PHIPA does not Protect Health Information Custodians from Lawsuits

February 18, 2015

The Court of Appeal for Ontario has held that a hospital can be sued (in a proposed class action) for a privacy breach.

In Hopkins v. Kay, the class plaintiff alleged that her records as a patient at the Peterborough Regional Heath Centre were improperly accessed. She based her claim on the common law tort of intrusion upon seclusion, set out in Jones v. Tsige.

The hospital brought a Rule 21 motion to dismiss the claim on the ground that the Personal Health Information Protection Act (“PHIPA”) is an exhaustive code that ousts the jurisdiction of the Superior Court to entertain any common law claim for invasion of privacy rights in relation to patient records.


By way of background, PHIPA is an Ontario law that governs the collection, use and disclosure of personal health information within the health sector. The statute’s object is to keep personal health information confidential and secure. The Information and Privacy Commissioner of Ontario is responsible for the administration and enforcement of PHIPA.

An individual who has reasonable grounds to believe that another person has or is about to contravene a provision of PHIPA may complain to the Commissioner. The Commissioner is given extensive procedural and investigative powers in relation to complaints and the power to make a variety of orders following a review. The Act gives the complainant the right to make representations to the Commissioner but does not contemplate a formal adversarial hearing for the resolution of complaints. An appeal from the Commissioner’s order on a question of law lies to the Divisional Court.

Of note is section 65 of PHIPA, dealing with remedies:

65.  (1)  If the Commissioner has made an order under this Act that has become final as the result of there being no further right of appeal, a person affected by the order may commence a proceeding in the Superior Court of Justice for damages for actual harm that the person has suffered as a result of a contravention of this Act or its regulations.

(2)  If a person has been convicted of an offence under this Act and the conviction has become final as a result of there being no further right of appeal, a person affected by the conduct that gave rise to the offence may commence a proceeding in the Superior Court of Justice for damages for actual harm that the person has suffered as a result of the conduct.

(3)  If, in a proceeding described in subsection (1) or (2), the Superior Court of Justice determines that the harm suffered by the plaintiff was caused by a contravention or offence, as the case may be, that the defendants engaged in wilfully or recklessly, the court may include in its award of damages an award, not exceeding $10,000, for mental anguish. [emphasis added]

With respect to bringing actions against a custodian of personal information:

71.  (1)  No action or other proceeding for damages may be instituted against a health information custodian or any other person for,

(a) anything done, reported or said, both in good faith and reasonably in the circumstances, in the exercise or intended exercise of any of their powers or duties under this Act; or

(b) any alleged neglect or default that was reasonable in the circumstances in the exercise in good faith of any of their powers or duties under this Act.

(2)  Despite subsections 5(2) and (4) of the Proceedings Against the Crown Act, subsection (1) does not relieve the Crown of liability in respect of a tort committed by a person mentioned in subsection (1) to which it would otherwise be subject.

Superior Court Motion

The motion judge dismissed the motion, holding that it was not plain and obvious that the claim based on Jones v. Tsige could not succeed.

Court of Appeal

On appeal, the defendants submitted that PHIPA amounts to a comprehensive code that reflects a careful legislative attempt to balance various conflicting interests. They contend that PHIPA’s careful balance would be disturbed if claims based on Jones v. Tsige were entertained by the courts in relation to personal health information. They argued that allowing these common law claims would contradict the statutory scheme, defeat the intention of the legislature, and undermine the policy choices embodied in PHIPA.

The Court of Appeal dismissed the appeal.

After setting out the various provisions in PHIPA, the Court found that there was nothing in PHIPA – either implicitly or expressly – that suggested a legislative intention to confer exclusive jurisdiction on the Privacy Commissioner to resolve all disputes over misuse of personal health information:

I conclude that the language of PHIPA does not imply a legislative intention to create an exhaustive code in relation to personal health information. PHIPA expressly contemplates other proceedings in relation to personal health information. PHIPA’s highly discretionary review procedure is tailored to deal with systemic issues rather than individual complaints. Given the nature of the elements of the common law action, I do not agree that allowing individuals to pursue common law claims conflicts with or would undermine the scheme established by PHIPA, nor am I satisfied that the review procedure established by PHIPA ensures that individuals who complain about their privacy in personal health information will have effective redress. There is no basis to exclude the jurisdiction of the Superior Court from entertaining a common law claim for breach of privacy and, given the absence of an effective dispute resolution procedure, there is no merit to the suggestion that the court should decline to exercise its jurisdiction.

The Aftermath

In Jones v. Tsige, the Court of Appeal created a new privacy tort that allowed individuals to sue people or companies for privacy breaches. This new decision brings the Jones v. Tsige tort to the healthcare sector, arguably the custodian of the most sensitive kind of personal information.

We live in an age of increasing privacy threats and awareness. Hopkins provides yet another example of how lawmakers and courts are doing whatever they can to protect personal information, while punishing those who mishandle it. We expect to see many more court decisions that not only protect privacy, but also expand upon the tort of intrusion upon seclusion.

See Hopkins v. Kay, 2015 ONCA 112


This blog sets out a variety of materials relating to the law to be used for educational and non-commercial purposes only; the author(s) of this blog do not intend the blog to be a source of legal advice. Please retain and seek the advice of a lawyer and use your own good judgement before choosing to act on any information included in the blog. If you choose to rely on the materials, you do so entirely at your own risk.