In its highly anticipated decision released October 29, 2015, the Supreme Court of Canada dismissed a hospital’s application for leave to appeal the Ontario Court of Appeal decision of Hopkins v. Kay (“Hopkins”).
Hopkins involved a proposed class action proceeding against a hospital based on a novel common law privacy tort, “intrusion upon seclusion.” In this case, it was alleged that the electronic health record of the representative plaintiff and those of 280 other patients had been improperly accessed by hospital employees.
In October of 2013, the hospital sought to strike out the claim. It argued that the Personal Health Information Protection Act, 2004 (“PHIPA”) provided a complete statutory regime for dealing with privacy breaches relating to personal health information (“PHI”), which displaced the common law. The hospital’s application was unsuccessful, and the hospital appealed the decision to the Ontario Court of Appeal.
The issue on appeal was whether the class action lawsuit could proceed against the hospital or whether the claimants were limited to the statutory framework for privacy breach under PHIPA. The Ontario Court of Appeal held that PHIPA was not an exhaustive code and did not preclude an individual or individuals from pursuing an action in tort against a hospital for privacy breach. Since the Supreme Court of Canada declined to grant leave to appeal, the Court of Appeal decision stands and the class action can now proceed.
Evolution of Privacy Class Actions and Privacy Laws
The legal landscape has changed dramatically when it comes to potential liability for privacy breach. It remains to be seen how these issues will be addressed from a substantive perspective as these cases are still making their way through the courts.
One major development relates to the emergence of privacy class action lawsuits in Canada, generally, and in relation to breaches involving PHI. For example, class action lawsuits have been certified against regional health authorities, hospitals and public health authorities in relation to privacy and security breaches in multiple jurisdictions across Canada. In the health care context, the actions have typically involved unauthorized access to electronic health records (e.g. the “rogue” employee who intentionally accesses personal information for an improper purpose, such as “snooping”), loss of PHI (e.g. loss of PHI on an unencrypted USB key), or theft of PHI (e.g. “selling” PHI of new mothers to a private company).
A second major development relates to the acceptance of novel privacy causes of action in some jurisdictions. In Canada, there has traditionally been no independent action or tort for invasion of privacy. A claim for breach of confidentiality or breach of privacy would typically be brought in conjunction with a claim for negligence, breach of contract, wrongful dismissal or other action.
In January of 2012, the Ontario Court of Appeal released Jones v. Tsige (“Jones”), which established an independent privacy tort based upon “intrusion upon seclusion” in Ontario. The Court recognized that in certain cases where the conduct is intentional or reckless, there ought to be a right of action where there has been a “deliberate and significant invasion of personal privacy.” The Court also defined the specific elements that must be met for such a claim to succeed.
More recently, the Federal Court of Canada certified a class action against the federal government based on another novel tort, “public disclosure of private facts.” In this case, participants of Health Canada’s Marihuana Medical Access Program were sent notices that identified them as members of this program.
However, since the Jones decision, courts in several provinces, including British Columbia and Alberta, have declined to recognize a common law tort of invasion of privacy. Some provinces have statutory torts of invasion of privacy that may be applicable to the circumstances.
Statutory Breach of Privacy
In Ontario, PHIPA provides a statutory basis for damages for privacy breach. Specifically, there is a statutory right to seek compensation through the Ontario Superior Court for breach of privacy for actual harm suffered where an order has been issued by the Information and Privacy Commissioner (IPC) or there has been a conviction of an offence under PHIPA. PHIPA further provides that damages for mental anguish relating to breach of privacy, capped at $10,000.00, may be awarded where the action is wilful or reckless.
Until Hopkins, it was an open question as to whether an IPC order or conviction of an offence under PHIPA was a prerequisite to bringing a claim for damages for breach of privacy. Such a prerequisite would have limited the potential risk for health information custodians (“HICs”) significantly because, although numerous privacy breaches are reported to the IPC, there have been a limited number of orders issued and no successful convictions for PHIPA offences since the legislation came into force. Hopkins has now confirmed that such actions may proceed independent of the PHIPA regime.
Implications for Health Information Custodians
The test to strike out a claim on a preliminary motion like the one brought in this case is very high. The court will only strike a claim as disclosing “no reasonable cause of action” where it is “plain and obvious” that it has no chance of success. It will generally not decide novel issues of law on this type of motion.
This case involves a novel and evolving area of law. The Hopkins decision leaves the door open for these types of claims to be brought against hospitals, long-term care homes, community care access centres, family health teams, clinics, laboratories, pharmacies, health professionals and other HICs.
It is important to note that the substantive issues have not yet been considered. It remains to be seen how these issues will ultimately be decided by the courts and there are a number of outstanding questions. For example, under PHIPA, a HIC is legally responsible for the actions of its employees or agents. In its decisions, the IPC has determined this to be the case, even when the activity is not within the scope of employment, is contrary to the HIC’s policies, or is intentional or even criminal in nature. It is not known whether this expanded concept of vicarious liability will be extended by the courts.
In terms of dealing with risk relating to privacy breach, there are a number of considerations that HICs ought to keep in mind:
- Privacy class action lawsuits based on negligence law and mental distress have had minimal success in the absence of evidence of actual loss. In the absence of actual harm, damages for mental distress relating to the risk of fraud or identity theft are not compensable as they are minor and transient.
- Hopkins was brought on the basis of a privacy tort, which is an important distinction because it allows individuals to sue a HIC directly for privacy breach. If the claim is made out, there is an entitlement to damages, without having to show actual loss or harm. The scope and limits on this action remain to be determined. In the Jones case, the court noted that in the absence of loss or harm, damages for intrusion upon seclusion would be relatively modest. The potential risk relating to a class action lawsuit becomes much more significant given the number of individuals who may be impacted.
- It is increasingly important for HICs to be able to demonstrate that they have taken reasonable steps to address the privacy and security of PHI. This includes having comprehensive policies and procedures (including a privacy breach protocol), ongoing training of staff and agents, monitoring for compliance and auditing of electronic systems. It is important to be aware of changes in privacy and technology standards and guidelines, and to incorporate these into practice.
- Given the significant risk, the manner in which potential privacy and security breaches are investigated, managed and communicated, including patient notification and look-back, becomes critically important. Early involvement by legal counsel is essential.
- HICs must continue to take a risk-managed approach to addressing privacy risk, including when they are involved in information sharing initiatives or are contracting external service providers. From a contractual perspective, the potential mechanisms that are available require an analysis of the organization’s risk tolerance.
- Privacy risk can be very effectively managed through an enterprise risk framework. Depending on the HIC’s risk tolerance, it may look at strategies to avoid risk; to manage or mitigate risk; to allocate or share risk; or to transfer risk, for example through mechanisms such as insurance.
- Privacy risk may also relate to the cost of privacy breach notification and containment programs, particularly since notification of patients is mandatory under PHIPA. Where the privacy breach involves a large number of individuals, the cost of identifying and notifying individuals who have been impacted, and managing the breach, requires a significant expenditure of time and organizational resources. In some cases, additional measures are required to protect against risks such as identity theft, for example, credit monitoring services.
- Cyber and privacy risk protection is often not included in standard insurance coverage that is available to HICs. This may require the purchase of specific insurance products or coverage. There are a number of insurance products that are available that deal with cyber risk, data security and privacy breaches.
In the face of unprecedented change to the privacy landscape, the health industry should continue to take a risk-managed approach to addressing privacy risk and to monitor how it evolves. Perhaps more importantly, these issues raise significant public policy questions for a publicly funded health care system that is already under tremendous strain, where privacy legislation places ultimate liability on the individual HIC and where there is an absence of a provincial solution.