The Personal Health Information Protection Act ("PHIPA") creates a myriad of obligations for "personal health information custodians", as defined by the Act. In a decision that will be of particular interest to employers in the healthcare sector, the Ontario Court of Appeal has ruled that the legislative scheme does not close the door on a potential action for breach of privacy involving the personal health information ("PHI") of patients or clients.
After approximately 280 patient records were improperly accessed by an employee of the Peterborough Regional Health Centre (the "Hospital"), and the patients were advised of the privacy breach, three (3) representative plaintiffs commenced a class action lawsuit (Hopkins v. Kay) against the Hospital, claiming "intrusion upon seclusion" (the privacy tort first recognized by the Ontario courts in Jones v. Tsige ("Jones")). According to the Statement of Claim, a Registered Practical Nurse (who was later terminated as a result of her actions) and other Hospital employees accessed patient records without authorization. The Claim alleged that the Hospital had not taken proper measures to implement policies and monitor staff to prevent unauthorized access to PHI. Although the Claim had originally relied on provisions of PHIPA as a basis for relief, it was later amended to rely solely on the common law tort of intrusion upon seclusion. The Hospital brought a motion to dismiss the action, claiming that the plaintiffs' rights were entirely governed by PHIPA, which created an exhaustive code in relation to PHI, and that there was no access to a common law remedy for the privacy breach. The motion was dismissed and the Hospital appealed.
On appeal, the Hospital argued that PHIPA created a comprehensive scheme, including complaint and enforcement mechanisms, that was intended to be the sole means to remedy violations of privacy related to PHI. The Hospital argued that the Act set up adequate methods of redress, and it was clearly the intention of the Legislature that PHIPA was to occupy this field of the law, to the exclusion of the common law of tort. The Court reviewed the history of the statute, and provided an overview of its mechanisms. The Court observed that the Commissioner (who oversees the Act) has broad investigative and procedural powers, but that there was no "adversarial" dispute resolution contemplated and that orders of the Commissioner only became enforceable upon being filed with the Superior Court. Moreover, upon a finding of a violation by the Commissioner, a complainant was expressly entitled to pursue a claim for damages in the courts, including a claim for mental anguish (s. 65 of the Act). The Act also provides immunity for "good faith" acts or omissions that violate the legislation, but provides for fines for willful violations.
The Court found that there was nothing express or implied in PHIPA that would suggest the Legislature intended PHIPA to exclusively occupy the field of PHI protection. While PHIPA provides an expansive and detailed regime for the collection, use and disclosure of personal information, it does not provide a dispute resolution mechanism that allows complainants to present and challenge evidence, instead focusing on the Commissioner's investigative authority. The legislation expressly contemplates the possibility that a complaint might be more properly addressed through some other procedure, and permits individuals to pursue claims for damages in the courts. While there was some overlap between proving a violation of the Act and making out the Jones tort, the two proceedings are sufficiently different that there was no reason to conclude that allowing an action to proceed would undermine the enforcement provisions of the Act. Finally, the Court found that the Commissioner has broad discretion on whether to investigate a particular complaint, but that the Commissioner focuses on systemic issues. While the remedies available to a complainant may be similar, there was significantly less chance of achieving redress through the PHIPA procedure since individual complaints rarely resulted in an order by the Commissioner. The authorities advanced by the Hospital were also distinguished. In the result, the appeal was dismissed and the matter was permitted to proceed in the courts.
It remains to be seen whether the class proceeding will be certified by the Superior Court, but given the decision in Evans v. The Bank of Nova Scotia (discussed here), it is likely that the representative plaintiff can get past this hurdle. So, what does it mean for employers who are responsible for collecting, using and disclosing PHI? Well, in addition to the risk of being publicly shamed through the PHIPA enforcement procedure, personal health information custodians also bear the risk of being held vicariously liable for breaches of privacy by their employees. Employers who possess PHI (whether covered by PHIPA as "personal health information custodians" or not) will want to ensure that they have robust policies, clearly communicate expectations to employees, provide adequate training on privacy protection, and implement effective safeguards to prevent unauthorized access and disclosure of such information. Failing to take these steps could result in significant liability.
Do you have questions about the protection of personal information? Concerned about a potential "intrusion upon seclusion" claim? Contact Lance Ceaser for cost-effective and expert help.