"Axe the fax": Ontario privacy commissioner pushes to discontinue fax machines in health care settings

8 minute read
17 March 2023


The Ontario Ministry of Health's commitment to "axing the fax"

On Feb. 2, 2023, the Ontario Ministry of Health released its new health care plan, entitled Your Health: A Plan for Connected and Convenient Care. As part of the plan, the Ministry of Health committed to "axing the fax," and replacing antiquated fax machines with digital communication alternatives at all Ontario health care providers within the next five years. The plan expressly notes that this commitment has its roots in improving patient privacy.

Because of this commitment, Ontario health care providers may soon be required to replace fax machines with more secure digital communication technologies.

Joint resolution of the privacy commissioners on Securing Public Trust in Digital Healthcare

This commitment by the Ontario Ministry of Health does not come as a surprise. In recent months, privacy concerns associated with fax machines have risen to the forefront. Privacy Commissioners across Canada have taken a clear and consistent public position with respect to the use of fax and other unsecure technologies in communicating personal health information.

On September 21, 2022, a joint resolution on Securing Public Trust in Digital Healthcare was released by the federal, provincial and territorial privacy commissioners. In this joint resolution the commissioners called on governments, health sector institutions and health providers to show concerted effort, leadership and resolve in implementing modern, secure and interoperable digital health communication infrastructure. 

This included a call for health care providers to phase out and replace traditional fax and unencrypted email systems for communicating personal health information with modern, secure and interoperable systems "as soon as reasonably possible." Examples provided included encrypted email services, secure patient portals, electronic referrals and electronic prescribing.

On March 7, 2023, the Office of the Privacy Commissioner of Canada also updated its guidance on how to reduce privacy risks when utilizing fax machines, recommending first and foremost that the technology be discontinued. Their guidance highlights that the risks from using fax machines are not limited to the health sector.

The Ontario Information and Privacy Commissioner's report on St. Joseph Healthcare Hamilton's misdirected faxes

This call by the privacy commissioners, and the responding commitment of the Ontario Ministry of Health is not unfounded. According to the Ontario Information and Privacy Commissioner (IPC), misdirected faxes are the leading cause of unauthorized disclosure of personal health information in Ontario.[1]

Indeed, an IPC report released on January 17, 2023, highlights the high number of fax-related privacy breaches at just one Ontario health care institution alone,  St. Joseph's Healthcare Hamilton. The report also provided an opportunity for the IPC to clarify its position with respect to the ongoing discussion among Canadian privacy commissioners on the use of fax machines in health care settings.

"Fax machines have no place in modern health care delivery," said Ontario Information and Privacy Commissioner Patricia Kosseim in the report's accompanying press release. "Our report reveals the risks to personal health information from misdirected faxes and how to mitigate those risks through proper checks and balances. But more importantly, our report demonstrates the enormous potential for stakeholders to work proactively together, and in coordinated fashion with the ministry, to replace faxes with more secure communication technologies that will strengthen Ontarians' trust in the health care sector."[2]

The IPC's report discloses that St. Joseph's experienced 708 total privacy breaches arising from misdirected faxes. Of these incidents, the hospital advised that 563 were the result of out-dated provider information remaining in the hospital's system, and 124 arose as a result of miscommunication regarding provider contact information with registration and clinic staff, or human error. The IPC was satisfied that St. Joseph's took adequate steps to notify the 124 individuals affected by those misdirected faxes.

While not convinced that there was no breach at all with respect to the remaining 563 misdirected faxes, the IPC did not determine whether each particular transmission was authorized due to the large number of incidents. The IPC was nonetheless satisfied that the matter was sufficiently addressed through the hospital's detailed review of the incident, its report outlining all of its efforts to prevent future misdirected faxes and its clear commitment to reducing its reliance on fax technology.

The hospital committed to making several process improvements to facilitate identifying and correcting incorrect health care provider information in their system. The most "impressive and impactful result" of the hospital's remediation efforts identified by the IPC, however, was the 6,600 additional care providers who had been set up on a secure electronic portal to receive patient records and reports since 2020.

In addition to an array of enhanced breach response measures, governance and oversight on privacy generally, and process improvements in relation to faxes, the hospital also committed to pursuing a number of initiatives to reduce the use of fax machines, both internally and in partnership with other health care organizations and providers in the region. For example, the hospital implemented an e-referral first approach for referrals in several clinical areas. It is also conducting a review of the transfer of records, particularly those transferred between primary care providers and the hospital.

What does this mean for health care organizations?

If you are a health care provider or an organization that relies on fax machines as a core means of receiving and sharing personal health information, or other highly sensitive personal information, the need to transition away from this technology should be on your radar. The positive comments of the IPC in its report regarding St. Joseph's commitment to reducing its reliance on fax machines show that a commitment to "axing the fax" may help health care providers and organizations avoid the kind of breaches these machines have become known for.

NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.