|
Privacy - PHIPA (Personal Health Information Protection Act)
MORE CASES
Part 2
. Hospital for Sick Children v. Ontario (Information and Privacy Commissioner) [security - s.12(2)]
In Hospital for Sick Children v. Ontario (Information and Privacy Commissioner) (Ont Div Ct, 2025) the Ontario Divisional Court dismissed a joint appeal/JR, this against a "decision of the respondent Information and Privacy Commissioner of Ontario" (IPC) where "the IPC found that privacy breaches had occurred, and that the Applicants had failed to comply with the requirement to notify affected individuals".
Here the court - in a JR 'reasonableness' and statutory interpretation context, considered whether a ransomware offender who blocked access to (but failed to themselves access) personal information, still 'used' it within the meaning of PHIPA s.12(2) [Security - Notice of theft, loss, etc. to individual]:C. The Applicants have not established that the IPC erred or was unreasonable in finding there was an unauthorized use of personal information
[82] The Applicants submit that in the Decisions, the IPC erred and was unreasonable in finding that there was an unauthorised “use” of personal information.
[83] As noted previously, the Applicants take issue with the use of the term “transform” when referring to the encryption process.
[84] In the Decisions, the adjudicator provided her “view that the transformation (by encryption) of the external containers also transforms the personal information housed within those containers—at a minimum, by making that personal [health] information unavailable and inaccessible to authorized users of that information”: SickKids Decision, at para. 40; Halton Decision, at para. 53. In the SickKids Decision, at para. 42, the IPC further explained that “this use of information occurs whether or not the threat actor actually views or accesses … or exfiltrates” the information: see also Halton Decision, at para. 54, to similar effect.
[85] In the SickKids Decision, at para. 40, the IPC found that the effect of making the personal health information unavailable was “a kind of ‘handling’ of or ‘dealing with’ that information” in accordance with the definition of “use” in PHIPA. As a result of this unauthorized “use”, the IPC found that the duty to notify in s. 12(2) of PHIPA applied: SickKids Decision, at para. 45.
[86] In the Halton Decision, at paras. 53-54, the IPC found that the effect of making the personal information unavailable to Halton was “a kind of ‘dealing with’ that information”, which it found to be a “use” of the information within the meaning of the CFSA. As a result, of this unauthorized “use”, the IPC found that the duty to notify in s. 308(2) applied: Halton Decision, at para. 56.
[87] In the Decisions, the IPC stated that it was adopting a “purposive” approach to interpretation of the notification requirement “that, in the context of a ransomware attack, contemplates notice to affected individuals where there has been an unauthorized action in respect of their personal [health] information”: SickKids Decision, at para. 52; Halton Decision, at para. 63. The IPC noted that it was consistent with the purposes of those statutory provisions that affected individuals be “notified of a third party’s malicious action” denying the custodian or service provider access to the information. In the Sick Kids Decision, at para. 53 (and to similar effect in the Halton Decision, at para. 64), the IPC continued:The purpose of the duty to notify in these circumstances is to inform individuals about the unauthorized action involving information that, in a fundamental sense, belongs to them. These individuals should be made aware if the custodian is not able to access their personal health information as a result of unauthorized activity, and of the risks associated with that activity. [Emphasis added.] [88] The Applicants submit that the IPC’s interpretation of “use” was not supported by the text, context or purpose of the statutory provisions. They say that the IPC’s interpretation appears to have put the desired outcome – that a cyberattack of this nature requires notification to individuals – before a proper construction of the provision at issue.
