St. Joseph’s Healthcare Hamilton is committed to protecting patient privacy
Recognizing the importance of patient privacy and our responsibility to safeguard all patient information, St. Joseph’s Healthcare Hamilton (SJHH) has conducted a comprehensive review of various privacy protocols and practices.
SJHH is committed to implementing best practices and addressing any past shortcomings related to the protection of patient privacy. As a result of our review, SJHH has made the following changes in recent months:
- Launched and completed mandatory annual privacy training for all staff, in addition to the existing requirements for training at onboarding;
- Enhanced the hospital’s privacy policy that sets out rules for the collection, use and disclosure of personal health information, a protocol for responding to privacy breaches and warns of disciplinary consequences for non-compliance, up to and including termination;
- Increased governance and oversight of privacy incidents, including bimonthly audits and a privacy disclaimer presented to staff before they sign into the hospital’s electronic medical record system.
In addition, SJHH closely reviewed misdirected faxes for 2020 and 2021. As a result, SJHH is contacting approximately 230 patients to inform them that a health record about them was faxed to the wrong person in error. In almost all cases, the faxes were inadvertently sent to the wrong health care professional, such as a previous family doctor, who then informed SJHH of the error and confirmed they destroyed the fax they received. SJHH is notifying patients in accordance with requirements of the privacy legislation.
SJHH also apologized to the affected patients and informed them about changes put in place to reduce the number of misdirected faxes in the future, such as:
- Updated SJHH’s fax reporting tool to collect more fields of information which allow for more timely investigation into whether a misdirected fax incident constitutes a breach of the Personal Health Information and Protection Act (PHIPA), patient and IPC notification where applicable, and the ability to track and remediate incidents;
- Strengthening standard procedures to confirm the correct primary care provider in our information systems in order to reduce the possibility of misdirected faxes. SJHH is also encouraging patients to update contact information to ensure information is sent to the current/correct healthcare provider.
Patients who have questions or concerns about SJHH’s review of misdirected faxes can contact us at privacy@stjoes.ca
“We sincerely apologize to all patients who were affected by these privacy incidents,” said Wendy Lawrence, SJHH’s Chief Privacy Officer. “We know that having strong privacy practices and safeguards is essential to fostering trust between patients, SJHH, and clinicians, and to the delivery of the highest quality health care. Our promise to our patients is that we have and will continue to take actions to protect and safeguard their privacy.”
We believe the actions we have taken at SJHH strongly support the prevention and quick detection of privacy breaches, however we know the work does not stop here. SJHH will monitor the effectiveness of recent changes to our privacy policies and practices and continue to work on the enhancement of patient privacy and implementation of best practices.
More information on privacy at St. Joseph’s Healthcare Hamilton:
Misdirected faxes
- St. Joseph’s Healthcare Hamilton reported more than 900 misdirected faxes to the Information and Privacy Commissioner (IPC) in 2020. However, the majority of the reported misdirected faxes in 2020 involved a health record being sent to the wrong healthcare provider due to SJHH not being provided up to date information about a patient’s healthcare provider.
- An intense review found that, in about 122 of the fax incidents reported in 2020, there was an error on the part of SJHH staff which lead to the misdirected fax.
- In almost every circumstance, the error happened because there was either a miscommunication between the patient and the registration staff resulting in incorrect health provider contact information being recorded (i.e. similar named provider), or human error (i.e. staff selecting the incorrect health provider in the Health Information System), which resulted in the wrong provider receiving the information.
- Similarly, in 2021, SJHH reported 120 misdirected faxes to the IPC.
- In almost all cases, both in 2020 and 2021, SJHH learned of the misdirected faxes from the health professional who received the fax and who confirmed having destroyed then fax they received.
- St. Joe’s is in the process of informing the approximately 230 remaining patients.
- SJHH’s electronic medical record (EMR) system automatically sends faxes to a patient’s health care professional (such as a family doctor) to ensure they are updated on important medical information, such as medical visits and diagnostic testing. This is done to keep records up to date and to provide the patient with the best care. SJHH sends more than one-million faxes annually.
- When the patient’s health care professional information changes and updated information is not provided, those faxes could continue to be sent to the previous healthcare professional.
- SJHH is refining its processes to ensure the most up-to-date healthcare professional / primary care professional information is on file for all patients to ensure that medical information is faxed correctly.
Intentional Privacy Breaches
- In 2020, SJHH reported three (3) intentional privacy breaches.
- Three (3) staff members were responsible for these three (3) intentional breaches. All three (3) breaches were considered unauthorized accesses.
- Two (2) staff were terminated and one (1) staff disciplined.
- In 2021, SJHH reported six (6) intentional breaches.
- Five (5) staff and one former student were responsible for these six (6) intentional breaches. Five (5) of these six (6) breaches were considered unauthorized accesses (snooping) and one involved the sharing of information via social media.
- All five (5) staff were disciplined. Of those five staff, one employee was found to have breached the privacy of 49 patients and was terminated. In each of the four other staff incidents, between one and six patients were affected.
- In the circumstance involving the 49 patients, the IPC opened an investigation, since closed, citing satisfaction with the hospital’s response and next steps.
- In all of these circumstances, affected patients were notified with the exception of a few where clinical status or lack of contact information prevented informing them.
Strengthening our commitment to Privacy
- Regretfully, our work in informing patients about fax privacy breaches and responding to privacy incidents was not consistently as prompt and thorough as dictated by best practices.
- Recognizing the importance of this issue, St. Joe’s has taken several steps to improve our privacy practices and is actively working on enhanced privacy training, education about the importance of up-to-date contact records and enforcement of our privacy policies. We are committed to protecting patient privacy through the ongoing implementation of established best practices and continued improvement.