Canada: A New Era for Privacy Class Actions - Hopkins v. Kay and Implications for the Health Industry

Last Updated: November 18 2015
Article by Kathryn Frelick

In its highly anticipated decision released October 29, 2015, the Supreme Court of Canada dismissed a hospital's application for leave to appeal the Ontario Court of Appeal decision of Hopkins v. Kay ("Hopkins").

Hopkins involved a proposed class action proceeding against a hospital based on a novel common law privacy tort, "intrusion upon seclusion." In this case, it was alleged that the electronic health record of the representative plaintiff and those of 280 other patients had been improperly accessed by hospital employees.

In October of 2013, the hospital sought to strike out the claim. It argued that the Personal Health Information Protection Act, 2004 ("PHIPA") provided a complete statutory regime for dealing with privacy breaches relating to personal health information ("PHI"), which displaced the common law. The hospital's application was unsuccessful, and the hospital appealed the decision to the Ontario Court of Appeal.

The issue on appeal was whether or not the class action lawsuit could proceed against the hospital or whether the claimants were limited to the statutory framework for privacy breach under PHIPA. The Ontario Court of Appeal held that PHIPA was not an exhaustive code and did not preclude an individual or individuals from pursuing an action in tort against a hospital for privacy breach. Since the Supreme Court of Canada declined to grant leave to appeal, the Court of Appeal decision stands and the class action can now proceed.

Evolution of Privacy Class Actions and Privacy Laws

The legal landscape has changed dramatically when it comes to potential liability for privacy breach. It remains to be seen how these issues will be addressed from a substantive perspective as these cases are still making their way through the courts.

One major development relates to the emergence of privacy class action lawsuits in Canada, generally, and in relation to breaches involving PHI. For example, class action lawsuits have been certified against regional health authorities, hospitals and public health authorities in relation to privacy and security breaches in multiple jurisdictions across Canada. In the health care context, the actions have typically involved unauthorized access to electronic health records (e.g. the "rogue" employee who intentionally accesses personal information for an improper purpose, such as "snooping"), loss of PHI (e.g. loss of PHI on an unencrypted USB key), or theft of PHI (e.g. "selling" PHI of new mothers to a private company).

A second major development relates to the acceptance of novel privacy causes of action in some jurisdictions. In Canada, there has traditionally been no independent action or tort for invasion of privacy. A claim for breach of confidentiality or breach of privacy would typically be brought in conjunction with a claim for negligence, breach of contract, wrongful dismissal or other action.

In January of 2012, the Ontario Court of Appeal released Jones v. Tsige ("Jones"), which established an independent privacy tort based upon "intrusion upon seclusion" in Ontario. The Court recognized that in certain cases where the conduct is intentional or reckless, there ought to be a right of action where there has been a "deliberate and significant invasion of personal privacy." The Court also defined the specific elements that must be met for such a claim to succeed.

More recently, the Federal Court of Canada certified a class action against the federal government based on another novel tort, "public disclosure of private facts." In this case, participants in Health Canada's Marihuana Medical Access Program were sent notices that identified them as members of this program.

However, since the Jones decision, several provinces, including British Columbia and Alberta, have had court decisions which have not recognized a common law tort of invasion of privacy. Some provinces have identified statutory torts of invasion of privacy that may be applicable to the circumstances.

Statutory Breach of Privacy

In Ontario, PHIPA provides a statutory basis for damages for privacy breach. Specifically, there is a statutory right to seek compensation through the Ontario Superior Court for breach of privacy for actual harm suffered where an order has been issued by the Information and Privacy Commissioner (IPC) or there has been a conviction of an offence under PHIPA. PHIPA further provides that damages for mental anguish relating to breach of privacy, capped at $10,000.00, may be awarded where the action is wilful or reckless.

Until Hopkins, it was an open question as to whether an IPC order or conviction of an offence under PHIPA was a prerequisite to bringing a claim for damages for breach of privacy. Such a prerequisite would have limited the potential risk for health information custodians ("HICs") significantly because, although numerous privacy breaches are reported to the IPC, there have been a limited number of orders issued and no successful convictions for PHIPA offences since the legislation came into force. Hopkins has now confirmed that such actions may proceed independent of the PHIPA regime.

