Statistics collected by our office in 2022 revealed a continuing concern with misdirected faxes in the health sector, representing almost 38 per cent of health privacy breaches in Ontario.
Using outdated and vulnerable technologies such as faxes and unencrypted email threatens to erode public confidence that personal health information is secure. In September, the IPC joined its federal, provincial, and territorial counterparts in issuing a joint resolution addressing insecure methods of transmitting personal health information. The resolution calls on governments and relevant partners in the health sector to replace traditional faxes and unencrypted email with more secure forms of digital communication. The resolution is an urgent call to action given what we know to be the largest source of health data breaches reported to our office over several years.
In the resolution, the IPC and our counterparts urge governments to address the issue by coordinating a strategic plan and providing institutions with appropriate supports, such as funding or other incentives, to phase out traditional fax and unencrypted email. The resolution asks governments to promote the adoption of more modern and secure digital alternatives that are equitably available and accessible to all, and calls on health sector organizations and providers to do their part as well. Finally, the resolution commits the IPC and our counterparts to collaborate with interested parties to support this transition and to provide relevant privacy and security guidance and public education about the risks and opportunities associated with digital communications and virtual health care.
In February 2023, the government announced a plan to phase out faxes in the health sector over a five-year timeline. Our office applauds this initiative and stands ready to assist the government and other interested parties in implementing this plan in a manner that supports public trust. We look forward to seeing the health care sector continue to decrease its dependency on faxes in favour of more secure forms of digital communication.
Ongoing advocacy for administrative penalties
Last year, the commissioner recommended the government set out the details of PHIPA’s administrative penalty scheme in regulations. The purpose of these administrative penalties is to encourage compliance and prevent persons from deriving, directly or indirectly, any economic benefit as a result of contravening Ontario’s health privacy law or its regulations. This would enable the IPC to impose monetary consequences on the few bad actors who unfortunately undermine Ontarians’ trust in the entire health system.
We expect the government to release the proposed regulation for public comment, setting out the criteria to be considered by the IPC when imposing a penalty and the maximum dollar amounts. We look forward to seeing this regulation come into force and giving Ontarians confidence that there are effective mechanisms in place to promote positive behaviour, while stamping out the bad.
In keeping with our vision of a modern and effective regulator, the IPC will apply a proportionate approach to administrative penalties. We intend to adopt the principles and philosophy of a just culture approach by applying different levels of intervention based on the nature and circumstances of the contravention. The choice of enforcement tool (whether it be education, corrective measures, recommendations, orders, administrative penalties or referral to the Attorney General for prosecution of an offence) will depend on a range of factors, including the conduct of the person or organization in question. Such conduct could range from a single honest mistake to a repetitive pattern based on carelessness; from a minor error in judgment to a more serious one; from recklessness or disregard for the rules to deliberate intent to break the rules for malicious or profit-seeking motives. Where appropriate, we will also look at the organization’s governance structures and processes in place to determine to what extent, if any, these (or the lack thereof) may have contributed to the conditions that enabled the contravention to take place.