[89] Regarding the text of the notification provisions, the Applicants submit that in order to fall within the term “use” in the notification provisions, the “threat actors” must have interacted with the information directly. The Applicants say that this requirement follows from the correct interpretation of the term “use”, which requires consideration of whether the information has been “viewed” or “dealt with” or (in the case of PHIPA) “handled”. The Applicants argue that the grammatical and ordinary sense of those terms support the conclusion that for the personal information to be “used” it must be interacted with directly. The Applicants say that interpretation of the notification requirement also requires consideration of the information custodian’s obligations under s. 12(1) of PHIPA or s. 308(1) of the CYFSA to ensure that the records containing personal information are protected against “unauthorized copying, modification or disposal.” The Applicants note that there is no evidence that the information in the containers had in any way been viewed, accessed, copied, or modified. In these circumstances, the Applicants submit that the requirement to notify individuals is not engaged.
[90] Regarding the context of the notification provisions, the Applicants submit that the notice requirement’s purpose is to enable an individual to take protective steps to minimize the risk of harm of a privacy breach and to facilitate the exercise of their right to privacy by making a complaint to the IPC or by pursuing an action in Superior Court for actual harm stemming from the breach: see PHIPA, s. 65(1); CYFSA, s. 325(1). The Applicants argue that the attacks in question did not compromise the confidentiality of personal information or cause any harm to privacy interests. Therefore, there was nothing that needed to be rectified by way of a complaint or court proceeding. The Applicants says that finding a duty to notify in these circumstances is illogical and serves no purpose relevant to the objects of the provisions.
[91] Regarding the purpose of the notification provisions, the Applicants submit that the IPC’s interpretation of “use without authority” does not accord with the purpose of the provisions. According to the Applicants, that purpose relates to the protection of the privacy interest of affected individuals, rather than requiring notification of cyber attacks that do not impact their privacy interest. The impact of the ransomware attack was to make the individuals’ private information temporarily unavailable to the custodian or service provider. The Applicants say that there was little to no impact on the care or services they provided. They submit that in those circumstances, interpreting the attack as “use without authority” that triggers notification is not aligned with the objectives of the legislation and would impose an unnecessarily onerous burden on the Applicants.
[92] The OHA intervened in the judicial review applications and the appeal to support the Applicants’ position. The OHA submits that it is not appropriate to adopt a broad duty to notify about ransomware attacks where individuals’ data was not actually viewed, accessed or stolen by threat actors, and where the information was restored quickly such that all or almost all individuals were unaffected. The OHA says that it is important to avoid an interpretation of the requirement that results in useless, over-notification. They submit that such notifications do not advance the legislative purposes of protecting information confidentiality and personal privacy. Instead, such notifications can result in needless costs, can unnecessarily raise anxiety levels of affected individuals, and can lead to notification fatigue. The OHA says that avoiding an overly broad interpretation of the obligation to notify is particularly important where privacy legislation does not include a risk-based threshold (such as a real risk of significant harm [“RROSH”]) for notification to be required.[3]
[93] I have concluded that the Applicants have not demonstrated that the IPC erred or was unreasonable in finding that there was an unauthorized “use” of personal information that gave rise a requirement to notify affected individuals.
[94] With respect to the text of the provisions, I am not persuaded by the Applicants’ submission that the information must be interacted with directly in order for notification to be required. The Applicants base this argument on the obligation to take reasonable steps to protect against “unauthorized copying, modification or disposal”: PHIPA, s. 12(1); CYFSA, s. 308(1). The Applicants submit that those terms are meant to exemplify “uses” involving direct interaction with personal information. On the contrary, those terms demonstrate the opposite, namely, that uses can occur without direct interaction with the information. For example, physically destroying a hard drive that contains personal information disposes of that information, without any direct interaction with that information itself.
[95] With respect to context and purpose of the provisions, I do not agree with the Applicants that the only purpose of notification is to allow individuals to take steps to minimize the risk of harm resulting from the privacy breach or make a complaint to the IPC and pursue an action in Superior Court for actual harm.
[96] As explained below, while many Canadian privacy statutes contain a risk-based threshold for notification, PHIPA and the CYFSA do not require that a risk of harm to the individual be established for notification to be required.
