Privacy Reports

Decision Information

Summary:


On September 3, 2003, the Office of the Information and Privacy Commissioner (the IPC) received a telephone call from the manager of the Public Health Laboratory of the Ministry of Health and Long-Term Care (the Ministry) reporting a breach of the Freedom of Information and Protection of Privacy Act (the Act). The manager explained that a patient's lab results were inadvertently faxed to an incorrect fax number.

The Ministry subsequently advised that it was conducting an investigation into the matter and provided a written chronology of the events.

On the basis of this information the IPC initiated a privacy complaint under the Freedom of Information and Protection of Privacy Act (the Act).

Decision Content

PRIVACY COMPLAINT REPORT

PRIVACY COMPLAINT NO. PC-030034-1

 

 

Ministry of Health and Long-Term Care

 

 

 

PRIVACY COMPLAINT NO. PC-030034-1

MEDIATOR: Brian Bisson

INSTITUTION: Ministry of Health and Long-Term Care

 

 

SUMMARY OF COMMISSIONER INITIATED COMPLAINT:

 

On September 3, 2003, the Office of the Information and Privacy Commissioner (the IPC) received a telephone call from the manager of the Public Health Laboratory of the Ministry of Health and Long-Term Care (the Ministry) reporting a breach of the Freedom of Information and Protection of Privacy Act (the Act).  The manager explained that a patient’s lab results were inadvertently faxed to an incorrect fax number.

 

The Ministry subsequently advised that it was conducting an investigation into the matter and provided a written chronology of the events.

 

On the basis of this information the IPC initiated a privacy complaint under the Freedom of Information and Protection of Privacy Act (the Act).

 

Particulars Concerning the Incident:

 

The Public Health Laboratory (PHL) is a part of the laboratories branch of the Ministry.  The PHL provides laboratory testing and expertise for the prevention of disease and the protection and promotion of the public’s health in Ontario.  It consists of several regional health laboratories and a central public health laboratory which carries out testing in support of public health programs and issues, such as HIV/AIDS, prenatal and perinatal programs, institutional and community outbreak investigations, and surveillance of reportable, emerging and other important diseases.

The PHL clients include:  Public Health Units, Public Health Branch, private physicians, hospital and private laboratories, STD clinics, universities and colleges and other provincial, federal and international laboratories/governments.

 

On August 6, 2003 the PHL received a telephone request from a medical clinic for a copy of a patient’s lab report.  In accordance with PHL’s existing policy, the clinic was asked to fax the request on its letterhead and have the letter signed by the requesting physician.  The written request was faxed to the PHL the same day.  It should be noted that the physician specifically asked that a copy of the lab report be faxed to her office.  

On August 7, 2003, in response to the request, a staff member prepared the fax cover sheet in preparation for faxing the lab report.  The staff member inadvertently recorded the incorrect fax number on the fax cover sheet and subsequently dialled the incorrect number.  (The staff member recorded one of the fax digits incorrectly.  She recorded an “8” rather than a “5.”)

 

The PHL was first notified of the breach on September 3, 2003 when a physician from the medical clinic wrote to the PHL to notify it that the lab report was sent to the wrong fax number.  The physician noted that although it may have been a minor error — the incorrect fax number is only different by one digit — the consequence was considerable as the patient’s highly sensitive personal information was sent to a public location.  In this case, the incorrect fax number belonged to a local gas station. 

 

The gas station happened to be where another physician from the same medical clinic obtained his gas.  One day the physician stopped at the gas station and an attendant hand delivered him the misdirected fax.  This physician then forwarded the faxed report to the patient’s physician.

 

The physician also advised the Ministry that the attendant informed him that the gas station has received several other faxes addressed to the same medical clinic, but did not indicate whether these faxes originated from the PHL.

 

Action taken by the PHL in response to the Incident

 

On September 3, 2003, as soon as the PHL became aware of the breach, it immediately advised all staff to cease faxing medical reports pending a review of its policy on faxing sensitive information.

 

The PHL also advised both the IPC and the Ministry’s Freedom of Information and Privacy Co-ordinator that a privacy breach had occurred.

 

On September 10, 2003, the manager of the PHL spoke to the patient’s physician about the incident and about notifying the patient of the breach.  The physician confirmed that the misdirected fax was hand delivered to her.  The physician also explained that the patient could not be notified that his lab report was misdirected because he had left the country on a work assignment.

 

In a letter dated November 26, 2003, the Ministry provided a comprehensive response to the IPC outlining its investigation of this privacy breach.  In addition to a detailed letter addressing the incident, the Ministry provided the following attachments:

 

  A copy of the faxing policy that was in existence at the time of the incident;

  Public Health Laboratories incident report;

  A briefing note from the PHL to the Ministry;

  Letter of complaint from the medical clinic;

  Copy of the lab report that was inadvertently misdirected;

  Initial request received from the clinic asking that the lab fax the report;

  The fax coversheet that was misdirected with the incorrect fax number;

  Memo to staff advising to cease faxing – dated September 3, 2003;

  Revised faxing policy – effective November 6, 2003; 

  Internal “Faxing Investigation Form,” a checklist for investigating misdirected faxes; and

  Training form for staff concerning the faxing policy.

