Lawsuit may change health privacy law

By Staff

Toronto health lawyer Kate Dewhirst says a class-action lawsuit against Peterborough Regional Health Centre has the potential to change the face of health privacy law in Ontario and Canada.

"Health-privacy lawyers are watching this very closely," she tells

The key issue in the case, known as Hopkins v. Kay, is whether patients whose privacy has been breached can sue the hospital directly, reports the Toronto Star.

Erkenraadje Wensvoort, the lawsuit’s lead plaintiff, is one of 280 patients whose medical records were wrongfully accessed between 2011 and 2012, says the article.

She alleges in her amended statement of claim that she left an abusive relationship in 2011 after 51 years of marriage and went into hiding with an unlisted phone number and address, says the newspaper. A month later, she was admitted to Peterborough Regional Health Centre and her identity was supposed to be kept secret from everyone except those treating her, says the article.

"According to the claim, she was left paranoid and anxious when the hospital revealed years later that her medical records had been improperly accessed, and she worried that her husband had paid off a hospital employee in an attempt to find her," says The Star.

The hospital has since admitted the medical records were improperly accessed, apologized to the affected patients and fired the seven employees who were allegedly responsible, reports the newspaper.

The hospital, in its amended notice of appeal, argues the Superior Court has no jurisdiction to hear the lawsuit because under the province’s Personal Health Information Protection Act (PHIPA), personal health information privacy violations are solely the domain of the Ontario Information and Privacy Commissioner.

Dewhirst, principal at Kate Dewhirst Health Law, says Ontario has had health privacy legislation since 2004 and when a privacy breach occurs, an organization has the responsibility to tell everyone whose privacy has been negatively affected. Those affected individuals have the right to make a complaint to the organization and to the Information and Privacy Commissioner of Ontario.

"In the normal course after a privacy breach, an organization explains what happened and what it has done and will do to prevent a breach from happening again," she says. "In some cases, staff members responsible for a privacy breach will be fired. To date, there have not been any financial fines issued under PHIPA.

"In Hopkins v. Kay, this is the first time a court is considering whether individuals whose privacy has been breached in the health-care context can also sue for damages."

The Peterborough case comes at a time when the ability to sue someone for breach of privacy has been established in Ontario only since 2012.

In a landmark case, Jones v. Tsige, a Bank of Montreal employee sued a co-worker — her ex-husband’s new partner — for invading her privacy by repeatedly examining her personal bank account information, reports The Star. The Court of Appeal ruled her privacy had been breached and awarded $10,000 in damages, says the newspaper.

"The question in Hopkins v. Kay is whether that precedent — which created the new common law tort of “intrusion upon seclusion” — applies even though PHIPA provides an existing remedy to privacy breaches," says the article.

Dewhirst says the Peterborough case reminds the health-care system that it is everyone’s responsibility to protect health information.

"Breaches of privacy undermine therapeutic relationships and can have devastating personal consequences for patients and their families, and social consequences for our greater communities," she says. "It is essential that everyone working in health care make a commitment to respect privacy."

The lawyer also notes that the case raises the issue of financial impacts of privacy breaches in a publicly funded health system.

"If the plaintiffs are successful in Hopkins v. Kay, health-care organizations such as hospitals could be seriously financially exposed for the actions of their staff," she says. "Despite robust privacy-training efforts and the reinforcement of a culture of privacy, there have been rogue staff members in health-care organizations who access health information for their own purposes. Society may pay dearly for the poor choices and nefarious activities of a few."