[97] First, Legislatures use clear statutory language (such as RROSH) to indicate a risk-based notification threshold: see e.g. FIPPA, s. 40.1. There is no such language in PHIPA or the CYFSA.
[98] Second, the Applicants appear to assume (wrongly) that complaints under PHIPA and the CYFSA can be filed only by individuals who have been notified of a breach and wish to complain about the theft, loss, or unauthorized use or disclosure of their personal information. Unlike other privacy and access to information statutes that expressly link the right to file a complaint with notification,[4] PHIPA and the CYFSA do not. Any individual may file a complaint with the IPC when they have reasonable grounds to believe that any of the requirements applicable legislation have been or are about to be contravened: see PHIPA, s. 56(1); CYFSA, s. 316(1). As well, the right to pursue an action in Superior Court is not tied to notification: see PHIPA, s. 65; CYFSA, s. 325.
[99] While there is no dispute that advising individuals of risks is an important reason for notification, it is not the fundamental or only purpose of notification. For example, individuals who are notified of a breach can complain to the IPC that the information custodian did not comply with the security obligations in s 12(1) of PHIPA or s. 308(1) of the CYFSA. Doing so allows individuals to hold information custodians accountable for how they are protecting the individuals’ personal information.
[100] Another important purpose of the notification requirement is to enable the IPC to exercise its statutory authority to provide oversight of Ontario’s access to information and privacy laws, including to determine whether to conduct a review under s. 58(1) of PHIPA and s. 318(1) of the CYFSA. The Applicants argue that a ransomware attack that encrypts containers containing personal information is not an unauthorized use or loss of such information. I agree with the IPC’s submission that, if this argument were accepted by this court, it would unduly restrict the obligation imposed on information custodians to be transparent and accountable in relation to the expanding threat of cyber attacks of this nature. The absence of a requirement to notify in these circumstances also would interfere with the IPC’s ability to ensure that information custodians conduct a proper investigation to determine whether individuals’ personal information was compromised.
[101] I also disagree with the Applicants’ submission (supported by the OHA) that interpreting the cyber attack as “use without authority” that triggers notification is not aligned with the objectives of the legislation and would impose an unnecessarily onerous burden on the Applicants. They also raise the spectre of “over-notification” and “notification fatigue”.
[102] As the Decisions indicated, the IPC itself recognized that an “overly broad interpretation” of the notification requirement could lead to “notification fatigue on the part of the public, disproportionate costs to the [information custodian], and other unintended and undesirable consequences”: SickKids Decision, at para. 51; Halton Decision, at para. 62. However, the IPC went on find that the notification requirement was triggered in this case, adopting a “purposive” approach to interpretation of the provisions: SickKids Decision, at paras. 52-53; Halton Decision, at paras. 63-64. It is notable that the IPC characterized the purpose of notification as “to inform individuals of unauthorized activities involving information that, in a fundamental sense, belongs to them”: SickKids Decision, at para. 53; Halton Decision, at paras. 64.
[103] In doing so, the IPC recognized that affected individuals have a legitimate continuing interest in what happens to that information, which justifies notification for purposes beyond being alerted to risks of harm. This approach is consistent with other provisions of PHIPA and the CYFSA, which require notification of affected individuals if the information custodians use or disclose information contrary to their written public statements, even when they would be otherwise be legally authorized to use or disclose the information under those statutes: see PHIPA, s. 16; CYFSA, s. 311. That notification requirement is not tied to risk of harm. Rather, it recognizes the individuals’ continuing interest in their personal information and in ensuring that information custodians are transparent and accountable.
