In a decision of particular significance to healthcare
institutions and their employees, the Ontario Court of Appeal has
affirmed the applicability of the common law tort of intrusion upon
seclusion in the healthcare context. In Hopkins v. Kay,
2015 ONCA 112, the Court of Appeal affirmed that the Ontario
Personal Health Information Protection Act, S.O. 2004, c. 3,
Sch. A (PHIPA), does not preclude a common law tort action for
breach of privacy.
Between 2011 and 2012, approximately 280 patient records held by
the Peterborough Regional Health Centre (Health Centre) were
wrongfully and intentionally accessed without consent. The affected
patients commenced a class action suit against the Health Centre on
the basis of intrusion upon seclusion. The tort of intrusion upon
seclusion was previously recognized by the Court of Appeal in
Jones v. Tsige, where the court outlined the following
three requirements of the claim:
there is an intentional or reckless intrusion on a person's
there is no lawful justification for the intrusion; and
viewed objectively, the intrusion was highly offensive or
causing distress, humiliation or anguish.
The Health Centre brought a motion to strike the plaintiffs'
claim on the basis that there was no reasonable cause of action and
that the Ontario Superior Court of Justice lacked jurisdiction. The
motion was dismissed (as previously reported by Torys in our
Privacy tort applies to breach of private health
information," and the Health Centre appealed.
Common law tort not precluded by provincial privacy
On appeal, the Health Centre contended that PHIPA was an
"exhaustive code" which precludes a plaintiff from
commencing a common law action. PHIPA grants the Information and
Privacy Commissioner of Ontario extensive procedural and
investigative powers and the power to make a variety of orders. It
also includes a mechanism whereby an individual may bring a civil
action for damages arising from harm caused by a privacy breach.
Because of this, the Health Centre argued that it was the intent of
the legislature that claims pertaining to personal health
information be resolved solely in accordance with PHIPA, thereby
excluding any additional remedies through the courts.
The Court of Appeal disagreed with the Health Centre, stating
that "[w]hile PHIPA does contain a very exhaustive set of
rules and standards for custodians of personal health information,
details regarding the procedure or mechanism for the resolution of
disputes are sparse," and that "to the extent PHIPA does
provide for individual remedies, it turns to the courts for
enforcement." The Court held that there is no basis to
conclude that the legislative intent of PHIPA was to confer
exclusive jurisdiction on the Commissioner to resolve disputes
related to misuse of personal health information. Allowing the
plaintiff's claim to proceed would not undermine the PHIPA
scheme. Thus, the decision permits this case to proceed, but did
not rule on the merits of the claim.
Potential expansion of damage awards
In allowing the plaintiffs' claim to proceed, the Court also
noted that the Commissioner has no power to award damages. An
individual complainant can seek damages only by commencing an
action in the Superior Court following either a final order of the
Commissioner or a conviction under the Act. The Court of Appeal
concluded that PHIPA provides an informal and discretionary review
process that "is not tailored to deal with individual
Healthcare institutions should be aware that the limit on
damages available under PHIPA is lower than the cap on damages for
intrusion upon seclusion. Under PHIPA, damages for mental anguish
are limited to a maximum of $10,000. There is no cap on damages for
a successful intrusion upon seclusion claim, but the Court of
Appeal in Jones v. Tsige did limit the damages to $20,000
where there is no proof of pecuniary loss. Unlike PHIPA, the common
law tort also allows for aggravated and punitive damages in
Another important difference between PHIPA and the common law
tort is that a two-year limitation period applies to bringing the
tort action, while the statute imposes a one-year limitation period
for initiating a complaint. Even though the Commissioner is
permitted to extend the one-year period under certain circumstances
(and there is no time limit on self-initiated reviews by the
Commissioner), healthcare institutions should be mindful of the
two-year limitation period.
In the wake of the Court of Appeal's decision, healthcare
institutions are encouraged to review and strengthen data
protection practices and policies to ensure that private health
information is secure.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).