received in error.
- Check the fax confirmation report to confirm that the fax was received by the intended recipient. If in doubt, phone the intended recipient to verify receipt.
- If your fax number changes or is discontinued, send a notification to all your contacts. Update your fax cover sheet and other business correspondence.
- If you mistakenly send a fax to the wrong recipient, contact the recipient promptly and request that they destroy the fax in a secure manner (e.g. shredding). Investigate the cause of the error and undertake corrective actions as appropriate to prevent recurrences. Contact the CMPA for advice about notifying the affected patient and privacy commissioner.
- If a privacy breach has occurred, document the actions you have taken to mitigate the situation.
If your office receives a misdirected fax containing patient information:
- Contact the sender to advise them of the breach and to ensure the information is redirected to the correct recipient.
- Confirm with the sender that the fax will be destroyed in a secure manner (e.g. shredded). Do not keep a copy of the fax and do not attempt to forward it to the intended recipient (i.e. leave that to the sender).
The end of the fax era?
Privacy commissioners and governments across Canada are urging that the use of fax machines be phased out in healthcare. The Ontario government, for example, has said it intends to phase out faxes in the healthcare system within the next five years.2 The Office of the Privacy Commissioner of Canada, together with its provincial and territorial counterparts, are encouraging organizations handling personal health information to replace fax with more secure channels such as encrypted email, patient portals, electronic referrals, and electronic prescribing.3
While the transition to all-digital communication in the healthcare system will clearly take some time and involve many parties including medical offices, hospitals, labs and pharmacies, the momentum for such a change continues to grow.
Office of the Privacy Commissioner of Canada. OPC; 2023 Mar 7. Consider the risks: Faxing personal information [cited 2023 May 24]. Available from: https://www.priv.gc.ca/en/privacy-topics/technology/02_05_d_04/
Government of Ontario. 2023 Feb 8. Your Health: A Plan for Connected and Convenient Care [cited 2023 May 24]. Available from: https://www.ontario.ca/page/your-health-plan-connected-and-convenient-care
Office of the Privacy Commissioner of Canada. OPC; 2022 Sept 21. Resolution of the Federal, Provincial and Territorial Privacy Commissioners and Ombudspersons with Responsibility for Privacy Oversight [cited 2023 May 24]. Available from: https://priv.gc.ca/en/about-the-opc/what-we-do/provincial-and-territorial-collaboration/joint-resolutions-with-provinces-and-territories/res_220921/