PRIVACY COMPLAINT REPORT

PRIVACY COMPLAINT NO. PC-030036-1

MEDIATOR: Brian Bisson

INSTITUTION: Ministry of Health and Long-Term Care

SUMMARY OF COMMISSIONER INITIATED COMPLAINT:

The Office of the Information and Privacy Commissioner (the IPC) was notified by the Ministry of Health and Long-Term Care (the Ministry) concerning a breach of the Freedom of Information and Protection of Privacy Act (the Act). The Ministry explained that a letter from the Drug Programs Branch (DPB) discussing the drug treatment of a patient was inadvertently faxed to an incorrect fax number.

Particulars Concerning this Incident

The Ministry explained that section 8 of the Ontario Drug Benefit Act (the ODBA) grants access, in limited circumstances, to unlisted drugs where listed ODB Formulary/Comparative (Formulary) Index drugs have been tried and are ineffective or not tolerated, or when there is no listed Formulary drug alternative available.

Physicians are required to submit their requests in writing to the DPB in order for unlisted drugs to be considered for reimbursement under this mechanism. The Ministry’s expert advisory committee, the Drug Quality and Therapeutic Committee (DQTC), reviews each request based on clinical and scientific evidence in accordance with current guidelines.

In the current case, a patient mailed a letter on behalf of her physician requesting coverage for an unlisted drug under the ODBA. The request was reviewed by the DQTC and was rejected because there was insufficient medical evidence to conduct an appropriate evaluation.

To follow up on her request, the patient called the DPB to ask whether a response had been sent out. The patient was informed that a response had been faxed to her physician several days earlier. At this point the patient became concerned, because the physician had not received the DPB’s response.

When the DPB investigated the matter, it confirmed that a rejection letter had been faxed to the patient’s physician. The person sending the fax used a fax number that had been recorded in the DPB database for this physician from a previous, unrelated section 8 ODBA request.

To investigate the matter further, the DPB contacted the physician directly. The physician confirmed that the fax number listed in the DPB’s database was not his fax number. The physician explained that although he now uses a private fax machine, in the past he used a “shared” fax machine at a private mailbox service. The DPB confirmed that the fax number entered into its database for this physician was the fax number of the mailbox service that the physician had used to send in a previous request. Once the error was discovered, the DPB database was updated with the correct fax number and the letter was re-faxed to the physician.

During discussions with the DPB, the physician volunteered to retrieve the original fax from the mailbox service, as it is close to his office. The physician later advised that he was unable to do so because the mailbox service had changed ownership and the previous owners could not be located.

Subsequently, the DPB sent a letter to the patient expressing its concerns about the privacy breach. It also advised the patient that it was taking steps to investigate the matter and summarized the events that led to the breach. The DPB’s letter confirmed that the fax number used to communicate with the physician was the fax number previously used by the physician. The DPB explained to the patient that the misdirected fax did not contain her full name, but only her first name and the initial of her last name.

DISCUSSION

The following issues were identified as arising from the investigation.

Issue A: Was the information in question "personal information" as defined in section 2(1) of the Act?

Section 2(1) of the Act defines "personal information" as recorded information about an identifiable individual, including,

(a) information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,

(b) information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,

...

(d) the address, telephone number, fingerprints or blood type of the individual,

...

(h) the individual's name if it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual.

The record at issue in this investigation is a one-page letter addressed to the physician discussing the drug treatment of the patient. It contains the patient’s first name with the initial of her last name, as well as her date of birth. I must therefore determine whether, in the absence of the patient’s full last name, the record contains personal information as contemplated in section 2(1) of the Act.

In Order P-230, former Commissioner Tom Wright commented on the approach to be taken in determining whether information qualifies as personal information within the meaning of section 2(1) of the Act:

I believe that provisions of the Act relating to protection of personal privacy should not be read in a restrictive manner. If there is a reasonable expectation that the individual can be identified from the information, then such information qualifies under subsection 2(1) as personal information.

