The Court of Appeal Finds PHIPA Does Not Create an Exhaustive Code

In Hopkins v Kay, the Ontario Court of Appeal recently ruled that a private plaintiff may bring a class proceeding for damages in tort against Peterborough Regional Health Center (PRHC) for unauthorized access to personal health information. As previously reported in the E-TIPS® newsletter here, Hopkins is an appeal from the lower court’s decision not to strike the plaintiffs’ cause of action for the tort of intrusion upon seclusion based on the defendants’ argument that the Ontario Personal Health Information Protection Act (PHIPA) provides complete and comprehensive protection for personal information in the healthcare context.

Following a privacy breach involving hundreds of medical records in 2011-2012, the plaintiffs, dissatisfied with the outcome of the Information and Privacy Commissioner’s investigation, launched this class action against the PRHC and based the claim on the common law tort of intrusion upon seclusion, recognized by the Court of Appeal in Jones v Tsige, which was previously reported in the E-TIPS® newsletter here.

The PRHC brought a motion to strike the proposed class action on the basis that PHIPA is an exhaustive code that ousts the jurisdiction of the Superior Court to entertain any common law claim for invasion of privacy rights in relation to patient records. However, the Court upheld the lower court’s decision and unanimously found that PHIPA is not an exhaustive code and does not preclude plaintiffs from pursuing an action in tort against a health care institution for a privacy breach.

The Court concluded that PHIPA provides an informal and highly discretionary review process that is tailored to deal with systemic issues rather than individual complaints. Further, PHIPA expressly contemplates the possibility of commencing a proceeding in the Superior Court (to seek damages following an order of the Commissioner). The Court opined that by allowing actions based on Jones to proceed in courts would not undermine the PHIPA scheme as it is more difficult to establish the elements of the common law cause of action and therefore it cannot be said that a plaintiff is circumventing any substantive provision of PHIPA by launching a common law action.

The Commissioner, as an intervener, submitted that his focus was the systemic remediation of contraventions of PHIPA, not providing remedies to individuals for an invasion of their health records. Accordingly, the Court noted that PHIPA may not afford effective redress in cases where individual complaints do not raise systemic issues or where any systemic issues raised have been addressed to the satisfaction of the Commissioner.

Based on the above, the Court refused to infer a legislative intention to confer exclusive jurisdiction on the Commissioner to address the privacy breaches of health records. The Court’s decision may have a sweeping impact as health information custodians may now face civil exposure for damages for future privacy breach incidents.