
CPSO v Mercado: Breach of Patient Privacy and the Circle of Care

A diagnostic radiologist conducted hundreds of unauthorized searches of patient records over six years. The OPSDT imposed a four-month suspension, reprimand, and costs.

By Paul Cahill, March 4, 2024
Case comment on CPSO v Mercado, 2024 ONPSDT 7, on unauthorized records access, PHIPA, and the circle of care doctrine. By Paul Cahill, LSO Certified Specialist in Civil Litigation.

Hospital electronic medical record systems are powerful, comprehensive, and trust-dependent. Every clinician with credentials can access records well beyond their immediate clinical needs. The systems work because clinicians are trusted to access only what their patients’ care requires. The Personal Health Information Protection Act, 2004 (PHIPA) gives that trust statutory force: health information custodians and their agents may use personal health information only for purposes consistent with healthcare delivery to the patient. The operative concept is the “circle of care” — the providers actually involved in providing or facilitating healthcare to a particular patient. Accessing records for patients outside one’s circle of care is what the statute prohibits, and what the discipline tribunal sanctions.

CPSO v Mercado, 2024 ONPSDT 7, is the discipline counterpart to a serious PHIPA violation. A diagnostic radiologist conducted hundreds of unauthorized searches of hospital records over a six-year period. The targets were not random — they were people he knew personally, including extended family members and colleagues. One patient and family member group was accessed 484 separate times. The unauthorized access stopped only after a patient complained and the hospital initiated an investigation. The OPSDT found professional misconduct, suspended the licence for four months, ordered a reprimand, and imposed $6,000 in costs.

The case is doctrinally significant because it engages PHIPA, the circle of care concept, the CPSO professional misconduct framework, and the parallel civil law tort of intrusion upon seclusion from Jones v Tsige. It also illustrates the institutional dimension of patient privacy protection — the hospital’s audit logs were what made the pattern detectable, and the hospital’s response (denial of access pending investigation) was the immediate protective measure.

The substantive facts

Dr. Ashley John Mercado was a diagnostic radiologist with hospital credentials granting access to patient records through the electronic medical record system. Between 2015 and August 2021, he conducted hundreds of unauthorized searches of the records of 20 patients. None of the 20 were under his clinical care. All 20 were people he knew personally — extended family members, colleagues, and other acquaintances.

The information accessed included:

  • Visit history (when each patient had attended the hospital)
  • Encounter type (the clinical service the patient had attended — for example, obstetrics and gynecology, oncology and chemotherapy)
  • Reasons for visits
  • For 4 of the 20 patients: medical imaging studies and the corresponding imaging reports

One particular patient and family member group was accessed a total of 484 times, sometimes multiple times in a single day.

The unauthorized access stopped only after one of the patients raised concerns. The hospital conducted an internal investigation, confirmed the pattern through audit logs, and implemented a “denial of access” restricting Dr. Mercado’s ability to use the electronic medical record system. The CPSO discipline proceedings followed.

The PHIPA framework

The Personal Health Information Protection Act, 2004 is the governing statute in Ontario for personal health information. The statute establishes a comprehensive framework for the collection, use, and disclosure of PHI by health information custodians (hospitals, physicians, regulated health professionals, and other entities defined in the statute) and their agents.

The core principle of PHIPA is purpose-limitation. PHI may be collected, used, and disclosed only for purposes that fall within statutory authorization. The principal authorization is healthcare delivery — a custodian may use PHI to provide or facilitate the provision of healthcare to the individual to whom the information relates. Additional authorizations exist for purposes such as research (with ethics approval), public health, and certain regulatory and legal purposes, but these are circumscribed.

For physicians and other clinicians with access to hospital records, the practical operation of PHIPA depends on the “circle of care” concept. The circle includes the providers actively involved in providing or facilitating healthcare to a particular patient. A radiologist who reports on a patient’s imaging study is within the circle of care for that imaging study. A radiologist with no clinical involvement in a particular patient’s care is outside the circle for that patient. Accessing the records of a patient outside the circle of care is, in practical PHIPA terms, an unauthorized use.

The PHIPA framework operates alongside, not instead of, professional discipline. A physician who breaches PHIPA may face statutory enforcement through the Information and Privacy Commissioner of Ontario (IPC), civil liability through the tort of intrusion upon seclusion, and professional discipline through the CPSO. The three regimes are independent and can operate in parallel.

The “circle of care” doctrine

The circle of care concept is foundational to the practical operation of PHIPA in hospitals and other clinical settings. The concept is not explicitly codified — the statute speaks in terms of authorized purposes rather than circles — but it captures the substantive principle that practical PHIPA compliance requires.

A physician who works in a hospital has electronic credentials that technically permit access to a vast range of records. The technical permission exists because the same credentials must allow access to whatever patients the physician actually needs to treat. The system cannot anticipate in advance which records each physician will need on any given day.

The legal restriction on the technical permission is the purpose-limitation principle. A physician should access only the records they need for the patients they are treating. The “circle of care” is the operative concept that distinguishes authorized access (within the circle for the relevant patient) from unauthorized access (outside the circle). The concept is enforced through:

  • Audit logs that record every access
  • Policy-level expectations that physicians will access only records within their circle of care
  • Compliance training and reminders
  • Investigation when patterns of unauthorized access are detected

In Mercado, the access pattern was clear: hundreds of searches over six years involving 20 patients, all of whom were known to the physician but none of whom were under his clinical care. The pattern fell outside the circle of care for any of the accessed patients. The PHIPA violation was clear; the question for the OPSDT was the professional discipline characterization.

The professional misconduct framework

The CPSO discipline framework under the Health Professions Procedural Code (Schedule 2 to the Regulated Health Professions Act, 1991) includes both enumerated grounds of professional misconduct and the catch-all “disgraceful, dishonourable or unprofessional” standard. Privacy breaches are not specifically enumerated, but they fall squarely within the catch-all.

The reasoning: patient trust in the confidentiality of medical records is foundational to the physician-patient relationship. Patients disclose intimate clinical information on the understanding that it will be accessed only by those involved in their care. A physician who abuses access privileges to view records outside his circle of care has betrayed that trust, regardless of whether the access produced any direct downstream harm.

The OPSDT in Mercado articulated this principle in foundational terms: patient privacy is sacrosanct. The trust patients place in the medical profession depends on the confidence that their sensitive personal health information will not be accessed by unauthorized persons, including physicians not involved in their care. The radiologist had breached that trust over a sustained period through targeted searches involving extended family members, colleagues, and other acquaintances. The conduct constituted professional misconduct.

The penalty calibration

The sanction imposed by the OPSDT was:

  • A reprimand
  • A four-month suspension
  • Costs of $6,000

The calibration is mid-range for CPSO privacy cases. The aggravating features included the duration of the misconduct (six years), the volume of accesses (hundreds, including 484 for one patient and family), the targeted nature of the access (acquaintances and family members, not random patients), and the fact that the access stopped only when external intervention forced it to. The mitigating features included the admission of misconduct, the absence of evidence that the accessed information was disclosed to third parties or used for any further purpose, and the cooperation with the discipline proceedings.

The reprimand-plus-suspension-plus-costs structure is conventional for cases at this level of misconduct. Suspensions of three to six months are common where the misconduct is sustained but does not involve disclosure or commercial use of the accessed information. Costs of several thousand dollars reflect the discipline proceedings.

The civil law dimension: Jones v Tsige

The CPSO discipline proceeding is one of three potential consequences of unauthorized records access. The second is civil liability. The Ontario Court of Appeal in Jones v Tsige, 2012 ONCA 32, recognized the tort of “intrusion upon seclusion,” which provides damages for intentional or reckless intrusion into another’s private affairs.

The four elements of the tort are:

  • The defendant’s conduct was intentional or reckless
  • The defendant invaded, without lawful justification, the plaintiff’s private affairs or concerns
  • A reasonable person would regard the invasion as highly offensive, causing distress, humiliation, or anguish
  • The plaintiff need not prove pecuniary loss

The tort provides damages typically capped at around $20,000 per plaintiff for individual cases. Class actions involving institutional privacy breaches have produced larger settlements through aggregation, but the per-plaintiff damages remain modest.

In Mercado, the affected patients have potential Jones v Tsige claims. The 484 accesses against one patient and family are particularly egregious — the volume and pattern are precisely the kind of conduct that the tort was designed to address. The patients may also have potential claims against the hospital under PHIPA s. 65 (claims for damages for breach of PHIPA), although those claims face different analytical hurdles.

The civil law dimension does not appear to have been addressed in the discipline proceeding itself (as it would not be — the OPSDT addresses professional misconduct, not civil damages). But for the affected patients, the discipline finding may operate as useful evidence in any subsequent civil proceeding.

The IPC enforcement dimension

The third potential consequence is statutory enforcement through the Information and Privacy Commissioner of Ontario. The IPC has investigative powers under PHIPA s. 60 and following, can order custodians to take corrective action, and can refer matters for prosecution under PHIPA s. 72 (offences). Individual physicians who breach PHIPA can face statutory penalties (fines) on conviction.

The IPC tends to focus on systemic issues — gaps in custodian policies, training failures, audit deficiencies — rather than on individual breach actors, which are typically left to professional discipline. But the IPC’s parallel authority means that a single course of conduct can attract sanctions from multiple regulatory regimes operating in different ways.

The hospital’s institutional role

The hospital was the front-line responder in Mercado. The unauthorized access was detected through audit logs after a patient complaint. The hospital implemented immediate protective measures (denial of access) pending investigation. The hospital then participated in the regulatory response (referring the matter to the CPSO).

The institutional dimension is doctrinally important. PHIPA places the primary compliance obligation on the health information custodian — typically the hospital in the inpatient and ambulatory care setting. Hospitals must:

  • Establish policies and procedures for the protection of PHI
  • Provide training to agents (including physicians) on PHIPA compliance
  • Maintain audit capabilities sufficient to detect unauthorized access
  • Investigate complaints and incidents
  • Take corrective action when breaches are identified
  • Report significant breaches to the IPC as required

A hospital that fails in any of these areas may bear independent regulatory exposure under PHIPA, independent of any individual physician’s misconduct. Mercado illustrates a hospital meeting its obligations: the audit logs detected the pattern; the investigation confirmed it; the corrective action was taken; the matter was referred for professional discipline.

The CPSO discipline cluster — privacy as a new sub-category

Mercado opens a new sub-category in the rewritten CPSO discipline cluster on this site. The cluster now includes 10 cases across four substantive categories:

COVID-19 misinformation (4 cases):

Sexual abuse and boundary violations (3 cases):

Financial misconduct (2 cases):

Privacy breaches (NEW — 1 case):

  • CPSO v Mercado (this case — unauthorized records access)

The cluster now spans the four most common categories of CPSO discipline. Privacy cases like Mercado are doctrinally distinct from the other categories because they engage PHIPA and the broader privacy framework that operates beyond the CPSO discipline alone.

Connection to Martin v HPARB

Martin v HPARB, already in the procedural cluster on this site, was a Charter case involving PHIPA. The case held that the privacy framework operates with specific procedural and remedial provisions and does not always provide an avenue for Charter claims about regulatory decision-making. The two cases together illustrate different aspects of the PHIPA regime: Mercado shows the substantive prohibition operating against unauthorized access; Martin shows the procedural and remedial limits of the statutory regime.

The doctrinal lessons

The case stands for several propositions.

Patient privacy is foundational, not technical. The CPSO treats unauthorized records access as serious professional misconduct independent of whether any downstream harm is established. The principle is that patient trust in records confidentiality is foundational to the physician-patient relationship; breach of that trust is itself the misconduct.

The circle of care is the operative concept. Technical access to records is broader than legal authorization. The circle of care concept — the providers actively involved in providing or facilitating healthcare to a particular patient — is what distinguishes authorized from unauthorized access. Physicians who access records outside their circle of care for any particular patient are committing a PHIPA violation regardless of motivation.

Multiple regulatory regimes apply in parallel. A privacy breach can attract sanctions from the CPSO (professional discipline), the IPC (statutory enforcement), and the civil courts (the Jones v Tsige tort and PHIPA s. 65 damages claims). The three regimes are independent and can operate concurrently. A physician facing CPSO discipline for a privacy breach should anticipate the parallel exposure.

Audit logs are the detection mechanism. Hospital electronic record systems generate audit logs that record every access. Sustained patterns of unauthorized access are detectable through these logs. Physicians who breach PHIPA cannot rely on the absence of contemporaneous detection — the logs preserve the evidence indefinitely.
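As an added illustration of the audit-log enforcement described under the circle of care doctrine above and in this paragraph (example code written for this comment, not material from the tribunal, the hospital or the original post), the following Python runs a circle-of-care check over a constructed EMR audit log: every access to a patient with whom the user has no recorded clinical involvement is flagged, then summarized per user by volume, distinct patients, repeat access to one patient and days spanned, the same features the tribunal treated as aggravating. The log records, user ids, patient ids and the circle-of-care table are all constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed EMR audit log entries: (timestamp, user, patient, action).
# rad01 views one patient in their care and then repeatedly browses two others.
AUDIT_LOG = [
    ("2021-03-01T09:12:00", "rad01", "P100", "view_report"),
    ("2021-03-01T09:15:00", "rad01", "P100", "view_image"),
    ("2021-03-01T18:40:00", "rad01", "P200", "view_visit_history"),
    ("2021-03-01T18:41:00", "rad01", "P200", "view_encounter"),
    ("2021-03-01T18:42:00", "rad01", "P200", "view_encounter"),
    ("2021-03-02T07:05:00", "rad01", "P201", "view_visit_history"),
    ("2021-03-03T22:10:00", "rad01", "P200", "view_visit_history"),
    ("2021-03-04T10:00:00", "rad02", "P101", "view_report"),
    ("2021-03-04T10:03:00", "rad02", "P300", "view_visit_history"),
]

# Constructed circle-of-care table: (user, patient) pairs with documented
# clinical involvement, e.g. the radiologist reported on that patient's study.
# A real system derives this from orders, consults and reporting assignments.
CIRCLE_OF_CARE = {("rad01", "P100"), ("rad02", "P101")}


def out_of_circle(audit_log, circle):
    """Return every access where the user had no clinical involvement with the patient."""
    return [rec for rec in audit_log if (rec[1], rec[2]) not in circle]


def summarize_by_user(flagged):
    """Per user: out-of-circle accesses, distinct patients, max hits on one patient, days spanned."""
    per_user = defaultdict(list)
    for ts, user, patient, _ in flagged:
        per_user[user].append((datetime.fromisoformat(ts), patient))
    summary = {}
    for user, items in per_user.items():
        counts = Counter(patient for _, patient in items)
        dates = [when.date() for when, _ in items]
        summary[user] = {
            "accesses": len(items),
            "patients": len(counts),
            "max_per_patient": max(counts.values()),
            "days_spanned": (max(dates) - min(dates)).days + 1,
        }
    return summary


def needs_investigation(summary, min_patients=2, min_repeat=3):
    """Users whose out-of-circle access is a pattern (several patients, or the
    same patient again and again) rather than a single stray lookup."""
    return sorted(user for user, s in summary.items()
                  if s["patients"] >= min_patients or s["max_per_patient"] >= min_repeat)


if __name__ == "__main__":
    flagged = out_of_circle(AUDIT_LOG, CIRCLE_OF_CARE)
    summary = summarize_by_user(flagged)
    for user in needs_investigation(summary):
        print(user, summary[user])
```

A single out-of-circle hit (rad02 here) is reported but not escalated, since the thresholds are meant to separate a sustained pattern from an isolated error; the thresholds and the constructed circle-of-care table are assumptions, not values from the case.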

Patients can complain to multiple authorities. A patient who suspects unauthorized access to their records can complain to the custodian (typically the hospital), to the CPSO (for professional discipline), to the IPC (for statutory enforcement), or pursue civil litigation. The avenues are independent. For more on the complaint process generally, see A Patient’s Guide to Making Complaints About Health Care in Ontario.

Why this case matters

For patients who suspect unauthorized records access. If you have concerns that a physician (or any other person with access) has accessed your records without authorization, the available actions include:

  • Request an audit report from the hospital or other custodian (PHIPA s. 53 provides for access to one’s own records, which can include audit information about who accessed those records)
  • Complain to the custodian
  • Complain to the CPSO if a physician is involved
  • Complain to the Information and Privacy Commissioner of Ontario
  • Consult with counsel about civil action under Jones v Tsige or PHIPA s. 65

For physicians. The case is a reminder that hospital credentials carry continuing PHIPA obligations independent of clinical workflow. Accessing records outside one’s circle of care for any patient — even an acquaintance, even a family member — is a PHIPA violation and potential professional misconduct. The technical capacity to access does not create the legal authorization to access.

For hospital information governance. The case illustrates the importance of audit capabilities, training programs, and incident response procedures. Mercado was detected because the hospital’s systems made detection possible and the hospital responded promptly when a patient complained. The institutional infrastructure matters.

For counsel. The case is useful precedent on the CPSO discipline framework as applied to privacy breaches, and on the calibration of suspensions for sustained but non-disclosure-based misconduct. The case also identifies the foundational doctrinal frame (sanctity of patient privacy) that operates in privacy cases generally.

For more on the broader CPSO complaint process and patient rights, see Should I File a CPSO Complaint? and A Patient’s Guide to Making Complaints About Health Care in Ontario.


Decision Date: February 27, 2024

Jurisdiction: Ontario Physicians and Surgeons Discipline Tribunal

Citation: College of Physicians and Surgeons of Ontario v Mercado, 2024 ONPSDT 7 (CanLII)

Penalty: Reprimand + four-month suspension + $6,000 costs

Key authorities: Personal Health Information Protection Act, 2004, SO 2004, c 3, Sched A; Health Professions Procedural Code (Schedule 2 to the Regulated Health Professions Act, 1991); Jones v Tsige, 2012 ONCA 32 (tort of intrusion upon seclusion)
