Health Information Shouldn’t Be Shared Via Fax or Unsecured Email, Privacy Commissioners Urge

The practice of sharing sensitive health information via fax or unencrypted email needs to stop, according to a joint statement from Canada’s privacy commissioners.

On September 21, Philippe Dufresne, the Privacy Commissioner of Canada, endorsed a resolution along with his provincial and territorial counterparts calling on governments to implement a digital health communication infrastructure to replace faxes and unencrypted emails with more secure alternatives.

“Ensuring that the shift to digital health care is secured by reasonable administrative, technical and physical safeguards is critical to maintaining Canadians’ trust in the health system,” the resolution reads. “Furthermore, the adoption of secure digital technologies can provide relief from the administrative, financial and reputational costs associated with privacy breaches.”

Breaches Caused By Insecure Communications

The privacy commissioners said fax machines and unencrypted emails – along with snooping cases and ransomware attacks – have led to numerous privacy breaches in the health-care sector.

To reduce these breaches, the privacy commissioners are urging governments to:

  • develop a plan to phase out the use of fax machines and unencrypted emails and replace them with more secure methods of communication;
  • ensure that digital health infrastructure is available to all Canadians, including people in remote communities, marginalized groups and vulnerable populations;
  • promote the adoption of secure technologies and responsible data governance frameworks; and
  • amend laws and regulations to provide meaningful penalties for health-care providers that do not take adequate measures to protect personal health information.

The privacy commissioners are also calling on health-care providers to:

  • replace fax machines and unencrypted emails with more secure methods of communication as soon as feasible;
  • develop data governance frameworks to protect personal health information;
  • seek guidance from experts to evaluate digital health solutions;
  • assess the compatibility of digital health solutions with existing digital assets and compliance with health and privacy laws;
  • complete a privacy impact assessment and publish a plain-language summary; and
  • use a procurement process that ensures third parties are compliant with applicable laws.

Breaches May “Set Back Public Trust in the Health System”

As we’ve discussed in previous blogs, the average cost of a data breach hit a record-high US$4.35 million this year and most breaches have the potential to cause significant harm to affected individuals.

“Furthermore, breaches can consume an inordinate amount of time and effort to contain and remediate, taking away valuable health resources from other important services,” the privacy commissioners warned in their resolution. “Misdirected communications and data breaches can also create delays in the delivery of care to individuals, cause harm to institutions’ reputations, and set back public trust in the health system.”

With so much at stake, health-care organizations would be well advised to act now to ensure they are taking the necessary steps to protect personal health information. The lawyers in the MLT Aikins Privacy, Data Protection and Cybersecurity group have extensive experience advising health-care providers on procurement processes, implementing data governance frameworks and conducting privacy impact assessments. Contact us to learn how we can help.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.