Privacy Commissioner Elaine Keenan Bengts insists the NWT Health Authority needs to cut out faxing private health records.
Noting the authority’s “reluctance” to switch, she wrote the technology’s continued use to transfer health records was “worrisome,” in her annual report tabled in the Legislative Assembly in December.
“While human error will always be a factor which contributes to privacy breaches, the use of secure digital communication technology can significantly reduce the possibility of a breach as a result of such errors,” she wrote.
“I continue to encourage health information custodians in the Northwest Territories to prohibit the use of fax machines when dealing with documents containing personal health information, except where absolutely necessary.”
The commissioner also acknowledged two high-profile privacy cases — the theft of a laptop containing a large amount of NWT residents’ personal health information, and the discovery of other records at the Fort Simpson dump.
However, the majority of the 29 health-related files her office opened were minor privacy breaches, “most notably misdirected faxes and emails and the mishandling of communications with clients,” she wrote.
Northwest Territories Health and Social Services Authority did not respond after multiple requests and extensions for comment.
The commissioner’s concern with continued fax use has been expressed before: In her previous report, she said that she “simply cannot understand the apparent reluctance of the health sector to adopt the better technology.”
Also in this year’s report, the commissioner found an “alarming” number of instances where prescriptions were issued under the wrong name.
The commissioner also identified a number of issues and fixes concerning Hay River Health and Social Services Authority, which haven’t been implemented.
On Oct. 26, the report stated, the Hay River authority called the commissioner to report an improper disclosure, which was under investigation.
After originally discovering the breach in a performance review of staff, the authority did an audit dating back April 1, 2017, roughly six months before the finding. That’s when it found eight clients faced breaches of privacy between Oct. 10 and Oct. 30, 2017.
After she was notified, the Commissioner later found “unreasonable delays” while gathering further information on the breach from the authority. This led her to conduct a formal review.
In her annual report, the commissioner outlined the following issues with the Hay River authority:
- “the lack of clear and prescribed process,
- the deviation from expected process
- errors in directing files to the wrong specialists,
- the oversharing of information
- the lack of oversight by management,”
She also found that “the redundant manual processing of (personal health information) resulted in inappropriate use and/or disclosure of the personal health information of eight clients with associated risks to privacy and security of the information.”
She made several recommendations to address these issues, to which the authority said it agreed, but couldn’t implement any of them, according to the report.
Those recommendations included a review to ensure processing of personal health information are documented as formal, prescribed processes, and also “clearly reflect the expected information and handling requirements.”
She also called for oversight to ensure privacy principles are adhered to, and discrepancies to be addressed in a timely manner. All staff should be properly trained as well, she added.
Finally she said the authority should do a general privacy audit of its operations, finding, where it’s non-compliant with legislation, and determining risks to personal health information, while implementing solutions and plans to address the challenges.
Implementation of this has been delayed until a review of finances and staffing is completed, stated Erin Griffiths, CEO of the authority.
For the same reason, she told News/North over email that there is also a delay implementing the commissioner’s recommendation on operational oversight and responses to issues.
Recent steps include rolling out privacy policies provided by the Department of Health and Social Services as per the ministerial directives. She added staff are aware of and understand these policies.
Other efforts include ensuring staff undergo mandatory training upon hire. Additionally, a confidentiality policy review is done with each staff member annually, and is documented on their personal file.