The Office of the Information and Privacy Commissioner of Ontario (IPC) has concluded its review of the high number of privacy breaches at St. Joseph’s Healthcare Hamilton due to misdirected faxes.

Misdirected faxes are the leading cause of unauthorized disclosure of personal health information in Ontario. This report provides important insights for health care providers about the risks of using fax machines and what can be done to address these risks, and reduce — or even eliminate — this form of communication altogether.

The IPC became aware of the issue at St. Joseph’s after noticing an unusually high number of reported incidents in the hospital’s 2020 annual statistical report. All health information custodians in Ontario are required by law to submit these reports to the IPC annually.

In response to questions from the IPC, and after months of working collaboratively with our office to get to the root cause of the issue, the hospital made great strides in reducing not only the risk of sending faxes to the wrong individuals, but its use of this outdated and insecure communication technology. The hospital has since put in place an “e-referral first” policy for referrals from primary care providers, and is actively working with other health system partners in the region to reduce overall use of faxes in favor of more secure electronic solutions for transmitting personal health information.

If a fax must be used to communicate with providers who have not yet adopted more secure electronic solutions, patients are asked to re-confirm the information on file for their primary health care provider when they visit the hospital. Staff are being trained on the importance of this critical step and additional tools are now available to them to check if a physician’s fax number is accurate before sending and to identify and respond to any potential errors in a much more timely way.

“Fax machines have no place in modern health care delivery,” said Patricia Kosseim, Information and Privacy Commissioner of Ontario. “Our report reveals the risks to personal health information from misdirected faxes and how to mitigate those risks through proper checks and balances. But more importantly, our report demonstrates the enormous potential for stakeholders to work proactively together, and in coordinated fashion with the ministry, to replace faxes with more secure communication technologies that will strengthen Ontarians’ trust in the health care sector.”

Trust in Digital Health is one of four strategic priorities guiding the work of the IPC. It’s the theme of the IPC’s free Privacy Day event on January 27, 2023, which includes a discussion with privacy and health care experts on replacing faxes with more secure forms of digital communication.

 Media inquiries:

 media@ipc.on.ca

Additional resources:

This post is also available in: French