[104] Accordingly, I conclude the Applicants have not demonstrated that the IPC erred or was unreasonable in finding that there was an unauthorized “use” of personal information that gave rise a requirement to notify affected individuals. As a result, I conclude that the IPC did not err and was reasonable in finding that the Applicants were required by s. 12(2) of PHIPA or s. 308(2) of the CYFSA to notify individuals of the relevant ransomware attack. It follows that the judicial review applications and the appeal should be dismissed on the merits. . Folz v Algoma Family Services
In Folz v Algoma Family Services (Div Court, 2023) the Divisional Court considered a JR of IPC-PHIPA adjudication denials regarding requests for personal health information held by a child protection agency, specifically, information: "... made in relation to an intensive treatment program for the Applicant’s son". In these paragraphs, the court illustrates the complex legal interplay between PHIPA, FIPPA and MFIPPA (and more statutes) that can occur - especially since the 2020 amendments to them under the omnibus statute, the Economic and Fiscal Update Act, 2020 [paras 1-18].
. Martin (Estate) v Health Professions Appeal and Review Board
In Martin (Estate) v Health Professions Appeal and Review Board (Div Court, 2023) the Divisional Court considered a JR brought by a complainant after a "decision of the Inquiries, Complaints and Reports Committee (“ICRC”) of the College of Physicians and Surgeons (“CPSO”)" dismissed a complaint of the (estate of a now-deceased) patient that the doctor had inappropriately accessed medical records. The doctor claimed that the access was allowed under PHIPA s.37(1)(h), which reads:37(1) A health information custodian may use personal health information about an individual, ...
(h) for the purpose of a proceeding or contemplated proceeding in which the custodian or the agent or former agent of the custodian is, or is expected to be, a party or witness, if the information relates to or is a matter in issue in the proceeding or contemplated proceeding; In granting the JR, the court walks through the issue of authorized access to medical records thoroughly at paras 33-58 and paras 61-62.
. Hopkins v Kay
In Hopkins v Kay (Ont CA, 2015) the Court of Appeal considers the PHIPA (Personal Health Information Protection Act) scheme:(1) The legislative scheme
[12] PHIPA was adopted in 2004 following a lengthy process of proposals, draft bills and consultations triggered by Justice Horace Krever’s Report of the Commission of Inquiry into the Confidentiality of Health Information in Ontario (Toronto: Queen’s Printer, 1980).
[13] The purposes of PHIPA, stated in s. 1, are:(a) to establish rules for the collection, use and disclosure of personal health information about individuals that protect the confidentiality of that information and the privacy of individuals with respect to that information, while facilitating the effective provision of health care;
(b) to provide individuals with a right of access to personal health information about themselves, subject to limited and specific exceptions set out in this Act;
(c) to provide individuals with a right to require the correction or amendment of personal health information about themselves, subject to limited and specific exceptions set out in this Act;
(d) to provide for independent review and resolution of complaints with respect to personal health information; and
(e) to provide effective remedies for contraventions of this Act. [14] PHIPA is a lengthy and detailed statute comprised of seven parts and seventy-five sections dealing with the collection, use, disclosure, retention and disposal of personal health information. Part II specifies the required practices to be followed by custodians of personal health information to ensure accuracy and to protect confidentiality. If personal health information is stolen, lost or improperly accessed, subject to certain “exceptions and additional requirements”, the custodian is required to notify the individual at the first reasonable opportunity (s. 12(2)).
[15] Detailed requirements for obtaining consent to the collection, use and disclosure of personal health information are set out in Part III. Collection, use and disclosure are the subject of Part IV. Rights of access and correction are addressed in Part V.
[16] The provisions in Part VI deal with administration and enforcement. It is the purpose and effect of those provisions that lie at the heart of this appeal.
[17] The Commissioner is responsible for the administration and enforcement of PHIPA. The Commissioner is appointed under s. 4(1) of the Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. F.31 (“FIPPA”), and is an officer of the legislature. In addition to PHIPA and FIPPA, the Commissioner is also responsible for the administration and enforcement of the Municipal Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. M.56.
