It is fair to assume that the personal health information provided to medical professionals is kept confidential. Medical professionals and institutions set up policies and procedures to ensure that...
It is fair to assume that the personal health information provided to medical professionals is kept confidential. Medical professionals and institutions set up policies and procedures to ensure that the information is collected, stored, and used in an appropriate manner and in compliance with privacy regulations. Recently, an individual took The Queensway Carleton Hospital to Court alleging that their procedure for surgery bookings caused her significant damages.
The facts of this case are straightforward. The Plaintiff was told that she required surgery. While waiting for a date for the surgery, she received a paper surgical booking package that she had to complete. The Plaintiff testified that she dropped off the completed booking package in the Hospital’s drop box. However, about a week later, it was returned to her by Canada Post. Despite the Plaintiff’s complaints, no one from the Hospital accepted responsibility for the misplaced booking records. The Information and Privacy Commissioner of Ontario was unable to make a determination regarding who was responsible for the privacy breach. The Plaintiff commenced a claim for damages for intrusion upon seclusion, breach of confidence, and public disclosure of embarrassing facts. She also sought punitive damages.
The Court found, on a balance of probabilities, that the Hospital received the records and they were misplaced. The Plaintiff relied on three causes of action to support her claim – intrusion upon seclusion; breach of confidence; and, public disclosure of embarrassing facts.
In dealing with intrusion upon seclusion, the Court found that a single act of inadvertence, assuming that was what happened, was not sufficient to prove recklessness. In fact, the Court found that the Hospital’s protocol for handling booking records did not create an obvious or serious risk. The Court found that the system worked quite well despite this one instance. There was not a deliberate and significant invasion of personal privacy as required in order to satisfy the threshold for damages.
Second, to establish the tort of breach of confidence, the Plaintiff had to show that the Hospital made unauthorized use of her booking record and misused it to her detriment. Once again, the Court found that this claim was not satisfied, as there was insufficient evidence that the Hospital misused the booking record.
Third, the Court found that the tort of public disclosure of embarrassing facts was not established. There was no evidence that the Hospital “published” the booking record or that the records were deliberately made publicly available. The evidence showed that the record could only be seen by postal workers in Montreal to determine where the record should be returned to. This was not sufficient to establish damages.
The Court considered the provisions of the Personal Health Information Protection Act. Section 71(1)(b) provides a statutory immunity for health information custodians where there has been an attempt at good faith compliance with the Act. The Court found that the evidence did not establish that the Hospital’s use of surgical booking packages was unreasonable. Additionally, there was no evidence that there had been any issues with other booking records, either before or after this incident.
Finally, the Court considered whether the Claimant was entitled to damages based on her “humiliation, anxiety and distress” arising from the receipt of the envelope for Canada Post which contained the booking records. The Plaintiff did not establish, on a balance of probabilities, that she suffered anxiety or psychological upset that rose to the level of requiring compensation. Similarly, there was no high-handed, arrogant or contumelious behaviour on the Hospital’s part that would warrant a finding of punitive damages.
Hospitals are particularly vulnerable to privacy claims – they are required to gather a significant amount of personal health information in a very short period, store and protect that information, and use it in an appropriate way. Healthcare organizations must implement robust safeguards and procedures to ensure their patients’ information is properly collected, used, and disclosed. Taking these reasonable steps will lower an organization’s financial and litigation risk. A good place to start is creating privacy policies or hiring an experienced counsel to review existing policies and their implementation.
The Ontario Court of Appeal has held that business interruption claims are not subject to a rolling limitation period.
In Marvelous Mario's Inc. v. St. Paul Fire, the appellant insureds commenced two actions claiming insurance coverage under a commercial insurance policy issued by the insurer respondent. That policy covered “direct loss from any Peril”, including business interruption loss and loss of property due to theft or wrongful handling.
The trial judge dismissed the First Action in its entirety, finding those claims were not covered under the policy. In the Second Action, the trial judge dismissed the property claim as time-barred, but allowed the business interruption claim to proceed in part. She held that business interruption claims were subject to a “rolling limitation period” and that some of those claims were preserved. She reasoned:
 For the reasons set out above, the second claim, being the claim for business interruption losses, commenced latest on the day the sale to Amore Sweets closed. It was at that time that the plaintiffs knew or had the means of acquiring the knowledge that they had a claim for business interruption losses arising out of the loss of their property.
