Leave to Appeal Denied in Landmark Privacy Breach Case

On October 29, 2015, the Supreme Court of Canada dismissed the applications for leave to appeal from the judgment in Hopkins v. Kay, the groundbreaking privacy breach case decided earlier this year in which the Ontario Court of Appeal held that the Personal Health Information Protection Act, 2004 (“PHIPA”) does not preclude individuals who have been affected by a privacy breach from pursuing a civil lawsuit.

The Facts of Hopkins v. Kay

In Hopkins v. Kay, the representative plaintiff brought a class action lawsuit against Peterborough Regional Health Centre (the “Hospital”) alleging that her health records and those of approximately 280 other patients had been intentionally and improperly accessed by the Hospital and its employees. The claim was based on the common law tort of intrusion upon seclusion, which was first articulated by the Ontario Court of Appeal in Jones v. Tsige, 2012 ONCA 32. In Jones, the Court of Appeal explained that a claim of intrusion upon seclusion could succeed where: (1) there was intentional or reckless conduct by the defendant; (2) the defendant invaded, without lawful justification, the plaintiff’s private affairs or concerns; and (3) a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish. The Court of Appeal held that proof of actual harm is not an element of the tort for intrusion upon seclusion, but in cases that did not involve any pecuniary loss, a plaintiff’s damages would generally be capped at $20,000.

Hopkins was initially heard in October 2013 by Edwards J. of the Ontario Superior Court of Justice. The Hospital brought a motion to dismiss the action, arguing that the plaintiff was barred from making a common law claim for invasion of privacy because the statutory regime set out in PHIPA for dealing with privacy breaches was exhaustive. Justice Edwards did not comment on the merits of the case, but concluded that Ontario’s health privacy laws do not prevent patients from pursuing a legal action against health care providers where their privacy has been breached. The Hospital appealed this decision to the Ontario Court of Appeal.

The PHIPA Regime

The Information and Privacy Commissioner of Ontario (“IPC”) is responsible for the administration and enforcement of PHIPA and, as such, has the authority to conduct reviews under PHIPA in relation to the collection, use, disclosure, retention, disposal, access to, and correction of health records. Under PHIPA, individuals may bring complaints about contraventions of the act, including privacy breaches, to the IPC. The IPC has extensive procedural and investigative powers in relation to complaints and the power to make a number of remedial orders following a complaint review, including an order requirement a custodian of PHI to cease certain practices with respect to the use, collection or disclosure of PHI. A person affected by an order of the IPC may appeal on a question of law to the Divisional Court.

In addition, the Attorney General (or an agent of the Attorney General) may commence a prosecution for a summary conviction offence under PHIPA if he or she has reason to believe that there has been a willful collection, use, or disclosure of PHI in breach of the rules set out in PHIPA. The fine that may be imposed if there is a conviction for the offence is currently up to $50,000 for an individual, and up to $250,000 for organizations.

It is possible that an individual whose personal health information (“PHI”) is lost, stolen or inappropriately accessed breached can obtain compensation for the breach of PHIPA, but only in certain limited circumstances: where an order of the IPC or a conviction for an offence under PHIPA has become final as a result of there being no further right of appeal. Where this is the case, the person affected may commence an action in the Superior Court of Justice for damages for actual harm that they have suffered as a result of a breach of PHIPA or as a result of the conduct that resulted in the conviction.  If the Superior Court of Justice finds that the harm suffered by the plaintiff was caused by a breach of PHIPA or an offence that was willful or reckless, it may award damages of up to $10,000 for mental anguish.

The Ontario Court of Appeal’s Decision in Hopkins v. Kay

The Court of Appeal found that the IPC does not have exclusive jurisdiction under PHIPA to hear claims related to privacy breaches of personal health information, and that accordingly, individuals are permitted to directly pursue civil claims through the court system.

The Court grounded its decision in the following three lines of reasoning:

1. the enforcement provisions of PHIPA were primarily designed to investigate and resolve systemic issues related to health information privacy rather than individual complaints;

2. there is nothing in PHIPA that suggests it is an exhaustive code which precludes a right of action in court for a breach of an individual’s privacy; and

3. allowing individual civil claims for privacy breaches will not undermine the PHIPA enforcement scheme because the elements of the common law tort of intrusion upon seclusion are more difficult to establish than a breach of PHIPA.

In addition, the Court of Appeal noted that PHIPA’s privacy breach review procedure does not necessarily ensure that individuals who complain to the IPC about their privacy rights will have an effective redress, and for this reason, the Court concluded, individuals should not be hindered from pursuing civil actions such as the one initiated in this case. Accordingly, the Court of Appeal dismissed the appeal.

Implications

As the Supreme Court of Canada did not grant leave to appeal, the Ontario Court of Appeal’s decision in Hopkins v. Kay remains the final pronouncement of the law in Ontario on this issue. The financial consequences for custodians of PHI, such as hospitals, other health institutions and individual health care professionals, who may be sued in tort for privacy breaches, could be significant, as each plaintiff may seek damages up to $20,000, as well as potential punitive damages, and class actions (such as that at issue in Hopkins v. Kay) could result in sizeable damages awards in the case of a large scale breach.

While the decision in Hopkins v. Kay does not affect the substantive privacy obligations under PHIPA for custodians of PHI, the fact that it opens the door to claims in tort for privacy breaches should serve as a reminder of the importance of having adequate privacy policies and practices in place and ensuring that they are appropriately implemented.

If you require assistance in ensuring that your privacy or your organization’s practices comply with legislation and best practices, please contact us to learn more about our PHIPA Compliance Services.