The recent unauthorized disclosure of a National Football League ("NFL") player's medical records has garnered significant media attention. On July 8, 2015, ESPN reporter Adam Schefter posted images of NFL player Jason Pierre-Paul's medical charts on Twitter.1 The records detailed the medical procedures performed on Mr. Pierre-Paul's finger, which was injured in a fireworks incident on July 4th. In response to the news of his injury, the New York Giants pulled Mr. Pierre-Paul's long-term $60 million contract.2
The "twitterverse" quickly denounced Mr. Schefter's revelation as an improper violation of Mr. Pierre-Paul's privacy. While some people may disagree with Mr. Schefter's decision to post full medical records, the question of whether there has been a violation of legal privacy rights remains. If this situation had occurred in Canada, there would be a number of potentially relevant laws to consider.
Provincial Health Sector Legislation
Most Canadian provinces have implemented legislation governing collection, use and disclosure of personal health information.3 For example, in Ontario, the relevant legislation is the Personal Health Information Protection Act ("PHIPA").4 PHIPA applies to health information custodians within Ontario, and includes some provisions that apply to individuals and organizations that receive personal health information from such custodians.
Under PHIPA, a health information custodian who willfully discloses personal health information without consent can be found guilty of an offence and fined up to $50,000, if the person is a natural person, and otherwise up to $250,000.5 Furthermore, if a corporation commits such an offence, "...every officer, member, employee or other agent of the corporation who authorized the offence, or who had the authority to prevent the offence from being committed but knowingly refrained from doing so, is a party to and guilty of the offence and is liable, on conviction, to the penalty for the offence, whether or not the corporation has been prosecuted or convicted."6
In addition, if this incident had occurred in Ontario, Mr. Pierre-Paul could have a potential claim under PHIPA against the individual who disclosed his medical records to ESPN, if such individual was a health information custodian. Under PHIPA, a person affected by conduct giving rise to a conviction for an offence can sue for damages for actual harm caused by the contravention or offence.7 In addition, under PHIPA, willful or reckless conduct may give rise to an award of up to $10,000 for mental anguish.8 Furthermore, in Hopkins v Kay,9 the Ontario Court of Appeal held that PHIPA does not preclude separate tort claims. Therefore, a person who discloses medical records without authorization in Ontario could also face civil exposure for damages.
Tort of "Intrusion Upon Seclusion"
In Canada, the common law protects individuals against certain unauthorized intrusions upon privacy. In the leading case of Jones v Tsige,10 the Ontario Court of Appeal formulated a new tort of "intrusion upon seclusion", as follows:
One who intentionally [or recklessly] intrudes, physically or otherwise, upon the seclusion of another or his [or her] private affairs or concerns, is subject to liability to the other for invasion of his [or her] privacy, if the invasion would be highly offensive to a reasonable person.11
This tort is actionable without proof of economic harm, although the Court did establish some limits upon non-pecuniary damages.12 Jones v Tsige has been followed by courts in a number of Canadian jurisdictions outside of Ontario, including British Columbia,13 Nova Scotia,14 Newfoundland,15 and Manitoba.16
Medical records contain sensitive personal information, and it is conceivable that unauthorized disclosure of such records could meet the threshold of being "highly offensive to a reasonable person." Therefore, in Canada, Mr. Pierre-Paul would potentially have a claim for intrusion upon seclusion against a person who released his medical records.
Some provinces in Canada have enacted legislation creating a statutory privacy tort, which provides a right of action against a person who willfully and without a claim of right violates the privacy of another person.17 As with the common law tort described above, proof of damages is not required for such statutory torts. However, the statutory torts appear to establish a lower threshold for claims, as the violation of privacy does not need to meet the standard of being "highly offensive" to a reasonable person.
If an unauthorized disclosure of medical records were to occur in a province where a statutory privacy tort has been enacted, a person in Mr. Pierre-Paul's situation could have a potential recourse under such legislation.
Private Sector Privacy Legislation
In Canada, the federal Personal Information Protection and Electronic Documents Act ("PIPEDA") and substantially similar provincial legislation governs the collection, use and disclosure of personal information in the private sector.18 The term "personal information" has been interpreted broadly,19 and it would certainly include an individual's medical records. However, this legislation generally only applies to the activities of "organizations" (or, in Quebec, "enterprises"). Therefore, this legislation would not generally apply to an individual's actions unless such person was acting in the course of his/her employment, in which case the employing organization could potentially be held responsible for any privacy breach (such as the unauthorized disclosure of personal information).
Furthermore, under PIPEDA and substantially similar legislation, there are exceptions to consent requirements for collection, use and disclosure of personal information solely for journalistic purposes,20 which may be relevant in situations like the one facing Mr. Pierre-Paul.
The disclosure of Mr. Pierre-Paul's medical records provides a good illustration of the complex nature of privacy rights and restrictions. If this situation had occurred in Canada, there are a number of laws that could potentially apply, and such laws vary by province.
Given the complicated network of privacy and data protection laws in Canada, organizations would be well advised to consult with a legal advisor when collecting, using or disclosing personal information, especially sensitive information such as medical records.
1 Brian Stelter, "ESPN reporter tweets player's medical charts, and ethical questions erupt", CNN, July 7, 2015.
2 Dan Diamond, "Jason Pierre-Paul Lost His Finger. Did ESPN Violate HIPAA By Reporting It?", Forbes, July 8, 2015.
3 The only provinces that do not are Quebec and Prince Edward Island.
4 Personal Health Information Protection Act, 2004, SO 2004, c 3, Sched A.
5 Ibid at s 72.
6 Ibid at s 72(3).
7 Ibid at s 65(1).
8 Ibid at s 65(3).
9 2015 ONCA 112.
10 2010 ONCA 32.
11 Ibid at para 70.
12 Ibid at para 71.
13 Albayate v Bank of Montreal, 2015 BCSC 695.
14 Murray v Capital District Health Authority, 2015 NSSC 61.
15 Hynes v Western Regional Integrated Health Authority, 2014 NLTD(G) 137.
16 Grant v Winnipeg Regional Health Authority, 2015 MBCA 44.
17 Provinces with privacy acts include British Columbia, Manitoba, Newfoundland and Labrador, and Saskatchewan.
18 Personal Information Protection and Electronic Documents Act, SC 2000 c 5.
19 Canada (Information Commissioner) v Canada (Commissioner of the Royal Canadian Mounted Police),  1 SCR 66, 2003 SCC 8 at para 23.
20 Supra note 15, s 4.
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2015