 However, a claim for business interruption losses is, by its nature, an ongoing claim. As the Saskatchewan Court of Appeal stated in Treeland Motor Inn Ltd. v. Western Assurance Co., 1985 CarswellSask 165 (Sask C.A.) at para. 4, the alleged interruption of the plaintiffs’ business might have commenced with a particular event (in that case, a fire; in this case, the closing of the sale to Amore Sweets) “but continued to accrue from day to day thereafter, and cannot therefore be said to have “occurred” on the day of the event which triggered it”.
 In effect, the plaintiffs’ business interruption claim is subject to a rolling limitation period. A new claim accrues each day for the business losses sustained that day. I thus conclude that the plaintiffs’ claim for business interruption (to the extent it can be proven in the next phase of this trial) beginning one year before the commencement of the second action is not out of time - that is, the business interruption losses suffered commencing November 16, 2001 are not barred by reason of the contractual limitation period. To the extent the plaintiffs seek recovery for business interruption losses they suffered before November 16, 2001, those claims were not advanced within the contractual limitation period and are therefore barred. [emphasis added]
The insureds appealed on the other issues and the insurer cross-appealed on the rolling limitation issue.
The Court of Appeal dismissed the appeals but allowed the cross-appeal. The Court acknowledged that there were no cases directly on point on whether business interruption claims were subject to a rolling limitation period. Accordingly, the Court considered “first principles”:
The jurisprudence suggests that a rolling limitation period may apply in a breach-of-contract case in circumstances where the defendant has a recurring contractual obligation. The question is not whether the plaintiff is continuing to suffer a loss or damage, but whether the defendant has engaged in another breach of contract beyond the original breach by failing to comply with an ongoing obligation. In cases where there have been multiple breaches of ongoing obligations, it is equitable to impose a rolling limitation period. [emphasis added]
The Court found:
[T]he policy covered business interruption losses and the respondent was obliged to pay those losses in their totality, subject to any limits in the policy. The fact that there was a 24-month cap on the business interruption losses does not convert the respondent’s obligation to indemnify into a recurring contractual obligation. Therefore, this was not a proper case for the application of a rolling limitation period.
It followed that the limitation period for the business interruption claims started on the day the insureds knew that they had suffered a loss or damage. The fact that the extent of damages may not have been known with precision did not stop the commencement of the limitation period.
This is the first Ontario decision that has considered whether business interruption claims are subject to a rolling limitation period.
Facebook has made history today, but not in a good way. The US Federal Trade Commission (“FTC”) announced this morning that Facebook will pay a record-breaking $5 billion penalty, submit to new restrictions, and modify the company’s corporate structure to settle the charges that the company violated a 2012 FTC order. Not only is this the largest penalty in FTC history but it is also almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide.
In making this determination, the FTC Chairman, Joe Simons, explained “[d]espite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices.” The underlying 2012 order included a prohibition that Facebook make misrepresentations about the privacy or security of consumers’ personal information or the extent to which this information was shared to third parties. It also required Facebook to maintain a reasonable privacy program that safeguarded the privacy and confidentiality of user information.
The FTC’s new 20 year settlement order will require Facebook to establish an independent privacy committee that will be appointed by an independent nominating committee. In addition, Facebook will be required to designate compliance officers who have to submit FTC quarterly certifications that the company is in compliance with the privacy program mandated by the FTC order. An annual certification must also be completed. Not only will the certifications need to be made by compliance officers, but they will also have to be endorsed by Facebook’s CEO, Mark Zuckerberg. Any false certification will subject the parties to individual civil and criminal penalties.
The order also strengthens external oversight of Facebook and provides that an independent third party assessor will evaluate the effectiveness of the privacy program and identify any gaps. The assessor will not simply rely on the assertions made by Facebook’s management. The third party assessor’s biennial assessments of the company’s privacy program must be based on the assessor’s independent fact gathering, sampling and testing. The third party assessor must also report to the privacy committee on a quarterly basis.
The privacy program covers not only Facebook but also WhatsApp and Instagram. Any new or modified product, service or practice must undergo a privacy review before it is launched. Any decisions about privacy in these circumstances must be documented.
There are also positive obligations in the event of a data breach. Specifically, the order requires Facebook to document incidents where the data of 500 or more users have been compromised. The company must also document what efforts it made to address the incident. This information must be sent to the FTC and the third party assessor within 30 days.
Other requirements of the Order include:
Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data;
Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising;
Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users;
Facebook must establish, implement, and maintain a comprehensive data security program;
Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext; and,
Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.
Most notably, Facebook agreed with the FTC settlement. Facebook will be actively and voluntarily engaged in revising their privacy policies and procedures. This stands in stark contrast to their behavior following the Office of the Privacy Commissioner of Canada’s findings that Facebook must alter their approach to privacy, a mere three months ago. Although the FTC settlement is borne out of the US, the effect will be felt worldwide. It will be interesting to see the fallout this decision will have on other organizations, especially in light of numerous other organizations that are facing a similar, yet much less financially burdensome, fine (i.e. British Airways).