[18] The Commissioner has a broad mandate of public protection that enables him or her to conduct reviews under PHIPA in relation to the collection, use, disclosure, retention and disposal of records, as well as access to and correction of records. An individual who has reasonable grounds to believe that another person has or is about to contravene a provision of PHIPA may complain to the Commissioner (s. 56). Upon receipt of a complaint, the Commissioner may “inquire as to what means, other than the complaint, that the complainant is using or has used to resolve the subject-matter of the complaint” (s. 57(1)(a)), require the complainant “to try to effect a settlement” (s. 57(1)(b)), or authorize a mediator to review the matter and attempt to effect a settlement (s. 57(1)(c)).
[19] If the Commissioner takes none of these steps or if these steps fail to achieve a resolution of the complaint, the Commissioner has two options. First, “the Commissioner may review the subject-matter of a complaint made under this Act if satisfied that there are reasonable grounds to do so” (s. 57 (3)). The second option is specified in s. 57(4):The Commissioner may decide not to review the subject-matter of the complaint for whatever reason the Commissioner considers proper, including if satisfied that,
(a) the person about which the complaint is made has responded adequately to the complaint;
(b) the complaint has been or could be more appropriately dealt with, initially or completely, by means of a procedure, other than a complaint under this Act;
(c) the length of time that has elapsed between the date when the subject-matter of the complaint arose and the date the complaint was made is such that a review under this section would likely result in undue prejudice to any person;
(d) the complainant does not have a sufficient personal interest in the subject-matter of the complaint; or
(e) the complaint is frivolous or vexatious or is made in bad faith. [20] The Commissioner also has the power to conduct a self-initiated review of any matter where there are reasonable grounds to believe that there has been or is about to be a contravention of the Act (s. 58).
[21] The Commissioner is given extensive procedural and investigative powers in relation to complaints (ss. 59-60) and the power to make a variety of orders following a s. 57 or 58 review (s. 61). The Act gives the complainant the right to make representations to the Commissioner (s. 60(18)) but does not contemplate a formal adversarial hearing for the resolution of complaints. An appeal from the Commissioner’s order on a question of law lies to the Divisional Court (s. 62).
[22] Orders of the Commissioner may be filed with the Superior Court whereupon they become enforceable as a judgment of the court (s. 63).
[23] The possibility of recovering damages as a result of a breach of PHIPA is the subject of s. 65:65.(1) If the Commissioner has made an order under this Act that has become final as the result of there being no further right of appeal, a person affected by the order may commence a proceeding in the Superior Court of Justice for damages for actual harm that the person has suffered as a result of a contravention of this Act or its regulations.
(2) If a person has been convicted of an offence under this Act and the conviction has become final as a result of there being no further right of appeal, a person affected by the conduct that gave rise to the offence may commence a proceeding in the Superior Court of Justice for damages for actual harm that the person has suffered as a result of the conduct.
(3) If, in a proceeding described in subsection (1) or (2), the Superior Court of Justice determines that the harm suffered by the plaintiff was caused by a contravention or offence, as the case may be, that the defendants engaged in wilfully or recklessly, the court may include in its award of damages an award, not exceeding $10,000, for mental anguish. [24] The Commissioner is also given broad general powers to conduct research and provide information to the public in relation to the matters covered by PHIPA (s. 66).
[25] Part VII, headed “General”, contains two provisions relevant to the issue raised on this appeal. Section 71 confers immunity upon entities or individuals exercising (or intending to exercise) powers and duties under PHIPA for good faith acts or omissions that were reasonable in the circumstances:71.(1) No action or other proceeding for damages may be instituted against a health information custodian or any other person for,
(a) anything done, reported or said, both in good faith and reasonably in the circumstances, in the exercise or intended exercise of any of their powers or duties under this Act; or
(b) any alleged neglect or default that was reasonable in the circumstances in the exercise in good faith of any of their powers or duties under this Act.
