Wednesday, December 22, 2004

Canadian Privacy Firsts: Misdirected faxes leads to joint investigation and report by Alberta and Federal Commissioners

Canada suffers under a tangle of privacy laws, some of which overlap and others that leave gaping holes. In some cases, a number of privacy laws may apply. Misdirected faxes with sensitive information in Alberta over the summer engaged both the Alberta Health Information Act and the Personal Information Protection and Electronic Documents Act, resulting in the first joint investigation and report from the federal and Alberta privacy commissioners. The report is also notable as the Federal Commissioner's report "names names".

The Federal Commissioner's finding is here:

Report: Misdirected faxes containing health information end up in apartment managers' hands - December 21, 2004

Incident

In July 2004, it was reported in the Edmonton Journal that a couple who managed an apartment building had received facsimile transmissions in error from various sources. These transmissions contained personal medical information.

The Office of the Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner of Alberta collaborated in investigating this incident. It was determined that the couple received 10 facsimile transmissions from seven different companies. Some of these transmissions came under the jurisdiction of the Personal Information Protection and Electronic Documents Act (PIPEDA). Two companies were responsible for these transmissions:

  • Dynacare
  • Viewpoint

The following is a summary of the investigation into the incidents.

Summary of Investigation — Dynacare

One facsimile was sent erroneously by Dynacare, which operates medical laboratories, on January 19, 2004. It contained such personal information as the name, age, height, smoking habits, and patient number of an individual who had undergone testing by the company. Also included was a diagnosis and specific medical test results for the individual.

Once the company had been alerted to the privacy breach, it investigated the incident but was unable to determine who was directly responsible for the transmission. It was able to narrow responsibility, however, down to one of five individuals. Our Office confirmed that the facsimile was sent via manual transmission, in other words, the person who sent the facsimile manually keyed in the number.

All five individuals had signed an oath of confidentiality at the time of hiring, and were aware of the confidential nature of the medical records and the need to ensure that they are not inappropriately disclosed. These oaths had not been reviewed since they were signed. The company has developed a new form and will ensure that employees review and sign it annually.

Dynacare also implemented an electronic auto fax function on its computers. Facsimile numbers are entered into the system and checked for accuracy. If an employee wishes to send a facsimile, he or she will use the automated system. Such a measure should minimize the risk of regularly used numbers being misdialed. For numbers that are used infrequently or on a one-time basis (they are not programmed into the system), Dynacare provided employees with a set of instructions that are intended to ensure that they confirm the accuracy of the fax numbers before transmission.

Dynacare is in the process of revising its policies and procedures to ensure full compliance with all applicable legislation, including Alberta's Health Information Act and the PIPEDA.

Although Dynacare had not notified the individual whose personal information was on the facsimile, it indicated that it would consider doing so.

Conclusion

The Assistant Privacy Commissioner concluded that Dynacare disclosed personal information without consent, contrary to the provisions of PIPEDA.

Summary of Investigation — Viewpoint

Viewpoint is a medical organization that provides diagnosis consultation services. The facsimile in question, sent on April 14, 2004, was a medical evaluation. It contained the patient's name, age, occupation, detailed medical history, and also included information about the patient's children. The evaluation was sent by a medical consultant to a Viewpoint physician, who reviewed and made comments on the report. It was then supposed to be sent back to the consultant via facsimile. Two of the numbers, however, were transposed, and the facsimile was sent to the incorrect place. Although the Viewpoint physician made notes to the report, he was not responsible for its transmission and Viewpoint has not been able to determine who in fact sent the facsimile to the wrong number.

When the recipients of the facsimile contacted Viewpoint regarding the transmission they were told to destroy the documentation. Viewpoint indicated to our Office that in future, should any facsimile transmissions containing personal information be sent to the wrong number, Viewpoint will dispatch a courier to retrieve any such records. The company has also taken steps to have all facsimile numbers verified before transmission and has implemented measures to have any incidents reported to management.

As for the patient in question, Viewpoint indicated that it would be more appropriate for the medical consultant to contact the patient regarding the disclosure as they have a doctor-patient relationship.

Conclusion

The Assistant Commissioner concluded that Viewpoint contravened PIPEDA when it disclosed personal information without consent.

Recommendations made to Dynacare and Viewpoint

The Assistant Commissioner made the following recommendations to both companies:

  • That the organizations implement and follow the OPC's recommendations with respect to the transmission of facsimiles as set out in the fact sheet Faxing Personal Information.
  • That the organizations implement measures to notify individuals whose personal information has been inadvertently disclosed via misdirected facsimiles.
  • That the organizations review and update employee confidentiality/privacy agreements on a yearly basis.

The press release from the Alberta Information and Privacy Commissioner is available in PDF at http://www.oipc.ab.ca/ims/client/upload/NR_H2004_IR_001_2.pdf and his report is here: http://www.oipc.ab.ca/ims/client/upload/H2004-IR-001.pdf

From the Edmonton Journal:

Clinics, doctors criticized for fax foul-ups: Privacy commissioner puts onus on offices to ensure information sent to correct number:

"EDMONTON - A new report from Alberta's privacy commissioner is a sharp reminder to health workers that careless faxes can put patient privacy in jeopardy.

Each day, hundreds of fax machines in medical clinics send patient information from one place to another. It's the standard way information is shared among doctors, therapists, laboratories and consultants.

On Tuesday, the commissioner's office released a 16-page report that found two local doctors and three clinics violated the Health Information Act by not handling faxes correctly.

The investigation was launched after The Journal reported in July that a local woman received more than 20 faxes with confidential medical information that were supposed to go to LifeMark Health Institute, a private medical consulting company. Nese Premakumran's fax number was one digit different from LifeMark's...."

No comments: