In Canada personal health information is regarded as intrinsically private and deserving of protection. This is reflected by the fact that all but two common law provinces have enacted sector specific health legislation. Privacy legislation is generally focused on setting privacy standards and enforcing them. This article focuses on the common law provinces and their regulation of health information privacy and the interaction with the privacy tort of intrusion upon seclusion. Although this article will focus on intrusion upon seclusion, in the past, and currently, traditional torts, equity, and contract law have been pressed into service, sometimes awkwardly and sporadically, to protect health information. Unlike other remedial legislation, privacy legislation does not occupy the field when it comes to protection of health information leaving a developing relationship between privacy legislating and privacy torts.
What is Health Information?
The term health information is generally used in legislation to capture a wider breadth than the traditional information that passes between a person and his/her physician. For example, in regards to health, PIPEDA sets out its own definition of “personal health information”:
personal health information, with respect to an individual, whether living or deceased, means
(a) information concerning the physical or mental health of the individual;
(b) information concerning any health service provided to the individual;
(c) information concerning the donation by the individual of any body part or any bodily substance of the individual or information derived from the testing or examination of a body part or bodily substance of the individual;
(d) information that is collected in the course of providing health services to the individual; or
(e) information that is collected incidentally to the provision of health services to the individual.
personal information means information about an identifiable individual.
Health information and privacy have become intertwined in statue, case law, and the Canadian Charter of Rights and Freedoms (Charter). In case law, health information privacy rights have been grounded in both s 7 and s 8 of the Charter. In regards to s 8 the Supreme Court of Canada noted in R v Dyment:
In modern society, especially, retention of information about oneself is extremely important. We may, for one reason or another, wish or be compelled to reveal such information, but situations abound where the reasonable expectations of the individual that the information shall remain confidential to the persons to whom, and restricted to the purposes for which it is divulged, must be protected.
The court in R v Plant went further and grounded privacy as a right of dignity and autonomy:
In fostering the underlying values of dignity, integrity, and autonomy, it is fitting that s. 8 of the Charter should seek to protect a biographical core of personal information which individuals in a free and democratic society would wish to maintain and control from dissemination to the state. This would include information which tends to reveal intimate details of the lifestyle and personal choices of the individual.
Regarding s 7 of the Charter, the SCC in relation to discovery of therapeutic records in a sexual assault case held, “Respect for individual privacy is an essential component of what it means to be ‘free’. As a corollary, the infringement of this right undeniably impinges upon an individual’s ‘liberty’ in our free and democratic society”. Consequentially, health information privacy is constitutionally protected and therefore should be accorded great weight when it is breached.
Obviously, the rights above are only enforceable against the government. However, the common law must evolve with Charter values. Notably, in Hill v Church of Scientology of Toronto, the Court held that privacy should be considered a Charter value. Therefore, when approaching a breach of health information in the private context, the values of dignity, integrity, autonomy, and their violation should be taken into account. It follows that the violation of these values should be considered when assessing the severity of health information breaches.
Overview of Privacy Legislation Governing Health Information
Canadian privacy legislation can generally be described as a tangled mesh of provincial and federal legislation targeting government-controlled information and commercial information. To complicate matters, certain types of information, such as health information in some jurisdictions, have been carved off into their own statues. To further complicate things, theoretically, in some jurisdictions both federal and provincial legislation applies. An analysis of each of each jurisdiction’s privacy landscape regarding health information is below. Further, each description will note how health information breaches can be addressed. The purpose of this synopsis is to illustrate the differing privacy landscapes as well as the differing ability, if any, to redress health information breaches from jurisdiction to jurisdiction.
