Personal Health Data Breaches in Hopkins v Kay, 2015 ONCA 112

Posted By Jey Kumarasamy

Overview

The Ontario Court of Appeal’s decision in Hopkins v Kay involved a proposed class action proceeding against a hospital for the unauthorized access of personal health information by its employees.

The health information of the respondent, Erkenraadje Wensvoort, was improperly accessed by employees at the Peterborough Regional Health Centre (“hospital”). She was one of the 280 patients who were notified by the hospital, as required by Ontario’s Personal Health Information Protection Act (“PHIPA”), that the privacy of their personal health information had been breached. The respondent feared that her ex-husband, who had hurt her in the past, had orchestrated the breach in an attempt to locate her.

As a result, the respondent brought forward a common law claim for intrusion upon seclusion against the hospital and some of its employees.

The appellants sought to have the action dismissed on the grounds that PHIPA is an exhaustive code, which precludes the Superior Court from entertaining any causes of actions external to it, including those found in the common law.

The motion judge dismissed the appellants’ motion and allowed the respondent to bring her claim in the Superior Court.

The issue on appeal was whether the respondent is precluded from bringing a common law claim for intrusion upon seclusion in the Superior Court on the basis that PHIPA creates an exhaustive code. The Information and Privacy Commissioner of Ontario (“Commissioner”), who is responsible for the administration and enforcement of PHIPA, intervened in support of the respondent’s position.

Court of Appeal’s decision

The Court of Appeal concluded that PHIPA does not preclude a common law claim for intrusion upon seclusion. Their analysis centered on whether there was a legislative intention to create an exhaustive code with regards to PHIPA.

As there was no such explicit intention stated in PHIPA, the Court turned to the three factors listed by Cromwell J.A. in Pleau v Canada that should be considered when determining whether the legislature intended to create an exhaustive code.

First, the Court assessed whether “the process for dispute resolution” established in PHIPA is consistent with exclusive jurisdiction. To this extent, the Court recognized that the Act contains a “comprehensive set of rules about the manner in which personal health information may be collected, used, or disclosed across Ontario’s health care system.” However, the sections regarding the resolution of disputes give much discretion to the Commissioner, and the language (e.g. s. 57(4)(b) and s. 71) specifically contemplates the possibility that certain complaints related to personal health information may be the subject of a procedure that falls outside the scope of PHIPA.

Second, the Court looked at the “essential character” of the claim and asked whether the court’s assumption of jurisdiction would be consistent with the PHIPA scheme. The respondent’s claim for intrusion upon seclusion was based on the common law tort recognized in Jones v Tsige, and does not depend on PHIPA. The Court did not accept the appellants’ argument that allowing the respondent to pursue this cause of action would effectively amount to a circumvention of the statutory restrictions and limitations contained in PHIPA. Instead, the Court held that the respondent’s burden was higher now as a result of the additional elements required by a Jones v Tsige claim. The Court did acknowledge, however, that proof of actual harm is not required under the common law claim, unlike under PHIPA. Additionally, the alleged difference in the limitation periods of the two causes of actions was held to be insignificant in practice.

Finally, the Court assessed the Act’s capacity to afford “effective redress”. The Court once again highlighted the informal and discretionary nature of the review procedure under PHIPA, especially the Commissioner’s prerogative, pursuant to s. 57(4), to not review a complaint for any reason he or she considers appropriate. At this stage, the Court gave significant weight to the Commissioner’s own submission that “granting him exclusive jurisdiction over individual claims would impair his ability to focus on broader issues.” This, along with the Court’s own determination that the review procedure reflects a statutory focus on systemic issues, led the Court to postulate that it is plausible that many complaints of merit would never result in an order from the Commissioner.

Thus, the Court concluded that there was no legislative intention to create an exhaustive code and confer exclusive jurisdiction on the Commissioner.

Conclusion

The frequency and severity of personal health data breaches seem to be following a dangerous trend in Canada. The privacy commissioners of both British Columbia and Alberta have recently reported that health workers “snooping” on private data is among the most common breaches, and that “improper access of health information is becoming an epidemic.” In this context, the Court’s decision in Hopkins v Kay is a significant one. Allowing civil actions to be commenced outside the regime established by PHIPA for breach of personal health information in Ontario increases the legal options available to plaintiffs and potentially increases the legal risk for health information custodians.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s