Based on the above, and the circumstances of this case, I believe that it is reasonable to expect that the patient could be identified from the information that appears on the record. Therefore, the information at issue constitutes that individual's personal information as defined in section 2(1) of the Act, because it reveals recorded information about an identifiable individual.

The Ministry does not dispute this finding.

Issue B: Was the personal information disclosed in compliance with section 42 of the Act?

Section 42 of the Act sets out a number of circumstances under which an institution may disclose personal information.

In this case, the Ministry acknowledges that the record was inappropriately disclosed. As a result, none of the circumstances outlined in section 42 of the Act apply. The disclosure, therefore, was not in accordance with the Act.

Additional Matters

During the course of this privacy complaint investigation, the Ministry provided the IPC with an excerpt from the DPB’s policy and procedures manual for entering Individual Clinical Review (section 8 of the ODBA) requests into the “Section 8 database”. The policy includes detailed steps to be undertaken when entering physician information into the database for the first time, and for verifying the physician’s information if the requesting physician is already on file. The policy also addresses the steps to be taken to ensure that the physician’s information is accurate prior to faxing out a response. Specifically, the policy states:

When a request is being processed, and the prescriber information is being inputted into the database, certain steps are being taken to ensure that all the information is accurate. The steps are as follows:

- Technician ensures correct spelling of the name
- Verifies that the address, phone and fax number are accurate
- Calls the requesting physician’s office if info not clear and info cannot be verified using search applications that are available to us

The policies and procedures for entering physician information and the importance of accuracy are reinforced with staff on a regular basis.

When the branch receives requests via fax, in most cases the fax number shows up at the top or bottom of the page. If the physician’s name is not on the header it is not to be assumed that the fax on the header belongs to the requesting physician. When there is any doubt about a physician’s contact information, call the physician’s office to verify. [Original emphasis]

The DPB explained that the responses to all ODBA section 8 requests are sent out by fax. The responses are generated from the DPB’s database and are typically a one-page letter that includes the name and address of the DPB, the name and fax number of the physician, and the patient’s first name, last initial and date of birth. The letter also includes one or two paragraphs outlining the DPB’s response to the physician’s request.

In addition, the top portion of the letter includes the following statement:

In order to facilitate processing please fax ICR requests to the Ministry. Responses are faxed back to the requesting prescriber’s office. Please include your fax number on all correspondence. To ensure confidentiality, Ministry replies will identify the patient by first name and the initial of the last name only.

In the present case, it is clear that the privacy breach occurred as a result of inadvertent human error. When the physician’s fax number was initially added to the DPB’s database, the DPB did not verify that the fax number listed on the request was the fax number of the physician. As noted above, the DPB policy for adding fax numbers to the database outlines in detail the steps that should be taken to verify the correct fax number. In this case, had the policy been followed, it is unlikely that a breach would have occurred.

Having said this, however, the DPB’s policy, as described above, addresses the issue of faxing in a very limited way and is missing a number of key elements.

In recognition of the risks involved in the use of fax technology, the IPC has issued Guidelines on Facsimile Transmission Security. These Guidelines were designed for government institutions to consider and use in the development of systems that maintain the integrity and confidentiality of information transmitted by fax. In order to assist in the adoption of appropriate operating procedures, the Guidelines outline several recommended practices that should be followed by institutions when using facsimile transmission.

The Guidelines point out that, as a general rule, personal information should not be faxed, and that in cases where time or another similar constraint dictates that personal information must be faxed, institutions should make efforts to sever all personal identifiers from documents that are faxed.

As mentioned above, the DPB does not include the patient’s full last name in the ODBA section 8 responses that are faxed to physicians. The Ministry advised that the patient’s first name, initial of the last name and date of birth are included in the document in order to allow the physician to accurately identify the patient. Although excluding the patient’s full last name is clearly a positive step in enhancing the privacy protection of the individual, as outlined above, it does not render the patient unidentifiable. If the DPB continues to use fax as a vehicle for responding to ODBA section 8 requests, it must ensure that these responses are fully anonymized and do not contain any personal information as defined in section 2(1) of the Act. This would sufficiently address the privacy concerns raised in this complaint. Accordingly, I will address this in my recommendations below.