Federal Privacy Regulation
i) Government Held Health Information
At the federal level “personal information” held by the government on its citizens is subject to the Privacy Act. This definition is broader than that of personal health information. The Privacy Act establishes an “individual’s right to access and correct personal information the Government of Canada holds about them or the government’s collection, use, and disclosure of their personal information in the course of providing services”. An individual who feels his/her information was accessed improperly, used, or disclosed can make a complaint to the Privacy Commissioner. However, the commissioner can only make recommendations to government bodies. Additionally there is only a statutory right of appeal on refusals of access to information. Unlike other provincial acts that regulate information held by government bodies, the Privacy Act does not provide for any penalties against a person who breaches the act. Consequently, applicants who want to seek damages are left with a common law claim. Notably a statutory breach is not a tort in and of itself, and can only be used as evidence for a common law claim. Further, the common law tort of intrusion upon seclusion has yet to be adopted by the federal courts, therefore, complainants may have a hard time arguing this tort.
ii) Commercial Sphere Health Information Regulation
The main foray into protecting privacy in the commercial sphere was the introduction of the Personal Information Protection and Electronic Documents Act (PIPEDA) by the Federal government in 2000. The government relied on its trade and commerce power to enact this legislation. The Act governs the collection, use, and disclosure of information for “commercial activity”. This legislation applies to all intra-provincial information and all information crossing provincial boundaries.  PIPEDA does contain a statutory path to damages on appeal from the privacy commissioner via s 16(2): “award damages to the complainant, including damages for any humiliation that the complainant has suffered”. Damage awards via this path ranged from $0 to $5,000, with one exceptional case being awarded $20,000.  For a more detailed on the article on the subject see my post here.
In regards to health information, Jennifer Stoddart, former Privacy Commissioner of Canada, quipped, “You can be forgiven if you remain somewhat confused about what constitutes a commercial activity! It is not always clear, particularly in the health care sector.” The federal government has intimated that a self-employed health practitioner, such as a doctor, dentist, or chiropractor, would be covered under PIPEDA. It has also suggested that a provincially-run hospital would not be considered to engage in a commercial activity, even if it was charging for a private rooms or special services such as creating a fibre glass cast. However, the courts have defined commercial activity by characterizing the “primary activity” in question and not the common activities or general characteristics of the organization. Therefore, this analysis will need to be carried out to determine if the activity is commercial and thus falls under PIPEDA.
Since collection, use, and disclosure of information also falls under the provincial heads of power of property and civil rights and matters of local nature, the provinces have also delved into the field. In consequence, the provinces are able to set in place intra-provincial provincial legislation that occupies the field if the provincial legislation is deemed “substantially similar”.
Provincial Health Privacy Regulation
Provinces have taken different paths when approaching regulating health information. Some province have enacted sector specific health information that carves out health privacy from both the private and public context and situates it under one statute. Other jurisdictions rely on a commercial activity (ie. PIPEDA or a provincially created commercial privacy statue) and privacy legislation for publicly held records (commonly referred to as Freedom of Information Privacy Protection Acts [FOIPOP or FOIPOPA]). Notably, some of the health information statues have not been declared “substantially similar.” In this situation, theoretically a claimant could make a complaint about a commercial actor to either the provincial health information statue or PIPEDA. Additionally, a few jurisdictions have enacted a statutory tort for breach of privacy. Some jurisdictions have upheld both common law privacy torts and statutory torts while others have held there is no common law privacy torts at all. While still others appear to have no privacy torts at all.
Alberta has sector specific health legislation that has not been declared “substantially similar”. Under the health legislation the Privacy Commissioner’s orders are binding and final. Generally, an individual who contravenes the act is liable for a maximum fine of $10,000 and a corporation up to $500,000. The Alberta Supreme Court in Martin v General Teamsters, Local Union No. 362 held that there was no common law tort of invasion of privacy.  This leaves Alberta with neither a statutory privacy tort nor a common law privacy tort.
ii) British Columbia
British Columbia (BC) has general legislation that stands in the place of PIPEDA, which has been declared “substantially similar.”  Therefore, health information existing in the private sector is regulated by the provincial commercial privacy act. The Privacy Commissioner’s orders are binding. Contravention of the act is subject to a maximum $10,000 fine for a person and $100,000 maximum for a corporation. Also if the act has been contravened and the Privacy Commissioner has made a final order, or there has been a conviction, the act establishes a cause of action for “for actual harm that the individual has suffered as a result of the breach by the organization of obligations under this Act.”
Government health records are regulated by the Freedom of Information and Protection of Privacy Act (FOIPOPA), which covers “personal information” held by government bodies.  Contravention of the BC FOIPOP carries a maximum fine of $5,000. An order by the Privacy Commissioner is binding on government departments. Additionally, BC has specific legislation governing government-held electronic health records.
