Commissioner expressed support to phase out fax and unencrypted email usage in healthcare sector
The Information and Privacy Commissioner of Ontario has joined federal, provincial, and territorial privacy commissioners’ mounting call to modernize and strengthen the privacy and security of digital communications in the healthcare sector.
During their meeting last month, Privacy Commissioner of Canada Philippe Dufresne and his provincial and territorial counterparts endorsed a resolution to ensure that a secured digital health infrastructure is available to all Canadians, including those living in remote areas, among marginalized communities, and within vulnerable populations.
The resolution entitled “Securing Public Trust in Digital Healthcare” notes that Canada’s health sector continues to experience serious resource constraints and staff shortages aggravated by more than two years of surges in demand for emergency care brought on by the ongoing COVID-19 pandemic, and these problems have spurred innovation in the delivery of services, including through virtual care visits and other forms of digital health communications.
The resolution also stresses that despite the rapid digital advancements in the healthcare sector, breaches still occur due to the use of unsecured communication technologies, such as traditional fax machines and unencrypted emails, unauthorized access to health records by employees, and cybersecurity attacks.
Accordingly, the resolution outlines several measures for adoption by governments. They include:
- Developing a strategic plan and providing appropriate supports, funding, or other incentives to phase out the use of traditional fax and unencrypted email and replace them with “more modern, secure, and interoperable” digital alternatives;
- Promoting the adoption of secure digital technologies and responsible data governance frameworks that provide reasonable protection of personal health information against unauthorized access or inadvertent disclosures;
- Amending laws and regulations to further provide for penalties, including administrative ones, for healthcare institutions and providers not taking reasonable measures to protect personal health information and individuals unlawfully collecting, using, or disclosing personal health information.
Moreover, the resolution urges healthcare institutions and providers to phase out the use of traditional fax and unencrypted email for communicating personal health information and replace them with “modern, secure, and interoperable” ways of transmitting personal health information, such as encrypted email services, secure patient portals, electronic referrals, and electronic prescribing.
“My office urges the government, regulatory colleges, and health information custodians to work together to pull the plug on the use of fax machines and unencrypted email that expose individuals to unnecessary and potentially devastating privacy risks,” Commissioner Patricia Kosseim said. “Retiring these outdated ways of sharing personal health information is long overdue, particularly when more trustworthy methods are readily available.”
The resolution also encourages healthcare institutions and providers to promote transparency by completing privacy impact assessments and proactively publishing a plain-language summary in a manner that is easily accessible to the public. In addition, they are advised to seek guidance from relevant experts to learn how to evaluate new digital health solutions while modernizing the means of communicating personal health information and before procurement.