On an appeal from a Rule 21 motion, the Court of Appeal ruled that the Personal Health Information Protection Act, S.O. 2004, c. 3, Sch. A (PHIPA) does not create an exhaustive code precluding a civil action for intrusion upon seclusion.
Hopkins v. Kay, 2015 ONCA 112 involved a proposed class proceeding of 281 patients alleging improper access of their medical records by a nurse, who was subsequently terminated by the defendant hospital.
The Court of Appeal found that the common law tort of intrusion upon seclusion differs from thePHIPA legislative scheme in that:
- The priority of the Privacy Commissioner under PHIPA is systemic issues, not individual complaints;
- The elements of the common law tort are more difficult to establish than a breach ofPHIPA, so an action would not circumvent the legislation.
The common law tort of intrusion upon seclusion requires intentional or reckless conduct and an unlawful invasion into the plaintiff's private affairs, which a reasonable person would regard as highly offensive causing distress, humiliation or anguish – but not proof of actual harm. In comparison, an action for damages for a breach of PHIPA requires actual harm. Despite this distinction, the court found no significant difference between the damages recoverable in a common law action and the damages available under section 65(3) of PHIPA.
The risk of double recovery for the same breach of privacy should be avoidable. The Privacy Commissioner has the discretion not to review a matter which has already been dealt with by another proceeding.
The court's analysis and the decision make sense. However, it is curious that the improper access of the medical records of 281 patients did not constitute a systemic issue which the Privacy Commissioner would treat as a priority. The mischief in this decision may be the risk of duplicate legal proceedings based on the same alleged breach of privacy – if the Privacy Commissioner decides to proceed with a review, and finds a breach of PHIPA, despite an outstanding civil claim alleging breach of privacy.