British Columbia has a statutory privacy tort via the Privacy Act (For a more detailed look on statutory privacy torts see the post here). Notably, in Mohl v University of British Columbia, the Court of Appeal held that the common law tort of intrusion of seclusion does not exist. Therefore privacy torts are only actionable via the statutory route in BC.
Manitoba (MB) has a sector specific health information statue that has not been declared “substantially similar.” In MB, the Privacy Commissioner’s orders are binding. Contravention of the health legislation carries a maximum penalty of $50,000 for both an individual and a corporation. Manitoba also has a statutory privacy tort. However, in 2015 the MB Court of Appeal did not strike out a pleading of intrusion upon seclusion.
iv) New Brunswick
New Brunswick (NB) has sector specific health legislation that has been declared “substantially similar.” The Privacy Commissioner’s orders are not binding and can be appealed to a superior court. In NB, contravention of the health act has a maximum penalty of $10,200. New Brunswick does not have a statutory privacy tort, however, a pleading has recently been allowed containing the common law tort of intrusion upon seclusion.
v) Newfoundland and Labrador
Newfoundland and Labrador (NFLD) has only sector specific health legislation that has been declared “substantially similar.” The Privacy Commissioner’s findings are not binding and an appeal exists to a superior court. In NFLD, the maximum fine for contravention of the act is $10,000 or a six month term of imprisonment, or both. Also, NFLD has a statutory privacy tort (For a more detailed look on privacy torts see the post here). However, pleadings containing the common law tort of intrusion upon seclusion have been approved.
vi) Nova Scotia
In Nova Scotia (NS), there is no general privacy statue that acts in place of PIPEDA and the health information statue has not been declared “substantially similar.” The Privacy Commissioner’s orders are not binding and an appeal to a superior court exists. Contravention of the health Information act has a maximum penalty of $10,000 or imprisonment for six months, or both for an individual and a maximum penalty of $50,000 for a corporation. Intrusion upon seclusion has been pleaded in a few cases in NS, but no decision has cemented the tort into law yet.
Ontario (ON) has sector specific health legislation that has been declared “substantially similar”. The orders of the Privacy Commissioner are binding, however, there is statutory right of appeal is only on issues of law. In ON, contravention of the act has a maximum fine of $50,000 for a person and $250,000 for a corporation. Ontario also has set out a route for damages within its health statue. After the privacy commissioner has made a final order, or the offender has been convicted of a breach of the action, the claimant can commence a proceeding in superior court via s 72(3) for “actual harm that the person has suffered”. The harm must have been caused “willfully or recklessly”, however, “mental anguish” damages are capped at $10,000. Additionally, Ontario also has at least two common law privacy torts (intrusion upon seclusion and appropriation of personality) and likely a third publication of embarrassing private facts.
viii) Prince Edward Island
Prince Edward Island (PEI) has no private sector or health sector legislation and thus it is subject to PIPEDA. Notably, PIPEDA generally has no penalties for violation of the act. The Privacy Commissioner’s orders are not binding, however, the parties or the commissioner, with consent of the compliant, can apply to the court to enforce the order. However, once the complaint is referred to the Privacy Commissioner, PIPEDA allows complainants to apply to the court to enforce the Privacy Commissioner’s recommendations and force the organization to publish the changes it makes to address the Privacy Commissioner’s findings and award damages to the complainant. Awarding damages to a complainant is discussed in detail below. Any government held “personal information” is subject to PEI’s Freedom of information and Protection of Privacy Act. The Privacy Commissioner’s order is binding, upon registration with the superior court, and no appeal exists. Breach of the statue is an offence with a fine of not more than $10,000.
Saskatchewan (SK), has a health information statue that has not been declared “substantially similar.” The Privacy Commissioner’s orders are not binding and an appeal to superior court exists. The health information act sets a $50,000 fine for violation by an individual, one year of imprisonment, or both and a maximum fine of $500,000 for a corporation. Saskatchewan also has a statutory privacy tort (For a more detailed look on privacy torts see the post here).
