Health Privacy: Is PHIPA the only game in town?
There is a new and interesting decision out of Peterborough that raises but doesn’t answer a lot of questions. These questions revolve around the intersection of PHIPA, class action law and tort law. This is not something you see everyday although we may have to wait awhile before the dust (and the law) settles.
The decision is Hopkins v. Kay had its origin in a data breach at the Peterborough Regional Health Center. Approximately two hundred and eighty patient records were intentionally and wrongfully accessed in 2011 and 2012. The hospital admitted as such, apologized and dismissed the individual employees who had accessed the records in question.
A class action lawsuit was filed in connection with the matter. With subsequent amendments, the only item left on the table was a claim alleging an intrusion upon seclusion based on the unauthorized access to personal health information and subsequent distribution of to unknown third parties.
The defendants filed a motion to strike the statement of claim alleging that there was no reasonable cause of action and that the court had no jurisdiction. The disposition of that motion occurs in this particular decision and the ruling is where things get interesting.
As a quick primer, in the event of a breach, the Personal Health Information Protection Act (“PHIPA”) allows a complaint to the Information and Privacy Commissioner of Ontario (“IPC”) [s. 56(1)]. The IPC has discretion as to whether or not to investigate[s. 56(4)]. At the end of the process, the IPC may issue an order. Following an issuance of an order that has become final, a person affected by the order may commence a proceeding for an order for damages for actual harm and damages for mental anguish, the latter not to exceed $10,000. [s. 65].
Given the regime in PHIPA, counsel for the Hospital took the position that new tort does not apply to the breach of personal health information in Ontario. PHIPA governs and to not recognize that “usurps the role of the legislature and the policy decisions that have been made and reflected in PHIPA”. Mr. Justice Edwards didn’t disagree but he also didn’t agree and noted:
“While it is argued by counsel for the Hospital that Jones dealt with Federal privacy legislation (“PIPEDA”), it is equally clear to me that Sharpe J.A. conducted a review of other similar legislation and specifically referred in his decision to PHIPA. At paragraphs 47-51, however, and again at paragraphs 52-54, there can be no doubt that Sharpe J.A. was well aware of the provisions of PHIPA and the potential impact of recognizing a common law tort of breach of privacy.”
Specific text in paragraph 49 of Jones is most interesting in this context:
“I am not persuaded that the existing legislation provides a sound basis for this court to refuse to recognize the emerging tort of intrusion upon seclusion and deny Jones a remedy. In my view, it would take a strained interpretation to infer from these statutes a legislative intent to supplant or halt the development of the common law in this area…”
And at paragraph 51:
“The Ontario legislation essentially deals with freedom of information and the protection of certain private information with respect to government and other public institutions. Like PIPEDA, it has nothing to do with private rights of action between individuals.”
This last comment referring to Ontario legislation, while true, does not consider the issue of damage claims under PHIPA. Reconciling the facts in this case with the above statement will be interesting exercise to watch. Mr. Justice Edwards determined that the law isn’t so straight-forward in this area and it needs to be clearer if he was going to dismiss any privacy claim. Just how PHIPA specifically interacts with tort law and the Jones case was left for a future decision by the Court of Appeal.
Jones involved a claim by one individual against another. No personal information protection statute in Canada really covers that scenario. To not recognize a tort of intrusion upon seclusion, however limited it may be, would have deprived an individual of a remedy in the common law. In this instance, a remedy under PHIPA exists. Perhaps, as a matter of public policy, we should be asking why a plaintiff couldn’t have the option of either using PHIPA or the common law. After all, the court in Jones did not insist on Ms. Jones pursuing her claim against the bank that employed Ms. Tsige.
Similarly, whether a group of people can pursue their claims collectively as a class action is the next interesting question. A finding by the IPC that there was a violation of PHIPA would certainly be a potent piece of evidence in a class action suit even if damages were limited to 10 or 20k per claimant.
In terms of the development of Canadian privacy law, how this claim ultimately plays out will be interesting to watch.