(2) Despite subsections 5(2) and (4) of the Proceedings Against the Crown Act, subsection (1) does not relieve the Crown of liability in respect of a tort committed by a person mentioned in subsection (1) to which it would otherwise be subject. [26] Finally, s. 72 makes it a summary conviction offence to, inter alia, wilfully collect, use or disclose personal health information in contravention of the Act (s. 72(1)(a)), punishable by fine of up to $50,000 for individuals and $250,000 for institutions (s. 72(2)). Pursuant to s. 72(5), only the Attorney General or agent for the Attorney General may commence such a prosecution.
(2) Does PHIPA create an exhaustive code governing patient records that precludes common law claims for breach of privacy and ousts the jurisdiction of the Superior Court?
[27] The Hospital and Ms. Edgerton-Reid, supported by the OHA, submit that PHIPA amounts to a comprehensive code that reflects a careful legislative attempt to balance various conflicting interests. They contend that PHIPA’s careful balance would be disturbed if claims based on Jones v. Tsige were entertained by the courts in relation to personal health information. Permitting these common law claims would, according to the appellants, contradict the statutory scheme, defeat the intention of the legislature and undermine the policy choices embodied in PHIPA.
[28] My analysis is two-fold. First, I consider whether a legislative intention to create an exhaustive code can be inferred from the language of PHIPA. Second, I address the jurisprudence raised by the appellants in support of their contention that PHIPA ousts the jurisdiction of the Superior Court.
(i) Did the legislature intend to create an exhaustive code?
[29] Ruth Sullivan, in Sullivan on the Construction of Statutes, 6th ed. (Markham, Ont.: LexisNexis Canada, 2014), at para. 17.20, explains the characteristics of an exhaustive code as follows: “The key feature of a code is that it is meant to offer an exclusive account of the law in an area; it occupies the field in that area, displacing existing common law rules and cutting off further common law evolution.” She notes, at para. 17.34, that “if legislation constitutes a complete code, resort to the common law is impermissible.” See also Beiko v. Hotel Dieu Hospital St. Catherines, 2007 ONCA 860, at para. 4; Cuthbertson v. Rasoulli, 2013 SCC 53, [2013] 3 S.C.R. 341, at paras. 2-4. If PHIPA does constitute an exhaustive code, the court has no jurisdiction to entertain the claim advanced by the respondent and it must be struck.
[30] An intention to create an exhaustive code may be expressly stated in the legislation or it may be implied. As there is nothing explicit in PHIPA dealing with exclusivity, the question is whether an intent to exclude courts’ jurisdiction should be implied. In Pleau v. Canada (A.G.), 1999 NSCA 159, 182 D.L.R. (4th) 373, leave to appeal refused, [2000] S.C.C.A. No. 83, Cromwell J.A. explained, at para. 48: “Absent words clear enough to oust court jurisdiction as a matter of law, the question is whether the court should infer… that the alternate process was intended to be the exclusive means of resolving the dispute.”
[31] Cromwell J.A. identified three factors that a court should consider when discerning whether there is a legislative intent to confer exclusive jurisdiction. First, a court is to consider “the process for dispute resolution established by the legislation” and ask whether the language is “consistent with exclusive jurisdiction”. Courts should look at “the presence or absence of privative clauses and the relationship between the dispute resolution process and the overall legislative scheme”: Pleau, at para. 50 (emphasis in original).
[32] Second, a court should consider “the nature of the dispute and its relation to the rights and obligations created by the overall scheme of the legislation”. The court is to assess “the essential character” of the dispute and “the extent to which it is, in substance, regulated by the legislative… scheme and the extent to which the court’s assumption of jurisdiction would be consistent or inconsistent with that scheme”: Pleau, at para. 51 (emphasis in original).
[33] The third consideration is “the capacity of the scheme to afford effective redress” by addressing the concern that “where there is a right, there ought to be a remedy”: Pleau, at para. 52 (emphasis in original).
[34] These three factors provide a useful framework for considering the question posed on this appeal.