Laura has a diverse practice where she focuses on accident benefits, bodily injury claims, product liability, cyber liability, privacy law and drone liability. Read more ...
Although privacy issues have been taking over the headlines in recent months, healthcare organizations have been subject to stringent privacy regulations for a number of years. Organizations providing healthcare services...
Although privacy issues have been taking over the headlines in recent months, healthcare organizations have been subject to stringent privacy regulations for a number of years. Organizations providing healthcare services are particularly susceptible to issues of unauthorized access and public disclosure of personal health information (“PHI”). More specifically, professionals working in healthcare are required to maintain a high level of confidentiality with respect to their patient’s PHI.
Early this year, Ms. Hamilton, a registered practical nurse (RPN), was involved in a professional disciplines hearing with the College of Nurses of Ontario. The allegations made by the College revolved around comments Ms. Hamilton made with respect to an elderly client at the facility she worked at who suffered from Alzheimer’s disease and dementia. The allegations stemmed from an incident that occurred in December 2016.
On December 2, 2016, the client’s child (Child A) posted a publicly available message on Facebook expressing concerns about the client’s Power of Attorney (“POA”), who was also the client’s child (Child B). The same post also expressed concern about the care that the client was receiving at the facility. Numerous family members commented on this post.
The following day, on December 3, Ms. Hamilton published several comments as direct responses to Child A’s Facebook post. The comments were public and disclosed the client’s PHI including her name, identifying her as a resident at the facility, identifying herself as an RPN and employee of the facility, referring to the client’s POA, and referring to her experiences dealing with the client’s medical conditions.
More specifically, Ms. Hamilton posted:
I’m sorry but there are 2 sides to every story. I happen to work at this facility and there is no way [the Client] or any of our residents are treated as these people speak of. How dare you imply that she is neglected in any way. Our residents receive more care hours than the provincial average in Ontario long term care home. Our staff are the hardest working I’ve seen in any LTC facility I know. I’m disgusted that you would even post this filth and lies on social media. Shame on you!
We don’t have a problem with the POA [Child B]. This is your personal business which you have chosen to hang out to dry on Facebook. I will gladly call you a liar because I spend more time with your mother than you do.
When Child A’s children (the client’s grandchildren) made posts defending Child A, Ms. Hamilton was noted to have made inappropriate and unprofessional comments such as one of the grandchildren having a “bad mouth” and that the client “would be disappointed” in the grandchild for their language. Ms. Hamilton also implied that the grandchild was uneducated regarding her medical condition and had no understanding of their grandmother’s health. She also told the grandchild to “shut up” or “grow up”.
Ms. Hamilton also posted “Oh [grandchild A] I look forward to meeting you the next time you visit your grandmother – I see we have much to discuss”, which the grandchild interpreted to be a threat.
The comments were deleted, but the family members captured them.
In the course of the disciplinary hearing, Ms. Hamilton admitted that it was inappropriate to engage in such dialogue with the client’s family, especially given such a public forum like Facebook. She further acknowledged that she breached the client’s privacy and disclosed her PHI without her consent or authorization.
Professional Standard and the Allegations
In 2004, the College issued a Practice Standard titled Confidentiality and Privacy – Personal Health Information, which was updated in 2009. The standards issued by the College represent the standard of care that is expected of all member of the organization. This particular standard largely reflected the personal health information protections codified in the Personal Health Information Protection Act (“PHIPA”). Some of the standards noted in the Practice Standard included the following provisions:
Maintaining confidentiality of clients’ personal health information with members of the healthcare team, who are also required to maintain confidentiality, including information that is documented or stored electronically…
Not discussing client information with colleagues or the client in public places such as elevators, cafeterias and hallways…
In the Notice of Hearing, dated December 7, 2018, the College made allegations against Ms. Hamilton that she: (1) engaged in an act of professional misconduct; (2) gave information about a patient to a person other than the patient or her authorized representative without the consent of the patient and without being required or allowed to do so by law; and, (3) that she engaged in conduct that would reasonably be regarded by members of the profession as disgraceful, dishonourable, or unprofessional.
Decision and Reasoning
The committee noted that the College bore the onus of proving the allegations on a balance of probabilities based upon clear, cogent, and convincing evidence. The College found that Ms. Hamilton committed the acts of professional misconduct.