Another recommended practice in the Guidelines relates to the use of fax cover sheets where personal information needs to be faxed. The Guidelines state that all faxes sent by institutions should be accompanied by a standardized cover sheet containing the name, title and organization of both the sender and the intended recipient, along with a notation indicating the total number of pages faxed. The cover sheet should also include a box that allows the sender to “check off” whether he or she would like the recipient to confirm that the transmission has been successfully received. In addition, the cover sheet should include a written notice that the material contained in the fax is confidential, and that it may contain personal information that may be subject to the privacy provisions of the Freedom of Information and Protection of Privacy Act or the Municipal Information and Protection of Privacy Act. The notice should also explicitly state that the fax should not be distributed, copied, or disclosed to any unauthorized persons, and it should provide instructions for the recipient to follow when the fax is received in error.

Unfortunately, the DPB’s policy does not address the use of fax cover sheets, nor does it appear that fax cover sheets are currently used when faxing documents. Accordingly, I will be recommending that the DPB amend its policy in this regard.

Finally, the Guidelines state that where circumstances dictate that personal information that cannot be severed from a document must be faxed, the sender of the fax should phone ahead to alert the intended recipient that a fax containing personal information is about to be sent. Adopting this procedure will help to ensure that the recipient is aware of the sensitive nature of the document that will be received. If, after being informed that a fax containing personal information is on its way, the recipient does not receive the document, the recipient should contact the sender to advise that the fax has not been received. The sender will then be aware of, and be able to address, the problem that led to the errant transmission.

The Ministry advised that given the large number of responses that are faxed to physicians on a regular basis, approximately 500 a day, and the need to respond in a timely manner, the DPB is unable to telephone ahead each time before a fax is sent. While I accept that it may not be practicable for the DPB to call ahead before sending a fax under those circumstances, I am not persuaded that all ODBA section 8 responses need to be sent to physicians on an urgent basis. In the present case, it took approximately two months from the initial request for the DPB to respond to the patient’s physician. In light of this, I see no reason why the response had to be faxed, and could not have been mailed or couriered to the physician. Accordingly, I will address this in my recommendations below.

CONCLUSION:

I have reached the following conclusions based on the results of my investigation:

1. The information in question was personal information as defined in section 2(1) of the Act.

2. The disclosure of the information was not in compliance with section 42 of the Act.

3. The disclosure of personal information by the DPB was the result of inadvertent human error.

RECOMMENDATIONS:

1. In accordance with the IPC Guidelines on Facsimile Transmission Security, a copy of which is attached, as a general rule personal information should not be faxed. In light of this and my conclusion under item 1 above, I recommend that the DPB anonymize all ODBA section 8 responses that are faxed by ensuring that they do not contain any personal information as defined in section 2(1) of the Act. The Ministry is asked to determine how this can best be achieved and to provide a draft proposal to the IPC for consideration prior to implementation.

2. In circumstances where it is determined that the DPB needs to transmit personal information by fax, I recommend that the DPB fax ODBA section 8 responses containing personal information only in urgent situations, and that the remaining non-urgent section 8 responses be sent out by courier or by mail. In this regard, the Ministry is asked to establish a policy guideline that defines what constitutes an urgent situation.

3. I recommend that where ODBA section 8 responses are faxed, the DPB use a fax cover sheet and telephone the recipient prior to sending out the fax.

4. I recommend that the DPB amend its policies to reflect the above recommendations and the principles underlying the IPC Guidelines on Facsimile Transmission Security, and that it educate its staff accordingly.

The Ministry should provide the Office of the Information and Privacy Commissioner with proof of compliance with recommendation 1 by July 27, 2004.

The Ministry should provide the Office of the Information and Privacy Commissioner with proof of compliance with the remaining recommendations by August 27, 2004.

May 27, 2004

Brian Bisson

Investigator