(a) The language of PHIPA and the process it establishes
[35] There can be no doubt that PHIPA lays down an elaborate and detailed set of rules and standards to be followed by custodians of personal health information. I accept former Commissioner Ann Cavoukian’s description of PHIPA as a “comprehensive set of rules about the manner in which personal health information may be collected, used, or disclosed across Ontario’s health care system”: Commissioner’s PHIPA Highlights (Toronto: Information and Privacy Commissioner/Ontario, March 2005).
[36] PHIPA also includes among its purposes the “independent review and resolution of complaints with respect to personal health information” and the provision of “effective remedies for contraventions” of the Act. The Act gives the Commissioner certain powers in this regard.
[37] While PHIPA does contain a very exhaustive set of rules and standards for custodians of personal health information, details regarding the procedure or mechanism for the resolution of disputes are sparse. At para. 28 of the Commissioner’s factum, the review process is described as “inquisitorial in nature”. The Act essentially leaves the procedure to be followed to the discretion of the Commissioner. Reviews are generally conducted in writing. There is no requirement to hold an oral hearing, and therefore the fundamental features of an adversarial system, such as cross-examination, are absent. The Act gives complainants no procedural entitlements beyond the right to make representations. Pursuant to s. 59(1) of the Act, the usual procedural rights pertaining to administrative hearings granted by the Statutory Powers Procedure Act, R.S.O. 1990, c. S.22, do not apply.
[38] The nature of the process established by PHIPA indicates that it was designed to facilitate the Commissioner’s investigation into systemic issues. While that process can be triggered by an individual complaint, the procedure is not designed for the resolution of all individual complaints. This coincides with the Commissioner’s policy, discussed in greater detail below, to give priority to complaints raising systemic issues.
[39] I now turn to the specific language of the Act. Section 57(4)(b) provides that one of the factors to be considered by the Commissioner when deciding whether or not to investigate a complaint is whether “the complaint has been or could be more appropriately dealt with, initially or completely, by means of a procedure, other than a complaint under this Act.” On its face, s. 57(4)(b) specifically contemplates the possibility that complaints about the misuse or disclosure of personal health information may properly be the subject of a procedure that does not fall within the reach of PHIPA. In my view, the language of s. 57(4)(b) is difficult to reconcile with the proposition that the complaint procedure under PHIPA is exhaustive and exclusive.
[40] The appellants argue that s. 57(4)(b) contemplates proceedings such as complaints to a professional college where a doctor or nurse has misused patient information. No doubt, professional complaints of that nature are covered by s. 57(4)(b). However, the very fact that PHIPA contemplates the resolution of disputes regarding personal health information by other tribunals undermines the argument in favour of exclusivity. Moreover, the appellants offer no explanation as to why we should limit the language of s. 57(4)(b) to one kind of tribunal and exclude the Superior Court, especially in relation to a claim that is not based on any rights conferred by PHIPA.
[41] I also read s. 71, the immunity provision, as explicit recognition that there could be proceedings relating to improper use or disclosure of personal health information other than those specifically contemplated by PHIPA. That provision provides immunity in an “action or other proceeding for damages” where there has been an attempt at good faith compliance with the provisions of the Act. In my view, this language indicates that the legislature did contemplate the possibility of a common law action for damages in the courts.
[42] Further, to the extent PHIPA does provide for individual remedies, it turns to the courts for enforcement. The Commissioner has no power to award damages. It is only by commencing a proceeding in the Superior Court following an order of the Commissioner that an individual complainant can seek damages, pursuant to s. 65.
[43] The appellants and the OHA argue that s. 65 demonstrates that the legislature turned its attention to the role of the courts and specifically limited their jurisdiction to assessing damages, hearing appeals on points of law and entertaining applications for judicial review.
[44] I disagree. In my view, the only conclusion that can be drawn from the role recognized for the courts under s. 65 is that the Commission was not intended to play a comprehensive or expansive role in dealing with individual complaints.[45] I conclude that PHIPA provides an informal and highly discretionary review process that is not tailored to deal with individual claims, and it expressly contemplates the possibility of other proceedings.
|
