Department of Health

NHS MEL (1997)45

Dear Colleague

GUIDANCE ON THE USE OF FACSIMILE TRANSMISSIONS FOR THE TRANSFER OF PERSONAL HEALTH INFORMATION WITHIN THE NHS IN SCOTLAND

1.   This letter provides guidance for Health Boards and NHS Trusts on the use of facsimile transmissions for the transfer of confidential personal health information

2.   All Board General Managers and Chief Executives of NHS are asked to ensure that all relevant staff are aware of and follow the guidance set out in Appendix A of this letter.

3.   This letter should be copied to Unit General Managers, Health Board Directors of Public Health and Medical Directors of NHS Trusts who should bring this guidance to the attention of all relevant clinical staff. Health Boards should make the necessary arrangements to inform GPs about the contents of this circular.

Background

4.    Health Boards and NHS Trusts should establish connection to NHSnet for transmission of confidential personal health information. In the meantime faxes are being used to transmit information, including confidential personal health information, between various parts of the NHS in Scotland. It is important therefore that suitable safeguards are in place to maintain patient confidentiality and to ensure that access to personal health information is limited to those who need to see it. The attached guidelines offer good practice in the secure use of faxes.

Yours sincerely

PAUL WILSON
Director of Trusts

5 August 1997
______________________________

General Manager, Common Services Agency

Executive Director, SCPMDE

1 . No named data should be sent by fax. If it is essential, clinical information can be sent with a suitable identifier (eg the CHI number) and the name and address and identifier conveyed by post or telephone. Where the transmission of named data is established practice and where discontinuation of this practice would cause disruption to patient services it is essential that best practice as described below is followed and a confidentiality notice as described in para 9 used. In these circumstances Health Boards and Trusts should plan to switch such data exchange to the NHS Net which is being established as a secure, private network at the earliest opportunity. You should refer to NHS MEL(1996)80 for information about NHS Net and how to connect to it.

2. It is imperative that fax machines which are used for the transmission or receipt of confidential information are placed in a secure location. The machines should be operated only by authorised users and these users should fully understand their responsibilities for maintaining confidentiality.

3 . The room housing the fax machine must be locked whenever unattended. If the office is in general use, consideration must be given to ensuring that unauthorised individuals are unable to read, accidentally or otherwise, faxes which are arriving or have recently arrived.

4. Where the fax machine used for confidential information is located in a safe area (eg a "safe
haven" in a Health Board) and is the only fax machine in use by tile organisation, the safe haven staff
should forward any faxes not intended for their area.

5. A particular problem relates to faxes arriving outside normal hours which could be seen by
cleaners or other personnel. Options to combat this include a blanket ban on transmissions outside office hours, switching machines off overnight if they are not secured and, possibly (if it does not constitute a fire hazard), locking machines (while switched on) into a cupboard. A further option involves the use of a computer to receive and store faxed data; whereby the information cannot be extracted without a password.

6. One of the most important risks with fax machines is mis-dialling, although most models display the number dialled. This can lead to faxes not arriving at all or arriving in an unintended location. In the latter case, there can be serious implications if non-coded confidential information is on the fax. Consideration should be given to the use of encryption between two safe havens, in appropriate cases. Best practice involves always checking the safe haven fax number before dialling; never dial from memory. Valid sources would include a locally compiled safe haven directory of a national directory, but not a general directory; alternatively, a telephone call to the safe haven should be used.

7. It is good practice to always precede the fax transmission by a telephone call to the recipient to confirm the fax number, to ensure that someone will be on hand at the machine to receive the fax and to seek confirmation from the intended recipient that the fax has been received.

8. It is good practice to identify frequently used numbers and program these into a fax machine's "memory dial" facility; equally, computer dialling facilities may be used where available. However, numbers must be tested in conjunction with a telephone call before using them for confidential information. Furthermore, the use of "memory dial" codes should be limited to safe haven numbers, this will prevent code mis-dialling having serious consequences.

9. If, in extreme circumstances where the above guidelines cannot be followed completely, non-totally anonymised patient information requires to be faxed, the fax should be preceded by a Confidentiality Notice such as:-

    This facsimile transmission is intended only for the use of the individual or entity to which it is addressed and may contain confidential information belonging to the sender which is protected by the physician-patient privilege. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this transmission in error, please notify this office by telephone to arrange for the return of the documents.