I’m Kate Dewhirst.

I’m a lawyer who writes about legal issues affecting healthcare in Canada

Kate Dewhirst Health Law - bringing the law to life. Meet Kate (in 13 seconds)

Warning: If you go privacy rogue – your employer’s insurance company likely doesn’t have to protect you

Posted by

If you ever needed a reason to behave, this is as good a one as any.

In a new Ontario court decision, a nurse was denied coverage from her former hospital employer’s insurance provider for her legal fees and possible costs associated with her alleged snooping in health records. So now, she walks into court alone.

Last year I wrote a blog post about a class action against a nurse and hospital for breach of privacy (intrusion upon seclusion). The nurse had stolen more than 20,000 Percocet pills (opioids) over a nine-year period of working at the hospital. To do so, she had to look at the medical records of more than 11,000 patients to obtain active patient names she could enter into the medication system to open the medication drawers. Remember that one?

Well, the saga continues.

The court has released a new decision (Demme v. Healthcare Insurance Reciprocal of Canada, 2021 ONSC 2095 (CanLII)) finding that the nurse is not entitled to coverage from the insurer for her legal expenses and representation in the case. The court also concluded  that the intentional tort of intrusion upon seclusion is not covered under the occurrence-based insurance policy issued by the insurer.

The nurse brought a motion for a declaration that HIROC (her former employer’s insurance company) owed a duty to defend her in the eight civil actions in which she is named as Defendant. The hospital where she had worked held an insurance policy with HIROC. The policy provided coverage to the hospital and its employees in the course of their employment. The nurse took the position that she was an insured under the policy. She wanted to be reimbursed for the costs she had incurred in the litigation and she wanted HIROC to pay her future defence costs until the actions concluded.

The court concluded the former nurse did not fall within the insuring agreement and was not entitled to coverage and HIROC did not have a duty to defend the nurse.

The court found:

  • the true nature of all eight claims was the intentional tort of intrusion upon seclusion;
  • HIROC’s duty to defend would be triggered if there is a “mere possibility” that intrusion upon seclusion could fall within coverage;
  • the HIROC insurance policy is an occurrence-based policy – therefore, the claims could fall within coverage if the injuries or damages arose out of an accident and were neither expected nor intended from the standpoint of the insured (in this case, the nurse);
  • the onus was on the nurse to prove that the injuries alleged were caused by an occurrence and that she did not expect or intend the injuries to the plaintiffs; and
  • the claims of intrusion upon seclusion did not result in injuries that were unexpected or unintended from the perspective of the nurse; therefore, these were not injuries caused by an occurrence.

The court also found that the claims against the nurse were excluded by the intentional act and/or criminal act exclusions in the policy.

The court was satisfied that the hospital could still be covered under the policy but not for intrusion upon seclusion. A wide range of other types of claims for negligent privacy breaches would still fall within the insuring agreement of the policy – including for example, a negligent release of private information, improper faxing of private information, incorrectly sent e-mails, erroneous attachments to correspondence or e-mail, loss of medical records, records improperly disposed of and negligent storage of records.

Of note, the hospital was not a party to the nurse’s motion. So this decision doesn’t say anything about whether the policy would cover the hospital’s vicarious liability for the nurse’s actions, or its potential liability for the privacy breach by virtue of its own supervisory and safety failings in respect of its personnel and drug protocols (failings that were mentioned in the certification decision).

Bottom Line: This decision acts as a warning to employees who go privacy rogue. Not only could you lose your job and your license to practice from your regulatory College – if you engage in intentional or reckless actions with patient information, you may be paying your own way to defend yourself in costly legal proceedings.  As we lawyers like to say “govern yourself accordingly”.


If you enjoyed this article please share it:


Previous and next posts from Kate:

Some of Kate’s recent and upcoming events

Free healthcare privacy webinar - ask me anything!
the first Wednesday of every month

Free webinars - advance registration needed

Whether you're an experienced privacy officer or new in the field, pick Kate’s brain for free for an hour, in this live webinar. No charge, but you’ll need to register in advance.

Health Privacy Officer Foundations training
September 14, 21, 28, October 5, 12, 19, 26 2021

For Privacy Officers within healthcare organizations.

This course focuses on how to become a more confident privacy officer and gives you the tools to document your privacy program. Full details and registration here...

Join the Shush: a collective of health privacy officers
Annual membership 2021

For Privacy Officers within healthcare organizations

This is an annual membership program that takes theory into practice and tackles real life scenarios to build Privacy Officer skills.
Full details and registration here.

Primary care webinars: Employment Law Update & Legal Issues for EDs and Board members

Part of Kate’s monthly webinar series.

Our September program will address toxic employees and in October we discuss collaboration agreements.
Full details of the 2021 webinar series and registration here.

Team Privacy Training Events
September 22, 23, 24, 27, 30 October 13, 14, 20, 21

For Primary Care clinics, Hospitals, Community Agencies, Mental Health Teams, Public Health Units, School Boards, Police departments

Kate trains health professionals from many more health care organizations how being privacy-respectful can improve therapeutic relationships. More details...

Part X CYFSA Privacy Designate Course - video course online

For Privacy Designates in the child welfare sector including children's aid societies and indigenous children's well-being centres

We focus on how to implement Part X of the Child Youth and Family Services Act in your organization.
Full details and registration here.

Free summary of all PHIPA IPC decisions

Want to read privacy breach stories to learn how to improve your work? We have summarized all the Information and Privacy Commissioner's health privacy decisions for you Download here...

NEW! Ontario Hospital Association Professional Staff Credentialing Toolkit

2nd Edition is now available for managing physicians, dentists, midwives and nurse practitioners in hospitals Read here...

Kate Dewhirst Health Law

Kate says:

My mission is bringing the law to life. I make legal theory understandable, accessible and fun! I’m available and love to work for all organizations in the healthcare sector across Ontario and beyond.

Subscribe to my mailing list and keep up to date with news:

Latest Tweets

Join The Shush, my community for Privacy Officers in the healthcare sector. Develop knowledge, skills and judgment,… https://t.co/xGIfjnRDiI

about 22 hours ago

“Refresher Credentialing Training” for hospital Credentials Committees, MACs and Boards --- Based on the new Prof… https://t.co/d9RdfwdxJn

08:00 AM Oct 18th


contact details

P.O. Box 97010 Roncesvalles
Toronto Ontario M6R 3B3

(416) 855 9557

.