10/18/2013 05:10 EDT | Updated 12/18/2013 05:12 EST

Saskatchewan privacy boss issues new rules for misdirected patient health faxes

REGINA - Saskatchewan's privacy commissioner and Ministry of Health are taking more steps to stop patient health information from ending up in the wrong hands.

Commissioner Gary Dickson has issued guidelines for those in the health sector, including doctors and pharmacies, on what to do if they fax information to the wrong number or receive a fax by mistake.

Dickson says a checklist on when and how health information should be faxed was issued in 2009.

But he says problems persist and his office is currently investigating two dozen cases that involve misdirected faxes. The commissioner says that's "concerning and disappointing" after a detailed checklist was made available.

"For a number of years, after we went through the work in 2009 and 2010, I think we had assumed that most trustees in Saskatchewan had got the message and in fact had implemented those kinds of policies and procedures we'd recommended," Dickson said Friday.

"It appears now, just reflecting on the number of breaches that we're investigating, that confidence was misplaced."

For example, the guidelines say health providers who get faxes with patient information by mistake should notify their organization's privacy officer and not keep a copy of the misdirected fax.

For health providers that fax patient information to the wrong number, the guidelines say they should confirm that the document was destroyed. Otherwise, it says, they should ask that the recipient return the personal health information by mail or send a courier to pick it up.

They also need to investigate the root cause of the breach.

Dickson says often faxes from health providers end up going to private businesses. The commissioner doesn't have jurisdiction over private businesses, but he says some companies have called him when they get faxes with health information.

"One of the things that we found interesting — and part of the reason for this latest (guideline) is — we will hear from a private business when they get a fax that clearly contains somebody's health information, clearly was not intended for them," said Dickson.

"And if they're able to find out who sent it, when they contact the trustee, too often what they're told is, 'Well this is no big deal, just throw it in the garbage' — which is totally inappropriate."

Dickson says the guidelines spell out that error is still the health provider's responsibility to deal with.