The College found that Ms. Hamilton’s conduct showed disregard for private information of clients and inappropriate use of social media. The College further noted that Ms. Hamilton’s conduct was unprofessional as it fell below the standards of nursing with respect to confidentiality and trust. In short, she showed a persistent disregard for her professional obligations. The College further noted that disclosing PHI and breaching the client’s privacy in an open public forum was unacceptable and fell well below the standards of the profession.
The College ordered several penalties including a suspension for three months and further privacy training with a regulatory expert. Training was to focus on a review of professional standards, confidentiality, and privacy regarding PHI. The College found that these penalties achieved the purpose of specific deterrence, general deterrence, and rehabilitation and remediation.
Lessons from this Case
Organizations providing healthcare services to patient are required, by law, to maintain their patient’s PHI confidential. This includes proper cyber security safeguards, physical security safeguards, and policies aimed at ensuring staff are aware of their professional obligations. Organizations should develop policies that can be monitored and, more importantly, enforced on a regular basis. Ongoing staff training aimed at ensuring that staff and healthcare professionals are aware of their legal obligations to their patients are critical in meeting the appropriate standard of care.
This case is a perfect example of the impact social media has on an industry that traditionally does not have any connection to social media. Organizations should consider implementing social media policies to outline the obligations and expectations of their staff, which should be continually reinforced in the workplace. Failure to do so may result in disclosure of patients’ PHI and expose the professional and the organization to regulatory penalties and civil claims.
Stas practices in insurance-related litigation. He has a broad range of experience including tort claims, accident benefits, subrogation, priority and loss transfer disputes, WSIB matters, and fraudulent claims. Read more...
The Ontario Court of Appeal has upheld Justice Ramsay’s determination that the LAT has exclusive jurisdiction at first instance over all claims in respect of accident benefits, including extra contractual claims such as bad faith conduct.
By way of background, Ms. Stegenga started an action in Superior Court against her accident benefit insurer, Economical, claiming aggravated, exemplary and punitive damages for breach of contract, negligence, misrepresentation, infliction of mental distress and bad faith. Economical brought a motion to strike the claim pursuant to Rule 21 of the Rules of Civil Procedure, on the basis that the LAT had exclusive jurisdiction at first instance, not the court.
Economical took the position that s. 280 of the Insurance Act, which came into effect April 1, 2016, was clear and unambiguous in taking jurisdiction from the courts and giving it to the LAT. They argued that the legislature had made a policy choice to grant exclusive jurisdiction to the LAT and limit the remedies the LAT could grant.
The Plaintiff argued that the language of s. 280 of the Insurance Actwas not clear and unambiguous enough to take away the Superior Court’s inherent jurisdiction over certain claims, and in particular claims for bad faith. She also argued that the fact that the LAT cannot award aggravated, exemplary or punitive damages supported this conclusion.
Economical was successful and the Plaintiff’s claim was struck on the motion, with Justice Ramsay finding:
There is no reason to doubt that the legislature, in enacting the present s. 280 of the Insurance Act, intended to deprive a claimant of resort to the court at first instance whenever the claim is based on a denial of accident benefits, no matter how the denial is characterized in legal terms.
The Plaintiff appealed to the Court of Appeal.
Once again the Plaintiff, now the Appellant, argued that her claim was for bad faith handling of her accident benefit claim and not a claim “in respect of an insured person’s entitlement to statutory accident benefits or in respect of the amount of statutory accident benefits to which an insured person is entitled”. As a result, she took the position that her claim did not fall within the ambit of s. 280 of the Insurance Act, which provides jurisdiction to the LAT and prohibits access to court other than on appeal or judicial review.
To understand the decision it is helpful to review the language of s. 280 of the Insurance Act, which falls under the title“Dispute Resolution- Statutory Accident Benefits”:
Resolution of disputes
280 (1) This section applies with respect to the resolution of disputes in respect of an insured person’s entitlement to statutory accident benefits or in respect of the amount of statutory accident benefits to which an insured person is entitled. 2014, c. 9, Sched. 3, s. 14.
Application to Tribunal
(2) The insured person or the insurer may apply to the Licence Appeal Tribunal to resolve a dispute described in subsection (1). 2014, c. 9, Sched. 3, s. 14.
Limit on court proceedings
(3) No person may bring a proceeding in any court with respect to a dispute described in subsection (1), other than an appeal from a decision of the Licence Appeal Tribunal or an application for judicial review. 2014, c. 9, Sched. 3, s. 14.
Resolution in accordance with Schedule
(4) The dispute shall be resolved in accordance with the Statutory Accident Benefits Schedule. 2014, c. 9, Sched. 3, s. 14.
