Legally Speaking
March 2023
By Evan Thompson Legal Counsel, CPSS

Personal Health Information and the Fax Machine: Risky Business?

Fax machines are an increasingly rare sight in private enterprise but can still be found in just about every health care provider’s office (lawyers’ offices too, for that matter).

Once seen as a highly secure method of communication, some provinces are now pushing to remove fax machines from public service entirely, citing the unacceptable risks of misdirected faxes containing private information.

Here at home, the Office of the Saskatchewan Information and Privacy Commissioner (OIPC) recently reported on a misdirected Saskatchewan Health Authority (SHA) fax message that contained a patient’s personal health information.

The matter was not an isolated incident; the OIPC has investigated more than 40 misdirected fax incidents involving the SHA since 2018.

Physicians are required under the Canadian Medical Association (CMA) Code of Ethics to protect the personal health information of their patients, and may have specific duties as a Trustee under the Health Information Protection Act

Whether working in SHA facilities or otherwise, physicians must ensure that they and their staff adopt safeguards to prevent disclosure of personal health information. Faxes are a common problem area because of the potential for human error at multiple steps, including entry of the recipient’s phone number or using a fax number that is out of date.

One of the suggestions made by the OIPC, when sending a fax to a physician, is to check the recipient’s profile on the CPSS website  [available from the Physician Search function here], as physicians are required to keep that contact information up to date.

While difficulties in sharing electronic medical records may mean the fax machine isn’t going away anytime soon, proper precautions can prevent the disclosure of personal information and avoid a report to the OIPC and/or a complaint to the CPSS.

The CPSS documents Privacy of Health Information  and Physician Use of Electronic Communications provide additional information, and the OIPC website provides detailed guidelines for sending personal health information via fax.  The OIPC has also previously published a Checklist for Trustees: Misdirected faxes that provides supplementary resources.

  Evan Thompson is Legal Counsel at the College of Physicians and Surgeons of Saskatchewan.