Information and Privacy Commissioner Gary Dickson said he was 'underwhelmed' at the response after the privacy breach was revealed. Information and Privacy Commissioner Gary Dickson said he was 'underwhelmed' at the response after the privacy breach was revealed. (CBC)

Tighter rules for faxing medical documents are needed after a privacy breach last year, Saskatchewan's privacy commissioner says.

Information and privacy commissioner Gary Dickson said Monday that after a Saskatoon medical clinic changed its fax number, another business in town got its old number — and received 60 faxes containing private health information.

Most of the faxes contained laboratory results and had been sent by health regions, physicians offices and pharmacies, Dickson said in a 64-page report.

The health region told the privacy commissioner's office about the faxes in early April, 2009, but despite efforts to stop the activity, the Saskatoon business was still getting documents later in the month.

He said the trustees at the various health organizations — those who are supposed to ensure privacy of the documents — didn't respond very well.

He didn't blame SaskTel for giving the clinic's number to another business, noting that the number had been out of commission for 17 months before it was reassigned to the Saskatoon business.

That would mean that for 17 months, anyone sending faxes to the number would get a message that the fax didn't go through.

When the business started getting the faxes, it started contacting the various medical officials to let them know.

However, the response the business received was often words to the effect of 'This is no big deal, faxes get misdirected all the time,' Dickson said.

Dickson said a regional health authority was proactive in contacting his office when it discovered the error.

However, he wasn't impressed with how well, in general, health organizations were at getting to the root of the fax problem.

"Overall, I am underwhelmed by the response of the trustees to these privacy breaches," Dickson said.

"Most trustees have not adequately investigated the breach. More importantly, their current policies and procedures do not address the issues that caused these breaches, and therefore are not likely to prevent a reoccurrence in the future."

Dickson noted that some medical agencies had fax machines that were preprogrammed with the wrong fax number.

Some people continued to send faxes multiple times when they didn't get a response from what they thought was a medical clinic.

Also, the medical clinic that changed its number forgot to the change the header on its faxes, leaving the outdated fax number, adding to the confusion.

Overall, doctors, clinics, pharmacies and health regions need to do more to tighten up the rules for sending faxes, he said.

Dickson did not publish the names of the businesses, health officials, doctors or pharmacists involved in the privacy breaches.