Orders, powers and duties
(5) The regulations may provide for and govern the orders and interim orders that the Licence Appeal Tribunal may make and may provide for and govern the powers and duties that the Licence Appeal Tribunal shall have for the purposes of conducting the proceeding. 2014, c. 9, Sched. 3, s. 14.
Orders for costs, other amounts
(6) Without limiting what else the regulations may provide for and govern, the regulations may provide for and govern the following:
1. Orders, including interim orders, to pay costs, including orders requiring a person representing a party to pay costs personally.
2. Orders, including interim orders, to pay amounts even if those amounts are not costs or amounts to which a party is entitled under the Statutory Accident Benefits Schedule. 2014, c. 9, Sched. 3, s. 14.
The Court of Appeal dismissed the appeal and upheld the motion judge’s decision, finding that the legislative purpose, use of expansive language and the jurisdiction given to the LAT in the Insurance Act, Statutory Accident Benefit Scheduleand in Regulation 664all supported a broad interpretation of the LATs jurisdiction, therefore prohibiting access to the courts. J. Zarnett,, writing for the Court of Appeal, stated:
If the dispute relates to the insurers compliance with obligations to the insured concerning SABS, the timeliness of performance of those obligations and/or the manner in which they were administered, it falls within the broad reach of the dispute resolution provisions, and within the jurisdiction of the LAT. The prohibition on court proceedings will apply.
Having found that the dispute resolution provisions are broad enough to give the LAT jurisdiction, the Court of Appeal considered the Appellant’s argument that because bad faith is a standalone cause of action it could not be captured by the language of s. 280 “in respect of entitlement or amount of benefits”. The Court concluded that “it does not follow that this automatically takes the subject matter of the claim, even when characterized as one for bad faith, outside of s. 280”, noting that it is the nature and subject matter of the dispute that are determinative, not the legal characterization.
Ultimately, the Court held that the facts giving rise to the disputes between the parties allrelated to the Appellant’s entitlement to benefits or the amount of entitlement. These were all disputes captured by the broad language of s. 280(1) of the Insurance Actand the LAT’s jurisdiction under s. 280(2), and therefore fall within the prohibition on court proceedings in s. 280(3).
Lisa has an insurance law practice that has focused exclusively on insurance defence for 15 years. Her practice focuses on complex insurance-related litigation, including accident benefits and bodily injury. Read more ...
Adjudicator Letourneau has held that the LAT does not have jurisdiction to award interim benefits in 18-007113 v Allstate Insurance-007113/AABS, 2019 CanLII 63379 (ON LAT). This follows on the decision of his colleague Adjudicator Hines, in 17-007152 v State Farm Insurance, 2018 CanLII 141015 (ON LAT), who similarly found that LAT lacked the jurisdiction to award interim benefits.
There is now what appears to be a growing body of LAT caselaw confirming that LAT will not award interim benefits.
In the most recent case, there was a lag of over year between the date of the application for accident benefits and the in-person hearing on the issue of attendant care. In that period, the applicant claimed to have incurred more than $18,000 in attendant care. The applicant argued that this financial burden created a risk that he would not be able to receive adequate care before the LAT hearing on the issue of attendant care benefits. The Applicant wanted an order awarding him attendant care benefits until such time as the issue was decided before the LAT.
FSCO made interim awards of benefits all the time, the applicant complained, why can’t the LAT do the same? After all, the SPPA (Statutory Powers Procedure Act) allows for interim orders and the LAT Act says the LAT tribunal has all the powers necessary to carry out its duties. Shouldn’t that be enough to empower the LAT to grant interim orders for benefits?
In response, the LAT adjudicator noted that the Tribunal’s powers to make orders with a view to resolving the applicant’s dispute are limited to what is provided for in the Insurance Act and the SABS. Section 280(4) of the Insurance Act states specifically that, “the dispute shall be resolved in accordance with the Statutory Accident Benefits Schedule”.
The LAT Adjudicator further pointed out that there have been specific changes to the Insurance Act in recent years that clearly show the legislator’s intention to restrain the Tribunal’s jurisdiction. Section 280(6) of the Insurance Act was amended to say that “regulations [under the insurance act] may provide for interim orders to pay amounts to which a party is entitled under the SABS”. Interim benefits are not amounts that a party is entitled to under the SABS, the adjudicator concluded. This omission amounts to be a clear intention to bar the LAT tribunal from reading in power to grant interim orders for benefits.
In its past two decisions regarding orders for interim benefits, at least two LAT adjudicators are harmonizing the edict in the old standby karaoke favorite that you can’t hurry love.