Implications for Health Information Custodians

The test to strike out a claim on a preliminary motion like the one brought in this case is very high. The court will only strike a claim as disclosing "no reasonable cause of action" where it is "plain and obvious" that it has no chance of success. It will generally not decide novel issues of law on this type of motion.

This case involves a novel and evolving area of law. The Hopkins decision leaves the door open for these types of claims to be brought against hospitals, long-term care homes, community care access centres, family health teams, clinics, laboratories, pharmacies, health professionals and other HICs.

It is important to note that the substantive issues have not yet been considered. It remains to be seen how these issues will ultimately be decided by the courts and there are a number of outstanding questions. For example, under PHIPA, a HIC is legally responsible for the actions of its employees or agents. In its decisions, the IPC has determined this to be the case, even when the activity is not within the scope of employment, is contrary to the HIC's policies, or is intentional or even criminal in nature. It is not known whether this expanded concept of vicarious liability will be extended by the courts.

In terms of dealing with risk relating to privacy breach, there are a number of considerations that HICs ought to keep in mind:

  • Privacy class action lawsuits based on negligence law and mental distress have had minimal success in the absence of evidence of actual loss. In the absence of actual harm, damages for mental distress relating to the risk of fraud or identity theft are not compensable as they are minor and transient.
  • Hopkins was brought on the basis of a privacy tort, which is an important distinction because it allows individuals to sue a HIC directly for privacy breach. If the claim is made out, there is an entitlement to damages, without having to show actual loss or harm. The scope and limits on this action remain to be determined. In the Jones case, the court noted that in the absence of loss or harm, damages for intrusion upon seclusion would be relatively modest. The potential risk relating to a class action lawsuit becomes much more significant given the number of individuals who may be impacted.
  • It is increasingly important for HICs to be able to demonstrate that they have taken reasonable steps to address the privacy and security of PHI. This includes having comprehensive policies and procedures (including a privacy breach protocol), ongoing training of staff and agents, monitoring for compliance and auditing of electronic systems. It is important to be aware of changes in privacy and technology standards and guidelines, and to incorporate these into practice.
  • Given the significant risk, the manner in which potential privacy and security breaches are investigated, managed and communicated, including patient notification and look-back, becomes critically important. Early involvement by legal counsel is essential.
  • HICs must continue to take a risk-managed approach to addressing privacy risk, including when they are involved in information sharing initiatives or are contracting external service providers. From a contractual perspective, the potential mechanisms that are available require an analysis of the organization's risk tolerance.
  • Privacy risk can be very effectively managed through an enterprise risk framework. Depending on the HIC's risk tolerance, it may look at strategies to avoid risk; to manage or mitigate risk; to allocate or share risk; or, to transfer risk, for example, through mechanisms such as insurance.
  • Privacy risk may also relate to the cost of privacy breach notification and containment programs, particularly since notification of patients is mandatory under PHIPA. Where the privacy breach involves a large number of individuals, the cost of identifying and notifying individuals who have been impacted, and managing the breach, requires a significant expenditure of time and organizational resources. In some cases, additional measures are required to protect against risks such as identity theft, for example, credit monitoring services.
  • Cyber and privacy risk protection is often not included in standard insurance coverage that is available to HICs. This may require the purchase of specific insurance products or coverage. There are a number of insurance products that are available that deal with cyber risk, data security and privacy breaches.

Conclusion

In the face of unprecedented change to the privacy landscape, the Health Industry should continue to take a risk-managed approach to address privacy risk and to monitor how it evolves. Perhaps more importantly, these issues raise significant public policy questions for a publicly funded health care system that is already under tremendous strain, where privacy legislation places ultimate liability on the individual HIC and where there is an absence of a provincial solution.

Miller Thomson's National Health Industry Group has extensive expertise in all aspects of personal health information privacy and would be pleased to assist on both a proactive and reactive basis.
