Privacy Commissioners call on Health Industry to phase out use of traditional fax and unencrypted email in shift to digital healthcare

( Disponible en anglais seulement )

31 octobre 2022 | Kathryn M. Frelick, Amanda Cutinha

On September 21, 2022, the Office of the Privacy Commissioner of Canada released a Joint Resolution of the Federal, Provincial and Territorial Privacy Commissioners and Ombudspersons with Responsibility for Privacy Oversight entitled Securing Public Trust in Digital Healthcare (the “Joint Resolution”).

The Joint Resolution calls on governments and health industry organizations and providers to implement modern, secure and interoperable digital health communication infrastructure that reflects the sensitivity of personal health information of Canadians and protects against unauthorized access.

The Joint Resolution was written in the context of rapid digital advancements and innovation in the health sector, which have been accelerated by the COVID-19 pandemic. It also recognizes the significant resource constraints and staffing shortages that the health sector currently faces. These and other complex issues facing the health industry have resulted in fundamental changes to the delivery of health care services, including virtual health care, and other forms of digital health communications.

Digital health is a key enabler of health system integration and information sharing initiatives to enable seamless patient care continue to be a key area of focus for governments and health industry organizations. The use of digital health technologies, while providing innovative advancements in healthcare, raise privacy and security risks, including concerns about the possibility of data breaches, which must be appropriately reviewed and managed.

Despite rapid digital advancements, the use of traditional communication methods, including fax machines and unencrypted email are still widely used throughout the health industry. Privacy breaches as a result of insecure communication technologies, unauthorized access to health records by employees (so called “snooping”) continue to be significant issues. Health industry organizations and providers are particularly vulnerable to and are targets of cybersecurity attacks, especially in the form of ransomware.

Among other things, the harm caused by privacy breaches which include personal health information may be far-reaching in that individuals may lose trust in the health system and limit the sharing of their personal health information or avoid consulting health care practitioners, impacting the health and safety of Canadians writ-large. Responding to and remediating privacy and security breaches has significant financial, operational and reputational implications for health industry organizations, and take valuable resources away from other important services including the delivery of health care.

The Joint Resolution makes recommendations to both governments and health industry institutions and providers. Among other things, it calls on federal, provincial and territorial governments to:

  • Develop a strategic plan and provide appropriate supports, funding and coordination to phase out the use of traditional fax and unencrypted email and replace them with more modern, secure and interoperable digital alternatives
  • Ensure equitable access to digital health information sharing infrastructure and solutions, including those living in rural and remote areas, marginalized communities and within vulnerable populations
  • Promote the adoption of secure digital technologies and data governance frameworks that provide reasonable protection of personal health information against unauthorized access or inadvertent disclosures
  • Amend laws and regulations, as necessary, to ensure appropriate penalties for health industry organizations who do not take reasonable measures to protect personal health information and for individuals who unlawfully use, or disclose personal health information

The Joint Resolution calls on Health Industry organizations and providers to, among other things:

  • phase out traditional fax and insecure communication methods which pose privacy risks as soon as possible and replace with modern, secure digital technologies, for example, encrypted email, secure patient portals, electronic referrals and electronic prescribing
  • design, adopt and implement data governance frameworks that mitigate against the risk of data breaches. This includes the adoption of security standards that provide reasonable safeguards to protect personal health information, monitoring of electronic systems, periodic audits of privacy and security risks, and effective incident management plans and mitigation measures
  • seek guidance from relevant technology, cybersecurity and privacy experts early in process, before procurement, to understand how to evaluate and procure new digital health solutions and use the procurement process to help ensure third party-compliance by establishing contractual requirements for vendors
  • when assessing digital health solutions, assess compatibility with other digital assets, compliance with health information privacy laws and how they facilitate access rights of individuals
  • complete privacy impact assessments for public consumption to promote transparency and foster trust in health care institutions.

The Joint Resolution also identifies a role for Canada’s privacy commissioners and ombudspersons to collaborate with governments, regulatory colleges, health industry and other relevant stakeholders to provide privacy and security guidance and educate individuals about their digital health and privacy rights. The Joint Resolution also highlights that to the extent permitted by law, they may “take joint or collaborative enforcement action, as appropriate to address systemic practices in the health sector that are unreasonable because they create unacceptable and easily avoidable risks to the privacy and security of personal health information”.

Implications for health industry

The Joint Resolution provides a clear message to government and health industry organizations that the status quo is no longer acceptable as it relates to communication technologies, unauthorized access to personal health information and risks relating to cyber-attacks. Health industry organizations and providers are well advised to take proactive steps to identify whether any insecure communication technologies are currently in use, to consider alternative options and to develop plans to phase them out in favour of more modern, secure alternatives and to identify other risk areas.

There are many digital health initiatives underway across the country. Health industry organizations are encouraged to consult with their funders, government and industry stakeholders and community partners.

There are different considerations and roles and responsibilities under applicable privacy legislation when implementing secure communications technologies or other digital health solutions, whether on a stand-alone basis, as a lead organization, as a participant in a regional or provincial initiative or as a technology provider. For example, under Ontario’s Personal Health Information Protection Act, 2004 there are specific requirements for health information network providers that provide services primarily to custodians to enable two or more health information custodians to disclose personal health information with one another. This includes the requirement to carry out and share the results of a threat risk assessment and privacy impact assessment, and to enter into an agreement with each health information custodian.

Miller Thomson’s Health Industry Group would be pleased to assist health industry organizations and providers with carrying out the recommendations of the Joint Resolution. We can assist in the procurement, implementation and development of contractual frameworks to support digital health solutions, organizational data governance and privacy law compliance, and prevention and management of privacy and security breaches.

Avis de non-responsabilité

Cette publication est fournie à titre informatif uniquement. Elle peut contenir des éléments provenant d’autres sources et nous ne garantissons pas son exactitude. Cette publication n’est ni un avis ni un conseil juridique.

Miller Thomson S.E.N.C.R.L., s.r.l. utilise vos coordonnées dans le but de vous envoyer des communications électroniques portant sur des questions juridiques, des séminaires ou des événements susceptibles de vous intéresser. Si vous avez des questions concernant nos pratiques d’information ou nos obligations en vertu de la Loi canadienne anti-pourriel, veuillez faire parvenir un courriel à privacy@millerthomson.com.

© Miller Thomson S.E.N.C.R.L., s.r.l. Cette publication peut être reproduite et distribuée intégralement sous réserve qu’aucune modification n’y soit apportée, que ce soit dans sa forme ou son contenu. Toute autre forme de reproduction ou de distribution nécessite le consentement écrit préalable de Miller Thomson S.E.N.C.R.L., s.r.l. qui peut être obtenu en faisant parvenir un courriel à newsletters@millerthomson.com.