Privacy tort applies to breach of private health information
The Ontario Superior Court of Justice has considered the applicability of the common law tort of intrusion upon seclusion in the context of healthcare. In Hopkins v. Kay,1 the Court held that the recourse available for breaches of private health information under the Ontario Personal Health Information Protection Act (PHIPA)2 does not preclude a common law tort action for breach of privacy: PHIPA does not oust the common law.
Background
Between 2011 and 2012, approximately 280 patient records held by the Peterborough Regional Health Centre (Health Centre) were wrongfully and intentionally accessed without consent. The Health Centre acknowledged the breach, apologized to the affected patients, and dismissed the individuals who had improperly accessed the records. The plaintiffs, on behalf of themselves and all other affected patients, commenced a class action based on a common law tort recently recognized by the Court of Appeal in Jones v. Tsige: intrusion upon seclusion.3 The Health Centre brought a motion to strike the plaintiffs’ claim on the basis that there was no reasonable cause of action and that the Ontario Superior Court of Justice lacked jurisdiction to adjudicate the claim.
Common law tort not precluded by provincial privacy legislation
The Health Centre argued that the plaintiffs were precluded by PHIPA from commencing a common law action. PHIPA is a provincial statute with an enforcement framework, administered by the Information and Privacy Commissioner of Ontario, which prescribes a specific procedure for dealing with breaches of private health information. The PHIPA framework precludes any civil action based on the common law until after a conviction is issued under PHIPA, or until the Commissioner has issued a final order.
Noting that the threshold for striking out a claim is high, the Court held that it was not plain and obvious that the plaintiffs’ claim disclosed no reasonable cause of action. In dismissing the Health Centre’s motion, the Court observed that when the Court of Appeal first recognized the tort of intrusion upon seclusion in 2012, it was "well aware of the provisions of PHIPA and the potential impact of recognizing a common law tort of breach of privacy."4 The Court held that the tort recognized in Jones v. Tsige, a case dealing with federal legislation, should not be restricted to the facts of that case.
It should be noted that the Court’s decision simply allows the case to proceed, with the merits of the claim to be determined at trial.
Potential expansion of damage awards
In allowing the plaintiffs’ claim to proceed, the Court also noted the disparity between damages available under PHIPA compared to those available under the common law. Healthcare organizations should therefore be aware of the potential for an expanded range of damage awards for breaches of private health information. Under PHIPA, damages are capped at $10,000 for mental anguish. Should a claim for intrusion upon seclusion be successful, damages are not capped and are available even where there is no proof of actual loss. (However, the Court of Appeal in Jones v. Tsige noted that damage awards in cases where the plaintiff has suffered no pecuniary loss should be modest, and for such cases, the Court capped damages at $20,000). The common law tort also allows for aggravated and punitive damages in exceptional cases.5
The Court’s decision in Hopkins v. Kay is under appeal and is scheduled to be heard on December 15, 2014. Nonetheless, the availability of the tort of intrusion upon seclusion and the potential expansion of damage awards underscore the importance of reviewing data security policies and practices to ensure that personal information, including private health information, is well-protected.
_________________________
1 2014 ONSC 321.
2 S.O. 2004, c. 3.
3 2012 ONCA 32.
4 2014 ONSC 321 at para. 29.
5 2012 ONCA 32 at paras. 87-88.