The Ontario Court of Appeal has recently allowed common law actions for invasions of privacy relating to personal health information. In so doing, the Court has made it clear that the Ontario Personal Health Information Protection Act, S.O. 2004, c.3, Sched. A (“PHIPA”) does not preclude courts from hearing civil actions for invasion of privacy rights in relation to patient records.

In Hopkins v. Kay, 2015 ONCA 112, per Sharpe J.A., the plaintiffs commenced a class action against the Peterborough Regional Health Centre (the “Hospital”) on the basis that their patient records at the Hospital were improperly accessed. The claim was based upon the new tort of “intrusion upon seclusion”; this tort was established by the Court of Appeal in Jones v. Tsige, 2012 ONCA 32 to award damages to plaintiffs whose privacy rights have been infringed.

The representative plaintiff in Hopkins had attended the Hospital on several occasions for treatment to injuries inflicted upon her by her ex-husband. Though the plaintiff had left her husband, she was still concerned for her safety and took measures to protect her identity. The plaintiff, along with 280 other patients, were notified by the Hospital, pursuant to PHIPA, that the privacy of her personal health information had been breached. The plaintiff was concerned her ex-husband had paid someone to access her patient records to locate her. The claim in the class action alleged that a nurse at the Hospital and other Hospital employees had improperly accessed and disclosed patient records. The claim further alleged that the Hospital failed to adequately monitor its staff and implement policies and systems to prevent the improper access to personal health information and records. The class action sought damages against the Hospital for intrusion upon seclusion.

Following the commencement of the class action, the Hospital brought a motion under Rule 21 of the Rules of Civil Procedure, R.R.O. 1990, Reg. 194 to dismiss the claim on the basis that PHIPA represented an exhaustive code for breaches of privacy rights relating to personal health information. According to the Hospital, Ontario Courts therefore have no jurisdiction to hear civil claims based on breaches of privacy rights governed by PHIPA.

The Court of Appeal dismissed the Hospital’s motion and held that PHIPA does not create an “exhaustive code”. Accordingly, the plaintiffs could bring a class action for intrusion upon seclusion for the defendants’ improper access to and disclosure of patient records.

After analyzing the legislative scheme set out in PHIPA, the Court of Appeal made the following rulings:

1. The Ontario Legislature Did Not Intend to Create an Exhaustive Code in PHIPA.

First, the Court held that the process established under PHIPA for breaches of privacy relating to personal health information was designed to allow an investigation into systemic privacy issues. In other words, PHIPA was not designed for the resolution of individual privacy complaints.

The Court recognized that the Act gives the Information and Privacy Commissioner (the “Commissioner”) the power to review breaches of privacy. However, the Court held that the Act leaves the procedure to be followed in conducting these reviews to the Commissioner. For example, reviews were generally conducted in writing and there was no requirement for an oral hearing. Moreover, section 57(4)(b) of the Act provides that one of the factors the Commissioner is to take into account in deciding whether to investigate a privacy complaint is whether the complaint could more appropriately be dealt with “by means of a procedure, other than a complaint under [PHIPA]”. Accordingly, the complaint procedure under PHIPA was never intended to be exhaustive and exclusive.

Perhaps most important, under PHIPA, the Commissioner has no power to award damages. Under section 65 of the Act, where the Commissioner makes an order that the individual complainant can seek damages to compensate for the actual harm suffered as a result of violations of PHIPA, the complainant has to commence a proceeding in the Superior Court to seek damages. Accordingly, the Court of Appeal held that the inability of the Commissioner to award damages meant that the Commissioner was never intended to play a comprehensive role in dealing with individual complaints.

Second, the essential nature of the plaintiff’s claim in this case was one based on the tort of intrusion upon seclusion. According to the Court, actions based on this tort would not undermine the PHIPA scheme. The elements required to establish a claim for intrusion upon seclusion are as follows: (i) intentional or reckless conduct by the defendant; (ii) that the defendant invaded, without lawful justification, the plaintiff’s private affairs or concerns; and (iii) that a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish. The Court held that these elements for the common law action were more difficult to establish than a breach of PHIPA. Accordingly, the plaintiff in an action for intrusion upon seclusion would not be trying to “circumvent” PHIPA by commencing a civil action.

Third, the complaint procedure set out under PHIPA does not provide the individual with “effective redress” in the Court’s view. The Commissioner, who intervened in the appeal in Hopkins, submitted that while the Court’s focus on an action for intrusion upon seclusion was to provide remedies to individuals, the Commissioner was required to focus on addressing “systemic remediation of contraventions of PHIPA”. The Court therefore held that where an individual complaint under PHIPA did not raise systemic issues, the Commissioner had the power to decline to conduct a review or make an order that could form the basis for a claim in damages in civil court. Moreover, complainants under PHIPA who were denied the opportunity to pursue a complaint by the Commissioner, would have to face an “expensive and uphill fight on any judicial review challenging a decision not to review [the PHIPA complaint]”. Accordingly, the PHIPA process did not provide an adequate mechanism of redress for civil complaints.

For all of the reasons set out above, the Court concluded that the Ontario Legislature never intended PHIPA to be an “exhaustive code” to redress individual breaches of privacy rights relating to personal health information.

2. Case Law Relating to the Exclusive Jurisdiction of PHIPA Is Distinguishable

In support of its argument that PHIPA created an exhaustive code that ousted the jurisdiction of the civil courts, the Hospital relied on certain lines of authority where the Court’s jurisdiction had been ousted in favour of the governing tribunal’s jurisdiction over the matter. The Court held that all these lines of authority were distinguishable:

  1. First, while the Supreme Court of Canada in Seneca College v. Bhadauria, [1981] 2 S.C.R 181 had held that the Ontario Human Rights Code constituted a comprehensive statutory scheme precluding a civil action for discrimination based on the common law, the Court held that the Human Rights Code was different from PHIPA. That is, unlike the Code, PHIPA explicitly contemplates the possibility of other proceedings in relation to claims arising from the improper use of personal health information.
  2. Second, in the labour relations context, provisions of the Ontario Labour Relations Act required all collective agreements to provide for final and binding arbitration of any dispute between the parties arising from the agreement. The Court in Hopkins held that labour grievances and arbitrations represented an “accessible mechanism for comprehensive and efficient dispute resolution”. By contrast, PHIPA was not tailored to deal with individual complaints and its invocation depends largely upon the Commissioner’s discretion.
  3. Third, with respect to privacy statutes in other provinces, i.e. British Columbia and Alberta, where the Courts held that privacy statutes “occupied the field” and precluded civil actions based on breaches of privacy, the Court held that in these provinces there was a statutory cause of action for breach of privacy. By comparison, in Ontario there was no general statutory cause of action for breaches of privacy. The wrong the plaintiff sought to redress in Hopkins was based on the common law of intrusion upon seclusion, not a breach of a statute.

For all of the foregoing reasons, the Court held that the case law on which the Hospital relied was distinguishable and did not support the argument that PHIPA was a comprehensive code.

The decision in Hopkins represents an important step in the evolution of privacy law in Ontario. The Court of Appeal established that breaches of privacy relating to personal health information can form the basis of an action in tort, despite the regulation of the use and disclosure of personal health information by statute. The Court’s analysis was clearly governed by a concern to provide individual complainants with a feasible form of redress in the civil courts.