Intrusion upon Seclusion and Health Privacy Developments
The general trend of intrusion to seclusion is the certification of class action proceedings against health providers whose employees have accessed or disclosed health information improperly. Below is a canvass of the developing case law regarding intrusion upon seclusion and health information.
In the Federal jurisdiction, R. V. John Doe involves a class action certification by members of Health Canada’s Marijuana Medical Access Program that received over-sized envelopes with the identifying program as a return address. In sum, the claim is that Health Canada has identified the program’s recipients to other individuals. The Court of Appeal held that the pleading of intrusion upon seclusion was bound to fail as the pleading did not the material facts to make out the elements of the tort. However, we can glean from the analysis that the tort is not outright precluded in the federal sphere.
In Alberta, the case of Martin v. General Teamsters, Local 363, the plaintiff pleaded intrusion upon seclusion of her health information by her employer among other more serious pleadings such as sexual battery. The court quoting the BC case of Mohl v. University of British Columbia held there was no common law privacy tort in Alberta. This holding has some frailties as Mohl was decided by the BC Court of Appeal in light of the BC statutory privacy tort.  Whereas Alberta has no statutory privacy tort to fill this void.
In Manitoba, the Court of Appeal in Grant v. Winnipeg Regional Health Authority, dealt with the issue of whether a family of a deceased could claim intrusion upon selusion. In this case, the deceased died in a hospital after a prolonged period time. In response, the hospital set up a media campaign to argue there was no wrong doing on their part. However, the hospital utilized health information details of the deceased patient to mount this campaign. The family sued for negligent disclosure of health information. The court in reviewing the pleading took note of the development of intrusion upon seclusion, and noted it is not precluded by the Manitoba statutory privacy tort, and also noted health privacy legislation did not preclude a claim of this type. The Court of Appeal recognized that there are legitimate questions about if there is “sufficient proximity to the victim [the deceased patient’s family] in a tort context and are therefore able to advance a claim in their own right, remains an open question.” The Court of Appeal went on to refer the case back to the motions judge to give leave to the Plaintiff to amend their pleadings to specifically claim “breach of confidence or intrusion up seclusion or publicity, using the facts set out in the statement of claim.”
iv) New Brunswick
In New Brunswick, there is only once case, Little v Regional Health Authority B, which has claimed intrusion upon seclusion as a cause in class action. In this case the hospital failed to properly sterilize instruments for performing a colposcopy. Upon discovering this information, the hospital informed the patients. The class claimed the method in which this information was communicated was an intrusion upon seclusion. Interestingly, this class also includes matrimonial and non-matrimonial partners of the program particpants. If this case goes forward will be interesting how the court deals with improper disclosure of health information of an individuals and the nock off effects on the partners right to privacy.
v) Newfoundland and Labrador
In Newfoundland and Labrador there is one class proceeding that has been certified on breach of health information on both the basis of that statutory tort of privacy and the common law tort of intrusion upon seclusion. In Hynes v. Western Regional Integrated Health Authority, a hospital employee improperly accessed the file of 1,043 individuals. If this case, goes forward it will be interesting to see how the case law develops in relation two the statutory tort and the common law tort. Which may have interesting precedential value for the other provinces that have both the statutory privacy tort and the potentially the tort of intrusion upon seclusion as well.
vi) Nova Scotia
In Nova Scotia, there are at least two class action proceedings based on the tort of intrusion upon seclusion against health providers. In Heameon v. South West District Health Authority, the class claim is in regard to a hospital employee’s improper access of health records. In Capital District Health Authority v. Murray, the class claim is that a hospital strip searched patients in violation of s.8 of the Charter and committed the tort of intrusion upon seclusion. This case is unique as thus for in Canada intrusion upon seclusion has been based largely on informational breaches as opposed to physical breaches.
In Ontario the Court of Appeal in Hopkins v Kay addressed a novel issue raised by a class proceeding of potentially 280 patients against a hospital for improper access of medical information by a nurse.  The Court held that an applicant can seek redress for damages through both intrusion upon seclusion and via s 65(1) of the Personal Health Information Protection Act (PHPIA) which provides compensation for wilful or reckless harm and no more than $10,000 in compensation for mental anguish. In Daniells v. McLellan the court dealt with a class certification where in 5,803 had their health information improperly accessed by a nurse of a hospital.