St. Joe’s to go ‘fully paperless’ after misdirected faxes, privacy breaches
St. Joseph's Healthcare Hamilton says it's working to become a "fully paperless organization" in the wake of a review by Ontario's privacy commissioner that found misdirected faxes to be the driver behind hundreds of recent privacy breaches at the hospital.
The Information and Privacy Commissioner of Ontario (IPC) began probing St. Joe's last year after noticing the hospital reported an "unusually high" number of patient file breaches in 2020.
In a report released Tuesday, the IPC said St. Joe's initially reported more than 1,000 unauthorized disclosures of personal health information in 2020, with a vast majority - 981 - coming from misdirected faxes.
But a months-long review later found that initial number to be greatly inflated because of an outdated tool the hospital used to identify misdirected faxes, the IPC said.
The true number of privacy breaches at St. Joe's in 2020 was in fact 708, with 563 stemming from health records being faxed to patients' primary-care providers who'd unknowingly changed numbers. Nearly a quarter of the misdirected faxes occurred because of a hospital staffing error, the IPC said.
The report underscores the risks fax machines pose to personal health information and the need to replace them with more secure forms of communication technology, said Ontario privacy commissioner Patricia Kosseim.
"Fax machines have no place in modern health-care delivery," Kosseim said in a release.
Misdirected faxes were just one in a string of several privacy-related blunders at St. Joe's last year that came under fire from experts, sparked an IPC probe and even led to an employee being fired.
The Spectator extensively reported on those incidents, raising pertinent questions about the hospital's transparency record and how it disciplines insubordinate staff. One Spec analysis found St. Joe's reported 2,183 privacy breaches to the IPC between 2018 and 2020 - the second-most in Ontario.
The IPC said its joint review with St. Joe's had led to sweeping changes at the hospital. Most notably, St. Joe's created a new executive position exclusively dedicated to protecting patient privacy and installed a more secure electronic health record system. Other changes include:
- Increased governance over the collection, use and disclosure of personal health information;
- A protocol for responding to privacy breaches;
- Bimonthly reviews of fax incidents;
- Warnings of disciplinary consequences for noncompliance, up to and including termination;
- Mandatory privacy training for all staff, in addition to existing training requirements upon hire;
- And an annual requirement for all staff to attest to confidentiality.
The IPC lauded the changes at St. Joe's, referring to them in the report as "meaningful improvements" that will significantly reduce misdirected faxes and protect patient privacy.
In a statement to The Spec, St. Joe's reiterated its commitment to discontinuing the use of fax machines and, eventually, becoming a "fully paperless organization."
"St. Joe's has since implemented a 'digital first, no fax' policy, which means, wherever possible, paper is no longer fed into a fax machine to communicate information," the hospital said.
Sebastian Bron is a reporter at The Spectator. sbron@thespec.com