Back in 2012, the Ontario Court of Appeal recognized the tort of invasion of privacy – fast forward to the recent string of privacy breaches of personal information held by health care facilities in Ontario. Along comes Hopkins v Kay, 2014 ONSC 321 (CanLII), where patients from the Peterborough Regional Health Centre (the “Hospital”) have launched a $5.6 million class action lawsuit against the Hospital alleging that approximately 280 patient records were intentionally and unlawfully accessed and disseminated to third parties without the patients’ consent.
The Hospital, in response, brought a motion to strike the plaintiffs’ claim on the basis that it did not disclose a cause of action, arguing that the claim was precluded by the Personal Health Information Protection Act, 2004, SO 2004, c 3, Sch A (“PHIPA”) because the legislature intended PHIPA to be a comprehensive code that displaces any common law cause of action, including intrusion upon seclusion (aka the tort of breach of privacy). The Hospital’s position is that the plaintiffs’ only recourse is a complaint to the Privacy Commissioner.
The Ontario Superior Court of Justice dismissed the Hospital’s motion to strike, concluding that it was not plain and obvious that the claim disclosed no reasonable cause of action, and the Hospital launched an appeal of this decision.
The Ontario Court of Appeal subsequently held that the Hospital cannot escape from the proposed class action proceeding on the basis of the provisions of PHIPA.
The proposed class action was launched by a former patient whose records were improperly accessed. Her claim was based on the common law tort of intrusion upon seclusion, a claim recognized by Ontario courts in Jones v. Tsige, 2012 ONCA 32, 108 O.R. (3d) 241.
The representative plaintiff, Erkenraadje Wensvoort, claims that she attended the Hospital on several occasions for treatment of injuries inflicted by her ex-husband. She eventually left her husband, but still feared for her safety. Along with two hundred eighty other patients, the plaintiff received two notices from the Hospital notifying her that the privacy of her personal health information had been breached. The plaintiff was afraid that her ex-husband had paid someone to access her records in order to try to find her.
Wensvoort initially relied on breaches of PHIPA to assert a cause of action, but she later amended her statement of claim to contain only the common law cause of action identified in Jones v. Tsige for intrusion upon seclusion.
PHIPA is an Ontario law that governs the collection, use and disclosure of personal health information. It also provides rules to protect the confidentiality of that information and the privacy of individuals, while facilitating the effective provision of health care.
PHIPA provides that an individual may make a complaint to Ontario’s Information and Privacy Commission for contravention of the Act and the Commissioner has powers to make a variety orders to ensure compliance with the Act.
The Court also noted that:
The possibility of recovering damages as a result of a breach of PHIPA is the subject of s. 65:
65. (1) If the Commissioner has made an order under this Act that has become final as the result of there being no further right of appeal, a person affected by the order may commence a proceeding in the Superior Court of Justice for damages for actual harm that the person has suffered as a result of a contravention of this Act or its regulations.
(2) If a person has been convicted of an offence under this Act and the conviction has become final as a result of there being no further right of appeal, a person affected by the conduct that gave rise to the offence may commence a proceeding in the Superior Court of Justice for damages for actual harm that the person has suffered as a result of the conduct.
(3) If, in a proceeding described in subsection (1) or (2), the Superior Court of Justice determines that the harm suffered by the plaintiff was caused by a contravention or offence, as the case may be, that the defendants engaged in wilfully or recklessly, the court may include in its award of damages an award, not exceeding $10,000, for mental anguish.
The Court of Appeal pointed out that PHIPA does not allow the Commissioner to award damages, and instead requires individuals to bring an action in Superior Court to seek compensation for any harm caused. The Court found that this undermines the argument that the legislature intended to exclude courts from resolving disputes governed by PHIPA.
The Court ultimately concluded that PHIPA does not confer exclusive jurisdiction on the Commissioner to resolve all disputes over misuse of personal health information, holding:
PHIPA’s highly discretionary review procedure is tailored to deal with systemic issues rather than individual complaints. There is no basis to exclude the jurisdiction of the Superior Court from entertaining a common law claim for breach of privacy and, given the absence of an effective dispute resolution procedure, there is no merit to the suggestion that the court should decline to exercise its jurisdiction.
The health care community needs to be even more vigilant in its efforts to protect the privacy of health information, now that Hopkins has thrown the doors wide open to tort claims against custodians of health information for privacy breaches.