Court of Appeal holds that patients can sue hospitals for privacy breach
An Ontario Court of Appeal decision that gives patients the right to sue hospitals – and any other health information custodian – is an important ruling that will have far-reaching implications, says Toronto health lawyer Elyse Sunshine.
“It’s a huge decision with many implications for health care custodians,” she tells AdvocateDaily.com.
Sunshine, partner at Rosen Sunshine LLP, says that while the decision shouldn’t necessarily result in any substantive changes as to how hospitals manage their privacy practices, it’s another “wake-up call” to the importance of having privacy policies and practices and actually implementing them and instilling a culture of privacy for all staff. The implications of a privacy breach for an institution now will not just include just being the subject of a potential investigation by the privacy commissioner but being a defendant in a civil court case.
In Hopkins v. Kay bsp;2015 ONCA 112 (CanLII), a proposed class-actions suit, the plaintiff (respondent on appeal) alleges that her records as a patient at the Peterborough Regional Heath Centre were improperly accessed. The issue on appeal was whether the respondent is precluded from bringing a common law claim for intrusion upon seclusion in the Superior Court (established in Jones v. Tsige, 2012 ONCA 32 (CanLII)) because the Personal Health Information Protection Act (PHIPA) creates an exhaustive code.
The court dismissed the hospital’s appeal, concluding that the respondent isn’t precluded from asserting a common-law claim for intrusion upon seclusion in the Superior Court.
The court also awarded the respondent the costs of the appeal at $24,000.
The decision upholds an earlier decision that said Ontario’s health privacy laws do not prevent patients from seeking legal action against hospitals if their privacy is breached.
The Hopkins case started after 280 patients at the Peterborough hospital had their records snooped in 2011 and 2012. Erkenraadje Wensvoort, the respondent in this matter, was one of them.
The statement of claim alleges that she attended the hospital on several occasions for treatment of injuries inflicted by her then-husband. She eventually left her husband, but still feared for her safety and took steps to safeguard her identity. She contended that she feared her ex-husband had paid someone to access her patient records in order to find her.
Sunshine points out that though the decision in this matter gives patients the ability to sue hospitals for privacy breaches, the damages that would be available without proof of actual harm are “relatively modest.”
Sunshine says another important aspect of the decision is how the court stressed that PHIPA is really aimed at addressing systemic issues and that’s where it’s best suited.“
And as we are of late seeing more individual complaints, if made to the privacy commissioner, these can lead to systemic improvements," she says. “If individuals are seeking compensation for breaches of their privacy, these appear to be better dealt with through the court processes, even though it is more time consuming and more expensive for the involved parties."
The court notes "the broad discretion conferred on the Commissioner by PHIPA means that complainants would face an expensive and uphill fight on any judicial review challenging a decision not to review or proceed with an individual complaint."
Sunshine says it appears as if the court wants to keep the door open for patients to have their recourse.
“The court doesn’t want to limit an individual such that they potentially have no real recourse as a result of a privacy breach because of the discretion that’s afforded by PHIPA to the commissioner in terms of how privacy breaches are handled,” she says.
The interveners, the Ontario Hospital Association, supported the position of the appellants, and the Information and Privacy Commissioner supported the position of the respondent.
Sunshine says it’s also clear from the decision that the court placed a lot of emphasis on the comments from the commissioner.
Sunshine says it's unknown whether the decision will result in a flood of civil matters arising from health information privacy breaches.
“The court does note that the test from Jones is actually difficult to satisfy so I don’t know if it will, in the long run, open the flood gates,” she says. “It might in the short term.”
Sunshine notes that the ruling also applies to all custodians of health information, including private practice physicians, physiotherapy clinics, etc.
“This case is not limited to hospitals and the decision opens the door for patients to sue any health information custodian,” she says.