 

The PHL explained that its usual practice is not to provide results over the phone or by fax.  There are, however, circumstances when lab results have to be reported on an urgent basis and reports have to be sent out immediately; for example, local Health Units (and the local community) have to be notified when there are adverse drinking water results.  The PHL provided the IPC with a policy that lists which types of test results require immediate reporting.

 

At the time of the incident, the PHL had a detailed faxing policy in place, which included sending a test fax to the requester and following up with a phone call.  Had the policy been followed, it is unlikely that the fax would have been misdirected.  Once the breach was discovered, the PHL and the Ministry took immediate action to address the breach.

 

Although the PHL concluded that the reason for the breach was inadvertent human error, it conducted a detailed review of its faxing policy with the view to making improvements.  As a result, the PHL created a new faxing policy that included the following additional step. 

 

A new fax cover sheet must now be faxed by the PHL to the requester before any report will be faxed out.  The requester will be required to complete the fax cover sheet by including their address and fax number.  Then the requester must fax the cover sheet back to the PHL.  The PHL will verify the fax number and then dial the fax number that the requester has written on the cover sheet.  

 

To ensure that all staff are aware of the revised faxing policy the PHL introduced a corresponding training program.  The training program ensures that all staff are verified as being competent in the new procedure.   The staff must read, understand and sign the training form and perform a test to ensure they can perform the revised faxing procedure unassisted five times with 100% accuracy.  The employee, trainer and the employee’s manager must sign the training form.

 

I commend the Ministry and the PHL for the prompt action taken when they discovered the breach and the steps taken to address it.  

 

DISCUSSION:

 

Issue A:  Was the information in question "personal information" as defined in section 2(1) of the Act?

 

Section 2(1) of the Act defines "personal information" as recorded information about an identifiable individual, including,

(a) information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,

(b) information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,

...

(d) the address, telephone number, fingerprints or blood type of the individual,

...

(h) the individual's name if it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual.

 

The record at issue in this investigation contains a lab report addressed to the patient’s physician, which contains the patient’s name, date of birth and the test results.  The lab report clearly contains the "personal information" of the patient as defined in the subsections of section 2(1) of the Act set out above.  The Ministry does not dispute this finding. 

 

Issue B:  Was the personal information disclosed in compliance with section 42 of the Act?

 

Section 42 of the Act sets out a number of circumstances under which an institution may disclose personal information.

 

In this case, the Ministry acknowledges that the report was inappropriately disclosed.  As a result, none of the circumstances outlined in section 42 of the Act apply.  The disclosure, therefore, was not in accordance with the Act.

 

CONCLUSIONS:

 

I have reached the following conclusions based on the results of my investigation:

 

1.      The information in question was personal information as defined in section 2(1) of the Act.

 

2.      The disclosure of the information was not in compliance with section 42 of the Act.

 

3.      The disclosure of personal information by the PHL was the result of inadvertent human error.

 

4.      The Ministry and the laboratory took prompt action in resolving the issue as soon as they were notified of the breach.  

 

OTHER MATTERS:

The IPC has issued a paper that offers practical guidelines on how to contain a privacy breach.  The paper is entitled “What to do if a privacy breach occurs: Guidelines for government organizations.”  It outlines the first two priorities for an institution faced with a potential disclosure of personal information:  to identify the scope of the disclosure and take steps to contain it; and to identify those individuals whose personal information may have been disclosed and, barring exceptional circumstances, to notify those individuals accordingly.  In order to identify the scope of disclosure, the institution must arrange for the safe return of the disclosed information and ensure that the recipient has not retained any copies, nor passed along the information to any other individual.  Retrieving the document will not only assist the institution in trying to determine how the error occurred and whether corrective measures are required, but will also assist in providing proper notice to the individuals whose privacy has been compromised.

Although the two priorities noted above were both addressed, I would like to comment on one of the documents the PHL provided to this office during the processing of this complaint.

 

The PHL provided this office with a document entitled Faxing Investigation, which is a checklist that an investigator must follow to help determine why a fax was misdirected.  The checklist is a detailed document and demonstrates that the PHL is committed to ensuring personal information is protected, faxes are not misdirected and that staff can learn from previous errors.  The checklist outlines eleven steps that should be followed as part of the investigation.  Although the document outlines a detailed investigation process, it does not address the issues of containment and notice as described above.

 

Accordingly, I will include a recommendation for the PHL to add these steps to the checklist. 

 

RECOMMENDATION:

 

I recommend that the PHL revise its Faxing Investigation document by adding an additional step to the checklist addressing the issues of containment of the privacy breach and notice to affected persons.

 

By June 18, 2004, the Ministry should provide the Office of the Information and Privacy Commissioner/Ontario with proof of compliance with the above recommendation.

 

 

 

 

 

 

 

March 18, 2004

Brian Bisson

Mediator

 

 

 

 
