The Ontario Court of Appeal has affirmed the common law tort of intrusion upon seclusion applies to healthcare providers in Ontario, notwithstanding Ontario’s existing statutory scheme for protecting personal health information.
In the recent ground breaking case Hopkins v. Kay, 2015 ONCA 112, the Court held that the statutory enforcement scheme in Ontario’s Personal Health Information Protection Act, S.O. 2004, c.3, Sch. A (“PHIPA”) does not preclude common law claims for invasion of privacy in the healthcare industry.
In Hopkins v. Kay, the representative plaintiff seeks to bring a class action alleging hospital employees and others intentionally and wrongfully accessed healthcare records about her and approximately 280 other patients. The cause of action for the claim is the tort of intrusion upon seclusion.
This tort first appeared in the Ontario Court of Appeal’s decision in Jones v Tsige, 2012 ONCA 32. In that case, the Court set out the following requirements for a claim of intrusion upon seclusion to be successful: (1) intentional or reckless conduct by the defendant, (2) that the defendant invaded, without lawful justification, the plaintiff's private affairs or concerns; and (3) that a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish. Actual harm is not a requirement for this tort, although the Court commented that symbolic or moral damage awards in this context should not exceed $20,000.
The defendant Hospital brought a motion to dismiss the claim, arguing that the enforcement provisions in PHIPA form an exhaustive code for the enforcement of privacy rights against custodians of personal health information in Ontario. As a result of the statutory scheme in PHIPA, the Hospital argued, common law privacy breach claims should be precluded from being brought against personal health information custodians in Ontario. The Hospital’s motion was dismissed and the Hospital appealed.
The purposes for which PHIPA was enacted are set out in section 1. These purposes are: to set out rules for the collection, use and disclosure of personal health information about individuals, to protect such information’s confidentiality, and to provide for independent review and resolution of complaints with respect to personal health information, among other things.
A detailed enforcement scheme is set out in Part IV of PHIPA. Individuals may bring complaints about contraventions of PHIPA to the Information Privacy Commissioner of Ontario (the “Commissioner”). In response, the Commissioner may make inquiries, require settlement efforts, or authorize mediation. If none of these steps are taken, or if any of these steps fail to resolve the complaint, the Commissioner may choose to review, or not to review, the complaint.
A complaint is not required for the Commissioner to act with respect to breaches of PHIPA. The Commissioner may self-initiate a review of any matter where it is reasonable to believe there has been, or will be, a contravention of PHIPA.
PHIPA sets out procedures for the Commissioner to follow and gives him or her powers to make a variety of orders following a review. The Commissioner’s orders may be filed with the Superior court, at which time they become enforceable as a judgement of the court.
Where such an order has become final, a person affected by the order may commence a court proceeding for damages for actual harm suffered as a result of the contravention of PHIPA. Where the court finds the defendant engaged in the breach of PHIPA wilfully or recklessly, it may award damages for mental anguish not exceeding $10,000. Section 71 of PHIPA provides that no action or proceeding for damages may be instituted against a person for reasonable acts or omissions done in good faith in the exercise of any of their powers or duties under PHIPA.
The defendants argued that these previsions of PHIPA establish a statutory scheme that balances conflicting interests regarding personal health information. As a result, they argued, making the tort of intrusion upon seclusion available where PHIPA applies would defeat the legislature’s intention and contradict the code of enforcement in PHIPA.
The Court of Appeal disagreed with the defendant Hospital, and dismissed its motion.
First, the Court concluded that PHIPA’s enforcement provisions were primarily designed to facilitate the Commissioner’s investigation into systemic issues rather than to resolve individual complaints. In support of this conclusion, the Court considered the fact that many fundamental features of an adversarial system, such as oral hearings and cross-examination, are not present in PHIPA. The Court also commented that the Commissioner’s discretion to decide whether or not to review a complaint indicates PHIPA’s scheme is primarily directed at resolving systemic issues.
Second, the Court noted that it could not find any explicit language in PHIPA to support the defendant’s argument. On the contrary, the Court considered the prohibition against any “action or proceeding for damages” for reasonable acts or omissions done in good faith in the exercise of powers or duties under PHIPA (section 71 of PHIPA) to indicate the legislature specifically contemplated that common law actions may be brought with respect to personal health information.
The Court also dismissed the defendant’s allegation that permitting common law privacy actions in the healthcare context would enable plaintiffs to circumvent PHIPA. The Court based this conclusion on its view that the elements of the tort of intrusion upon seclusion are, on balance, more difficult to establish than a breach of PHIPA.
As a result, the court dismissed the Hospital’s assertion that PHIPA should oust the Superior Courts jurisdiction to make common law awards for breach of privacy with respect to personal health information.
Hopkins v. Kay confirms common law claims for breach of privacy may be brought in Ontario’s healthcare sector. Privacy breach tort claims may brought against personal health information custodians without any requirement that the Commissioner investigate a complaint or issue a report pursuant to PHIPA.
Claims for intrusion upon seclusion will be subject to the $20,000 limit on damages set out in Jones v Tsige (twice the limit in PHIPA) and may include additional punitive damages. While damages must be proven for a complainant to obtain a damage award pursuant to PHIPA, actual damages are not required to establish a claim for intrusion upon seclusion. By permitting plaintiffs to bring a privacy breach claim where individual damages need not be proven, Hopkins v. Kay may open the door to a significant increase in class actions claiming collective remedies for privacy breaches in Ontario’s health care sector.
Hopkins v. Kay also suggests that common law breach of privacy claims may be possible in other provinces, even where a personal health information protection statute similar to PHIPA is in place, and in other regulated industry sectors, even where a legislated enforcement scheme is in place.