Court of Appeal affirms: privacy tort applies to breach of private health information

In a decision of particular significance to healthcare institutions and their employees, the Ontario Court of Appeal has affirmed the applicability of the common law tort of intrusion upon seclusion in the healthcare context. In Hopkins v. Kay, 2015 ONCA 112, the Court of Appeal affirmed that the Ontario Personal Health Information Protection Act, S.O. 2004, c. 3, Sch. A (PHIPA), does not preclude a common law tort action for breach of privacy.

Background

Between 2011 and 2012, approximately 280 patient records held by the Peterborough Regional Health Centre (Health Centre) were wrongfully and intentionally accessed without consent. The affected patients commenced a class action suit against the Health Centre on the basis of intrusion upon seclusion. The tort of intrusion upon seclusion was previously recognized by the Court of Appeal in Jones v. Tsige, where the court outlined the following three requirements of the claim:

• there is an intentional or reckless intrusion on a person’s private affairs;
• there is no lawful justification for the intrusion; and
• viewed objectively, the intrusion was highly offensive or causing distress, humiliation or anguish.

The Health Centre brought a motion to strike the plaintiffs’ claim on the basis that there was no reasonable cause of action and that the Ontario Superior Court of Justice lacked jurisdiction. The motion was dismissed (as previously reported by Torys in our bulletin "Privacy tort applies to breach of private health information," and the Health Centre appealed.

Common law tort not precluded by provincial privacy legislation

On appeal, the Health Centre contended that PHIPA was an "exhaustive code" which precludes a plaintiff from commencing a common law action. PHIPA grants the Information and Privacy Commissioner of Ontario extensive procedural and investigative powers and the power to make a variety of orders. It also includes a mechanism whereby an individual may bring a civil action for damages arising from harm caused by a privacy breach. Because of this, the Health Centre argued that it was the intent of the legislature that claims pertaining to personal health information be resolved solely in accordance with PHIPA, thereby excluding any additional remedies through the courts.

The Court of Appeal disagreed with the Health Centre, stating that "[w]hile PHIPA does contain a very exhaustive set of rules and standards for custodians of personal health information, details regarding the procedure or mechanism for the resolution of disputes are sparse," and that "to the extent PHIPA does provide for individual remedies, it turns to the courts for enforcement." The Court held that there is no basis to conclude that the legislative intent of PHIPA was to confer exclusive jurisdiction on the Commissioner to resolve disputes related to misuse of personal health information. Allowing the plaintiff’s claim to proceed would not undermine the PHIPA scheme. Thus, the decision permits this case to proceed, but did not rule on the merits of the claim.

Potential expansion of damage awards

In allowing the plaintiffs’ claim to proceed, the Court also noted that the Commissioner has no power to award damages. An individual complainant can seek damages only by commencing an action in the Superior Court following either a final order of the Commissioner or a conviction under the Act. The Court of Appeal concluded that PHIPA provides an informal and discretionary review process that "is not tailored to deal with individual claims."

Healthcare institutions should be aware that the limit on damages available under PHIPA is lower than the cap on damages for intrusion upon seclusion. Under PHIPA, damages for mental anguish are limited to a maximum of $10,000. There is no cap on damages for a successful intrusion upon seclusion claim, but the Court of Appeal in Jones v. Tsige did limit the damages to $20,000 where there is no proof of pecuniary loss. Unlike PHIPA, the common law tort also allows for aggravated and punitive damages in exceptional cases.

Another important difference between PHIPA and the common law tort is that a two-year limitation period applies to bringing the tort action, while the statute imposes a one-year limitation period for initiating a complaint. Even though the Commissioner is permitted to extend the one-year period under certain circumstances (and there is no time limit on self-initiated reviews by the Commissioner), healthcare institutions should be mindful of the two-year limitation period.

In the wake of the Court of Appeal’s decision, healthcare institutions are encouraged to review and strengthen data protection practices and policies to ensure that private health information is secure.